Almost all of the applications we use on a daily basis are built from reusable building blocks: code libraries, frameworks and similar components. It makes sense to do it that way, because it saves the time of reinventing the wheel for each application, and some of the functionality libraries provide is fairly complex to code.
The flip side is that attackers now target that reusable code in so-called supply chain attacks which, if successful, can compromise a large number of systems at once, because every application that pulls in the tampered component inherits the compromise.
Here's the audio from the RNZ Nine To Noon segment on April 11 this year, discussing supply chain attacks, including the recent one on the XZ data compression utilities, and how artificial intelligence (AI) can complicate such incidents.
Just a day later, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about a potentially huge supply chain attack at a popular data analytics firm called Sisense. How that breach will pan out remains to be seen, but our CERT NZ agency was involved in the work, and told us this:
"Last week the US Cyber Security & Infrastructure Security Agency (CISA) reported that Sisense, a company that provides data analytics services to businesses, had its customer data compromised. CERT NZ was made aware of this compromise through its international networks and is monitoring the situation."
"Currently the impact on New Zealand businesses is minimal and those directly affected have been contacted by CERT NZ," a spokesperson for the cybersecurity agency said.
2 Comments
Thankfully, software supply chain attacks take a lot more effort than the usual way of breaking in: the security flaws going through the door of every company and leaving the same way unimpeded. Sadly, though, it is still a risk to be aware of, but in general companies have a lot more risks with humans and human bias presenting security loophole nightmares. There is the old joke of dressing up as cleaning or repair staff, or a cheap phishing attack on upper management accounts (which is very successful because none of them are security experts or have put in place good governance practices, to this day, in most companies in NZ).
Only data centres start approaching some security in NZ, but even then some of the risks are hilarious. E.g. some servers just being pulled out and trashed accidentally, so when the website services went down, the thing found to be wrong with the server was that it did not exist any more. Or the rat that died behind the rack and staff left it rotting because they were afraid to unplug anything, until a bright person from a competitor company offered to help "remove" the rat (thankfully at least it was resolved in short order and the rest of the rat was removed). Or let's not forget the hilarious government department security breaches, like having no security on their networks, so anyone on a public terminal could access significantly private data, including medical and financial details, held by MSD. Yeah, the limitation there was how much data the person could take in a reasonable amount of time before close of the business day. They did not hack the system, or attack it. They used a public terminal and the public access to the data provided. If the government and their lobbyists were not so embarrassing in tech, then perhaps the billions we get charged for consultant and IT services would not sting as much or be so outrageous.
The physical and human risks in companies are always going to be present and factor more than complex ones, and sadly there is a near guarantee of hacks or loss of data. Hence ALWAYS back up and secure backups, install good governance so more than one point of infection or breach of security is needed for key functions, and ensure private data has even basic security (let alone adequate security, and this is an issue in NZ). Without any of that they are not prepared for the software supply chain attacks, let alone the easier ones. What makes a software supply chain attack attractive is that it can hit many companies or individuals that have lower security levels. But then attackers can do similar by hitting things like accountant or legal offices (and this is much, much easier to do and immediately gives access to sensitive information). A point of attack holding sensitive information on numbers of companies or individuals interacting with it will mean attackers can increase the likelihood of success and the amounts stolen.
"The attack appears to have started when undisclosed threat actors gained access to the company's GitLab code repository, according to security journalist Brian Krebs. The repository included credentials or tokens that could provide access to the company's Amazon S3 buckets, according to the report."
What the hell?! Seriously... "repository included credentials or tokens that could provide access to the company's Amazon S3 buckets"!! Sure makes sense how they got in. The front door was practically open. A single phishing attack on any key employee and, oh look, here are all these security credentials to server data, nicely stored in an easy-to-download UI.
"a key issue with Sisense is the company requires access to the confidential data sources of their customers. The company has direct access to Java Database Community connections, secure shell protocol and SaaS platforms"
Facepalm. Yeah, that would be a red flag, but hey, how many of the CMS or ERP plugins are installed and used without any security checks or restrictions on use and access to data? How many managers push for use of them without any concept of the security risks and what they are approving? How many managers ensure they have allocated enough time for security reviews (or any security review), and how many ensure all staff get adequate upskilling and training time?
I guarantee you that at our major tech, govt tech and consultant companies that number approaches zero pretty fast. Tech and info security and good governance are not even a part of many business courses (too busy writing value statements and setting goals), and our even less educated politicians actually get awarded tech governance roles with even less of a clue.
Don't get me started on the health sector, it is tragic enough as it is.
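The point raised in the comments above, credentials and tokens sitting in a code repository where anyone who gets into the repository can collect them, is something a routine repository scan catches before an attacker does. The following is an added example, not code from the article, from either commenter, or from any company named on the page: a small Python scanner for a few well-known credential formats (AWS access key IDs, GitLab personal access tokens, and 40-character AWS-style secrets assigned to a variable), run over constructed sample files embedded in the script. The file paths and contents and the entropy threshold are assumptions for illustration; the AWS key values are the documented placeholders from AWS's own documentation, not live keys.

```python
import math
import re
from dataclasses import dataclass

# Detection rules. The AWS access key ID format (AKIA/ASIA plus 16 uppercase
# alphanumerics) and the GitLab personal access token prefix (glpat-) are
# documented token formats; the secret-assignment rule is a heuristic that is
# narrowed further by the entropy check in scan_text().
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20}\b"),
    "aws_secret_assignment": re.compile(
        r"(?i)(aws_secret_access_key|secret_key)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
}

# Below this Shannon entropy (bits per character) a 40-character value is
# treated as a placeholder such as "xxxx...", not a live secret. The
# threshold is an assumption chosen for this example.
MIN_SECRET_ENTROPY = 4.0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(token):
    """Keep only the first and last four characters so findings can be logged safely."""
    if len(token) <= 12:
        return "*" * len(token)
    return token[:4] + "..." + token[-4:]


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    masked: str


def scan_text(path, text):
    """Return a Finding for every credential-looking token in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # Patterns with a capture group report the captured value,
                # patterns without one report the whole match.
                token = m.group(m.lastindex or 0)
                if kind == "aws_secret_assignment" and shannon_entropy(token) < MIN_SECRET_ENTROPY:
                    continue  # low entropy: a placeholder, not a real secret
                findings.append(Finding(path, line_no, kind, mask(token)))
    return findings


def scan_files(files):
    """files maps path -> content; returns all findings ordered by path, then line."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample repository contents (not from any real repository).
# The AWS key ID and secret are the placeholders used in AWS documentation.
SAMPLE_REPO_FILES = {
    "deploy/config.env": "\n".join([
        "# constructed sample",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "S3_BUCKET=customer-exports",
    ]) + "\n",
    "scripts/ci.sh": "\n".join([
        "#!/bin/sh",
        "# constructed sample: the placeholder below must NOT be reported",
        "SECRET_KEY=" + "x" * 40,
        'curl -H "PRIVATE-TOKEN: glpat-abcdefghijklmnopqrst" https://gitlab.example.com/api/v4/projects',
    ]) + "\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.masked}")
```

Run something like this over a checkout in CI or as a pre-commit hook and fail the pipeline on any hit. Finding a key this way is only the start of the clean-up: the key has to be rotated, because git history keeps a committed value even after the file is deleted, and anyone who cloned the repository in the meantime already has it.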