While we have largely accepted the fact that cybersecurity is becoming a never-ending war, there often comes along some particularly nasty attacks that leave us reeling in their wake. One such recent attack is the ransomware attack on widely used file transfer software MOVEit. Considered to be one of the biggest cyberattacks of the year, the ransomware attack has affected dozens of major organizations, such as British Airways, the BBC, PwC, EY, Siemens, and Schneider Electric.
The extortionist ransomware group, Clop, has claimed responsibility for carrying out this attack, which exploited a zero-day vulnerability in MOVEit. What makes this attack different is the (intended) impact it had on MOVEit’s supply chain, affecting other organizations that use the software.
Did you know?
Zero day is a term used to describe newly discovered security vulnerabilities in software. These are referred to as zero-day vulnerabilities, because the vendor has zero days to work on a security patch or an update to fix the issue.
The MOVEit attack suggests more cybercriminals are recognizing that if they can compromise a trusted vendor, they can topple all the vendor’s customers. The increase in such supply chain ransomware attacks further fuels concerns that cybercriminals may have struck a simple yet lucrative business model that furthers the extent of the damage they can inflict, thereby greatly influencing their bargaining power.
You’re only as safe as your weakest link
Supply chain attacks are known to be far more severe than traditional cyberattacks that target a single organization. While organizations can be hyper vigilant about their own perimeter security, gaining visibility and control of their entire vendor network poses a much greater challenge. Add subcontractors that vendors engage into the mix, and you have an even murkier landscape that is prone to multiple vulnerabilities and cyber risks. As enterprises grow increasingly reliant on third-party vendors, the risks, too, grow multifold. Supply chain attacks are lethal because they violate the chain of trust, bypass typical defensive mechanisms, and cause crippling damage to their victims.
Once in motion, supply chain attacks can be extremely challenging to mitigate, as they can go on to affect secondary-level organizations, too. This is exactly what happened with the MOVEit attack. The attack on MOVEit allowed Clop to compromise MOVEit’s customer, Zellis, which in turn gave the ransomware group access to Zellis’ customers, including British Airways, the BBC, and Boots. Similar patterns were also recorded in the December 2020 SolarWinds attack.
Future of cybersecurity
An alarming point to consider in this latest ransomware attack is that the Clop group has demanded payment to not release the stolen data rather than to decrypt the affected systems. Attackers are more frequently using tactics like this to raise the pressure on victims, making their jobs easier while victims struggle to retain control over their sensitive data.
If you’ve been following predictions by industry analysts, you probably saw this attack trend coming. We need to be prepared for more attacks like these on file transfer applications and document management programs in the future, as cyber criminals have realized the value of such data-rich tools. The main question that remains then is how do you effectively assess risks and implement suitable controls for your supply chain?
One of the major problems in securing the supply chain is ascertaining where the organizational responsibility lies. Different departments work with different aspects of the supply chain, but there is no one person or team who is accountable for the whole thing.
Some important questions to consider are, how are security clauses in contracts with vendors and suppliers enforced? Who is responsible for ensuring that subcontractors also have appropriate levels of security and compliance, and how is this enforced? Does your organization’s incident response plan include risks analysis, threat detection, and mitigation for the entire supply chain? What happens to the existing vendors and subcontractors who may not exhibit required levels of security and compliance?
While these may seem daunting and overwhelming to tackle all at once, taking a step-by-step approach will enable you to gradually ensure 360° security for your organization.
1. Assess your organizational structure: There may be hundreds of third-party vendors that your organization works with, so be prepared for this step to take time. You may also need to assemble a team to oversee this. This team will need to hold all levels of suppliers accountable while ensuring the overall security of the organizational supply chain.
2. Verify supply chain security: Review and monitor the key contracts in place and ensure that the adequate security practices are being adhered to throughout the life cycle of the contract.
3. Validate data protection and stakeholder communication guidelines: Ensure that all best practices and process incidents, breach notifications, and industry reporting requirements are being met.
4. Foster trust in your supply chain partners: Keep your vendors and subcontractors constantly informed about the importance of maintaining clear and prompt channels of communication. Lead by example and keep your vendors in the loop about your internal security best practices.