MyCena, Author at MyCena®

The software supply chain saw a 51 per cent increase in cyber attacks in 2021, according to a new report. Large-scale attacks, like SolarWinds and Kaseya, made the headlines – but were single examples of a problem affecting thousands of companies. Attackers targeted supply chain firms for the publicity and large-scale disruption on offer. Where normal companies will see an attack confined only to their services, supply chain software has the potential to travel down the line to customers and partners. According to the report, supply chain companies have increased their IT defence budget by around 10 per cent to address security.

An attack on a Ukrainian satellite service has left the rest of the world anxious about future attacks. In February and March, the Ukrainian KA-SAT Viasat satellite network was the victim of a suspected Russian attack, adding to the ongoing ground war. The incident resulted in an interruption to connectivity, causing a period of disruption for clients and services. Now, the US has warned satellite providers worldwide to be on alert. Due to the success of the attack – and the potential for widespread disruption – a CISA-FBI advisory board has recommended that security teams increase defences where possible. The board also advised that attacks against critical infrastructure satellites were even more likely.

In late March, the infamous Lapsus$ hacking group posted a number of concerning messages online. In a series of posts, the group claimed to have obtained Microsoft source code from Bing Maps, Bing search engine, and Cortana. It also posted evidence that it had taken control of an administrator account at Okta, a network authentication provider. Okta provides services for tens of thousands of companies, including FedEx and some local councils. Eventually, it was revealed that Lapsus$ had gained access through a single Okta subcontractor employee’s account with elevated administrator privileges. The attack is another example of software supply chain access proving a critical security flaw.

Another established hacking group, FIN7, has begun to attack supply chain software through reused passwords, according to recent research. FIN7 gained notoriety in the 2010s for attacking point-of-sale devices with credit-card-stealing malware. However, they have now begun to target the supply chain, following the pattern set by many other hacking groups. This shows that FIN7 may now be prioritising ransomware as their main source of monetisation. The research revealed that FIN7’s main method of entry into systems was targeting password reuse, logging into an employee’s account once they had obtained the reused password. Once inside the system, they were then able to carry out their new attacks.

City law firms in London have been placed on red alert for cyber-attacks. According to recent warnings, City firms may be targeted due to the ongoing situation in Ukraine. And, with such high-profile disruption and lucrative ransoms tempting attackers, law firms may become a new favourite target. Law firms are also soft targets due to the incredibly sensitive client data stored on their servers. If a breach were to occur, not only would law firms fall foul of GDPR and data protection laws, but they could also breach client-attorney privilege. A recent attack on the Ince Group, a London-based law firm, saw the beginning of the difficulties City firms could face if the predicted attacks do occur.

A novel phishing technique called the browser-in-the-browser (BitB) attack was uncovered by an infosec researcher in mid-March. It uses simulated browser windows and other authentication service providers to steal login credentials.

BitB attacks act as an extension to existing clickjacking or user-interface redressing, which alters the appearance of browsers and web pages to trick users into bypassing security controls. With this technique, an entirely fabricated replica is created – a user thinks they are seeing the real popup window, but it’s just faked within the page.

“Very few people would notice the slight differences between the two,” according to the report. “Once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website.”
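Because the replica window is drawn inside the page rather than opened by the browser, its "address bar" is ordinary page content, and that is something a defender can look for. The sketch below is an added example, not code from the article or the researcher's report: a heuristic that flags a floating in-page container showing another site's address next to a login surface. The snapshot node shape, the function names and the `.example` hosts are assumptions made for illustration.

```javascript
// Added example: heuristic BitB check over a DOM snapshot.
// Assumed (constructed) node shape: { tag, text, attrs, style, children }.
const URL_TEXT = /^https?:\/\/\S+$/i;

function hostOf(urlText) {
  try { return new URL(urlText).hostname.toLowerCase(); } catch { return null; }
}

// Gather what a subtree displays: URL-looking text and login surfaces.
function collect(node, out = { hosts: [], credential: false }) {
  const tag = (node.tag || '').toLowerCase();
  const text = (node.text || '').trim();
  // Hyperlinks legitimately show URLs; only non-link text counts as an address bar.
  const host = tag !== 'a' && URL_TEXT.test(text) ? hostOf(text) : null;
  if (host) out.hosts.push(host);
  if (tag === 'iframe' || (tag === 'input' && node.attrs?.type === 'password')) {
    out.credential = true;
  }
  for (const child of node.children || []) collect(child, out);
  return out;
}

// Flag floating containers that show a foreign address beside a login surface.
function findFakeWindows(root, pageUrl) {
  const pageHost = hostOf(pageUrl);
  const findings = [];
  (function walk(node) {
    if (['fixed', 'absolute'].includes(node.style?.position)) {
      const seen = collect(node);
      const foreign = seen.hosts.filter((h) => h !== pageHost);
      if (foreign.length > 0 && seen.credential) {
        findings.push({ id: node.attrs?.id ?? null, shownHosts: foreign });
        return; // do not re-report nested containers
      }
    }
    for (const child of node.children || []) walk(child);
  })(root);
  return findings;
}

// Constructed samples: a page drawing a fake sign-in window, and a normal login modal.
const PAGE_URL = 'https://news.example/article';
const FAKE_PAGE = { tag: 'body', children: [
  { tag: 'div', attrs: { id: 'popup' }, style: { position: 'fixed' }, children: [
    { tag: 'span', text: 'https://accounts.sso.example/signin' },
    { tag: 'input', attrs: { type: 'password' } }] }] };
const BENIGN_PAGE = { tag: 'body', children: [
  { tag: 'div', attrs: { id: 'modal' }, style: { position: 'fixed' }, children: [
    { tag: 'a', text: 'https://help.example/reset' },
    { tag: 'input', attrs: { type: 'password' } }] }] };
console.log(findFakeWindows(FAKE_PAGE, PAGE_URL), findFakeWindows(BENIGN_PAGE, PAGE_URL));
```

A real sign-in popup is a separate top-level window, so its address never appears as text in the opener's DOM; a match here is a signal worth triaging, not proof of phishing.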

Julia O’Toole, Founder and CEO of MyCena Security Solutions, says that businesses should remove the danger presented by BitB phishing attacks by ensuring that employees can no longer create, view or type passwords to access the company files, apps and systems. This amounts to taking back access control and removing the risks of human error from the network access process.

“To the untrained eye, which is likely to be the majority of workers, these types of phishing attacks are dangerous yet impossible to spot. All it takes is for one unsuspecting employee to make a mistake and it compromises the entire network.”

“Attacks like these aren’t for quick cash payouts. Actors will sit inside your system and wait to cause the most damage. All the while, the user continues working without realising they’ve unwittingly given their credentials away.”

“Additionally, this type of attack has been utilised in the past. In 2020, cybercriminals used similar BitB techniques on the video game digital distribution service Steam to gain access to consumer credentials. Whilst this may cause damage to individuals, what we’re seeing now is a more aggressive assault on an organisational level.”

While some have recommended using a password manager and Single Sign-On tools to circumvent the problem, as they automatically input passwords without falling for the replica windows, this still presents major issues.

“As we’ve seen recently, centralising multiple passwords behind a manager master password does nothing to prevent access fraud. It only centralises access information for hackers in a breach scenario. This was the case of the Lapsus$ group who, after infiltrating Okta’s network, were able to easily find an Excel document filled with LastPass master passwords to access their customers' domain administrator accounts.”

“Password managers and Single Sign-on tools may provide a surface layer of convenience for users, but in the event of a breach also offer their company’s keys to the kingdom on a silver platter. Instead, access segmentation and encrypted passwords distribution is a more effective solution that completely removes the potential threat of human error or fraud from the equation and safeguards access integrity.”

“Additionally, businesses might see the appeal in doubling down with multi-factor authentication (MFA) methods as a precaution. But their initial loss of access control means that not even MFA can guarantee the legitimacy or integrity of access. Cyber attackers have found many ways to infiltrate those as we’ve seen recently through known vulnerabilities in MFA protocols. Relying on MFA merely postpones an inevitable breach of access, rather than securing your cybersecurity and cyber resilience outright.”

“Cyber attackers are more intelligent and relentless when it comes to modern-day phishing techniques. Relying on traditional security approaches is no longer enough.”

“Instead, returning access control, segmentation and security to the organisational side ensures that employees no longer need to create, see, or type passwords. Using a safe path from receiving, storing to using encrypted credentials, means they don’t have to worry about leaking them accidentally to cyber actors.”