Since the start of the COVID-19 pandemic, CovertSwarm has detected a significant increase in the number of new and highly-targeted cyber attacks against organisations and their supply chain partners.
We have found that many of the techniques being used are not typically tested for by an organisation's internal security team, nor do they form part of its traditional penetration testing (pen test) regime or red team engagements.
As a result, we now see targeted organisations – especially their users and supply chain partners – increasingly unprepared to detect and respond to these new-style cyber attacks.
In times of perceived ‘crisis’ - where there is a sense of ‘panic’, ‘confusion’ and staff are trying to rapidly respond to uncertainty - they will often simply ‘react’ to messages: it is at this point that they are most likely to fall victim to a cyber attack. ‘Threat actors’ who have malicious intent - such as Advanced Persistent Threats (APTs) and state-sponsored hacking groups - will always look to create and take advantage of such stress-inducing situations. Prime targets in such a scenario are the users and supply chain partners of a target organisation.
We see more and more cyber attacks succeeding because threat actors tailor their attacks to exploit the partners of a business, and then move laterally to breach their intended target. This is often achieved by exploiting data in the public domain: recent organisational changes, PR news and general 'press' updates (e.g. a change in CEO, office location, or recent M&A details) associated with the ‘target’ or their supply chain partners. Some of the newest techniques that we have detected being aimed at cyber-exploiting organisations and their supply chain partners include:
· Targeted COVID-19 Phishing – Not your typical ‘eBay’ or ‘Banking’ style scam: the threat actor poses as a government department/official, an NHS ‘track and trace’ representative, or the 'World Health Organisation', informing users that they have been in close contact with someone who has tested positive for COVID-19. They go on to ask them to visit a fake website into which they are encouraged to enter personal information – on occasion their corporate IT credentials. These user-disclosed details are later used to gain access to vulnerable commercial systems.
· Targeted Vishing – Vishing is ‘Voice Based Phishing’ – Our analysts have observed a number of attacks where the threat actor has posed as a member of the target company’s IT department, and spoofed the inbound-displayed phone number to show the ACTUAL number of their genuine IT department. The threat actor will then proceed to convince the user they are a member of ‘their IT support team’ and have the unsuspecting user provide access to their machine and/or provide their commercial IT credentials.
· Targeted Smishing – Smishing is ‘SMS based Phishing’ – In these attacks the threat actor has been shown to send an SMS appearing to be from someone senior within the target organisation, or a supplier, requesting that the recipient visit a website, call a specific phone number, or perform an action that exposes data that can lead to a breach.
· Known, unpatched vulnerabilities – It is increasingly common (even more so given the limited and often-stretched IT resources since the pandemic) to see known software vulnerabilities left unpatched within companies, and between supply-chain systems that link together multiple companies. These unpatched vulnerabilities are simply waiting for a threat actor to discover and exploit them. Understandably, so many organisations are focusing on keeping their business running at the moment, that security best practice is being left behind. Attackers know this. Many organisations we speak to understand they are exposed to this risk but are simply overwhelmed by the ‘noise’ of not knowing what to secure first.
· Unknown Exploits – Attackers are always looking for the newest ‘way in’ and will be constantly looking for new, previously unknown attack vectors, or ‘0-days’. These points of ‘new’ compromise can be created accidentally within a vulnerable organisation from its in-house developed software teams; commercial off-the-shelf software/products updates; or simple misconfigurations left behind after frequent IT changes. We see this problem further amplified within fast-moving organisations - including those who build software that glues supply chains together – inadvertently creating new vulnerabilities between each incremental release of their latest supply-chain product. As such, points of compromise are everywhere, and are continually being created – they just need to be found and exploited. 'Occasional' pentesting misses the ability to detect these new vulnerabilities at the point of creation, and so they make it to production and expose the business to an increased risk of breach.
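The COVID-19 phishing and smishing lures in the list above share one detectable property: the message invokes a trusted brand (NHS track and trace, the World Health Organisation) but the link it carries points somewhere that brand does not own. The Python below is an added example, not CovertSwarm's code, showing one defensive check a mail or SMS gateway could run over inbound messages: a brand-to-domain allowlist (constructed here for NHS and WHO; a real deployment would curate its own) and a rule that flags any URL in a brand-invoking message whose host is not the allowed domain or a subdomain of it. The sample messages are constructed for the demonstration.

```python
"""Flag messages that invoke a trusted brand but link to a host that brand does not own.

Added example (not part of the original article). The allowlist below is an assumption:
a defending team would maintain its own mapping of impersonated brands to legitimate domains.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: brand keyword (lowercase) -> domains the brand legitimately uses.
BRAND_DOMAINS = {
    "nhs": ("nhs.uk",),
    "world health organisation": ("who.int",),
    "world health organization": ("who.int",),
}

# Matches http(s) URLs up to whitespace or a closing quote/bracket.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def host_is_under(host, domain):
    """True if host is the domain itself or a subdomain of it (nhs.uk, www.nhs.uk, 111.nhs.uk).

    A plain substring test would be fooled by hosts such as who.int.covid-update.example,
    so the check anchors on the label boundary with a leading dot.
    """
    return host == domain or host.endswith("." + domain)


def brands_mentioned(text):
    """Return the allowlisted brands whose name appears in the message text."""
    lowered = text.lower()
    return [brand for brand in BRAND_DOMAINS if brand in lowered]


def flag_brand_lures(message):
    """Return (brand, url, reason) for each URL that is not under a domain of a brand the message invokes.

    A message that names no known brand yields []: this check deliberately judges only
    messages that borrow a brand's authority, and leaves everything else to other controls.
    """
    findings = []
    brands = brands_mentioned(message)
    if not brands:
        return findings
    for url in URL_RE.findall(message):
        host = (urlparse(url).hostname or "").lower()
        for brand in brands:
            allowed = BRAND_DOMAINS[brand]
            if not host:
                findings.append((brand, url, "unparseable host"))
            elif not any(host_is_under(host, d) for d in allowed):
                findings.append((brand, url, f"host {host} is not under {', '.join(allowed)}"))
    return findings


def triage(messages):
    """Map message index -> findings for every message that produced at least one finding."""
    return {i: f for i, msg in enumerate(messages) if (f := flag_brand_lures(msg))}


# Constructed sample messages (not real lures): two impersonation attempts, two benign.
SAMPLE_MESSAGES = [
    "NHS Test and Trace: you were in contact with someone who tested positive. "
    "Book a test at https://nhs-trace-results.example/book",
    "NHS: your appointment is confirmed, see https://www.nhs.uk/conditions/coronavirus-covid-19/",
    "Hi, invoice attached, see https://portal.example.net/x",
    "World Health Organisation advisory: https://who.int.covid-update.example/advisory",
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_MESSAGES).items():
        for brand, url, reason in findings:
            print(f"message {index}: impersonates '{brand}' via {url} ({reason})")
```

The fourth sample shows why the suffix check anchors on a dot: `who.int.covid-update.example` begins with the genuine domain but is registered under an unrelated one, and a naive prefix or substring comparison would let it through. The check does not cover the "call this number" variant of smishing, since there is no equivalent allowlist for phone numbers; that lure is better handled by the user-side rule of returning calls only via a number from the organisation's own directory.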
In all these scenarios, the barrier to entry for the threat actor (including the cost versus reward for them) is very low: threat actors can perform these attacks from anywhere in the world and cause irreversible damage to the target company, with inevitable impact on its supply chain partners – many of whom we have seen being caught in the resulting ‘cyber fallout’ and suffering secondary breaches, or cyber-driven fraud. All for a few dollars of cloud-compute resource.
To compound this risk, once a threat actor has a foothold within an organisation, they will rapidly seek to exploit further assets and the connected businesses who reside in the same supply chain. Increasingly, CovertSwarm has observed on the ‘dark web’ that these attackers will 'sell' their initial breach of a business - and its ongoing access into that targeted business - to another threat actor who will carry out further attacks. This is an increasingly common commercial transaction, and a type that is proving to be highly lucrative for the nefarious attackers.
What is the answer to addressing the risk of these new styles of cyber attack?
Many organisations will be spending money auditing their supply chain; running penetration tests or ‘red team’ engagements; vulnerability scanning; or simply praying that their latest security product purchase works to further secure them – all of these options absolutely have their place as part of a wider security programme. However, the real and most relevant answer is to look to cyber organisations offering the same level of constant cyber attack as the threat actors. CovertSwarm does this with a focus on continually helping organisations improve their security posture; reduce cyber security fear and uncertainty; and allow our clients to secure themselves and their supply chain partners by focusing on addressing their real and most critical cyber risks.