Top 5 Supply Chain Vulnerabilities Leading to Ransomware

While earlier generations of ransomware attacks targeted a single organization, companies with large customer and partner ecosystems are now the goal. Previously, threat actors would infect one company. Now they target key players to infect thousands in a shockingly short amount of time. Consider Kaseya as a prime example of this new strategy. REvil gained entry to one company and spread to 60 of its customers. Those customers, in turn, include managed service providers who support 1500 other businesses. This domino effect gives ransomware gangs greater leverage and more opportunities to profit. These dynamics are not going away, so companies must change their practices to prevent ransomware. While there is no panacea for cyber threats, there are preventative measures for specific vulnerabilities. These are five common supply chain vulnerabilities that often lead to ransomware:

Vulnerability 1: Third-party vendors and suppliers

The most significant, and least surprising, vulnerability in supply chains is third parties. From software suppliers to HVAC repair, companies rely on numerous contributors to support the global economy. Yet for every vendor, supplier, or other party added to the supply chain, there is a corresponding risk. Not every third party is technically sophisticated or mature enough to recognize and prevent the spread of ransomware, and technical skill alone does not stop a third party from infecting others. SolarWinds, a technology company, found itself a primary spreader of malware via its Orion software. Retail giant Target was breached when an HVAC repair company unknowingly infected its systems. The same vectors used in these attacks would have worked just as well for ransomware. Companies should audit their third parties' security, for example via security rating companies such as SecurityScorecard, before integrating them into a supply chain, or move directly to a third-party risk management solution.

Vulnerability 2: Supplier Access

Supplier access, whether digital or physical, creates vulnerabilities. Digital access of the type afforded to technology partners is particularly important. After all, there is an expectation that software updates or patches from the vendor are safe, and no one is reviewing the code line by line. However, if your technology vendor is compromised, that access becomes a significant vulnerability and an opportunity for ransomware. This is, unfortunately, what occurred during the cyberattack on Kaseya. On-site vendors carry a similar risk. Along with the skills they bring, they also carry the risk of spreading malware via diagnostic tools and other technology. A threat actor can infect a seemingly low-risk vendor with malware via phishing, review that vendor's client list afterward, and then proceed with a ransomware attack. This strategy is effective because many physical vendors are not cybersecurity experts and may not have the training to avoid infection. This is what happened when retail giant Target was breached by an HVAC repair company that unknowingly infected its systems. When protecting against vendor access vulnerabilities, the best option is to secure against unauthorized remote access and phishing campaigns. CybelAngel Asset Discovery and Monitoring is effective in locating unsecured RDP endpoints exposed to unauthorized access, while Domain Protection prevents the phishing campaigns used to infect physical vendors.

Vulnerability 3: Domain Squatting

Domain squatting is an under-the-radar threat when thinking about supply chains and ransomware. Ordering additional supplies, updating product listings, submitting repair requests, exchanging documentation: there are many reasons why you and your vendors interact with each other's web domains. A simple typosquatted domain could lead an unsuspecting employee to log in to a fraudulent page, giving threat actors both their credentials and an opportunity to infect a machine with malware. This type of attack is economical for threat actors, requiring little work with potentially huge rewards. Domain Protection is key to preventing cyber-squatting, phishing campaigns, and watering-hole attacks, which are key vectors for ransomware. CybelAngel Domain Protection reduces the risk faced by companies by locating and removing false domains.
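To make the detection side of this concrete, here is an added example (not CybelAngel code, and not part of the original post) that generates the lookalike variants a typosquatter would register for a brand domain and matches them against a feed of observed registrations, such as certificate-transparency or passive-DNS results. The brand domain `acmesupply.com`, the `OBSERVED_FEED` list, and the homoglyph and keyword tables are all constructed for the example; real feeds, TLD lists, and a proper public-suffix parser would replace them in production.

```python
"""Typosquat candidate generation and matching against an observed-domain feed.
Added example with constructed data; not the original article's or vendor's code."""
from typing import Dict, Iterable, List, Tuple

# Visually confusable substitutions commonly seen in lookalike domains (constructed subset)
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
              "a": ["4"], "s": ["5"], "g": ["9"], "m": ["rn"], "w": ["vv"]}
# TLDs to check for "same label, different TLD" registrations (constructed subset)
COMMON_TLDS = ("com", "net", "org", "co", "io", "biz", "info")
# Words squatters bolt onto a brand to make a phishing page look legitimate (constructed subset)
KEYWORD_AFFIXES = ("login", "secure", "support", "portal", "billing", "update")


def split_domain(domain: str) -> Tuple[str, str]:
    """'acmesupply.com' -> ('acmesupply', 'com'). Simplification: single-label TLD."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def omissions(label: str) -> set:
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transpositions(label: str) -> set:
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:] for i in range(len(label) - 1)}


def repetitions(label: str) -> set:
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def homoglyphs(label: str) -> set:
    return {label[:i] + sub + label[i + 1:]
            for i, ch in enumerate(label) for sub in HOMOGLYPHS.get(ch, ())}


def hyphenations(label: str) -> set:
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def affixes(label: str) -> set:
    out = set()
    for kw in KEYWORD_AFFIXES:
        out.update({f"{label}-{kw}", f"{kw}-{label}", f"{label}{kw}"})
    return out


def candidates(domain: str) -> Dict[str, str]:
    """Map every generated lookalike domain to the technique that produced it."""
    label, tld = split_domain(domain)
    generators = {"omission": omissions, "transposition": transpositions,
                  "repetition": repetitions, "homoglyph": homoglyphs,
                  "hyphenation": hyphenations, "keyword-affix": affixes}
    out: Dict[str, str] = {}
    for name, gen in generators.items():
        for lab in gen(label):
            if lab != label:                       # e.g. swapping "pp" yields the original label
                out.setdefault(f"{lab}.{tld}", name)
    for other in COMMON_TLDS:                      # TLD swap keeps the label intact
        if other != tld:
            out.setdefault(f"{label}.{other}", "tld-swap")
    return out


def find_lookalikes(domain: str, observed: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (observed_host, technique) for every feed entry whose registrable
    domain is a generated lookalike of `domain`. Simplification: the registrable
    domain is taken as the last two labels, so subdomains of a squat still match."""
    domain = domain.lower()
    cands = candidates(domain)
    hits = []
    for raw in observed:
        host = raw.strip().lower().rstrip(".")
        registrable = ".".join(host.split(".")[-2:])
        if registrable == domain:                  # our own domain and its subdomains
            continue
        technique = cands.get(registrable)
        if technique:
            hits.append((host, technique))
    return sorted(hits)


# Constructed feed standing in for CT-log / passive-DNS output
OBSERVED_FEED = [
    "acmesupply.com", "www.acmesupply.com",        # legitimate, must not be flagged
    "acmesuply.com", "acmesuppyl.com",             # omission, transposition
    "acmesupp1y.com", "acrnesupply.com",           # homoglyphs (l->1, m->rn)
    "acme-supply.com", "acmesupply-login.com",     # hyphenation, keyword affix
    "acmesupply.co", "portal.acmesupply.co",       # TLD swap, and a subdomain of it
    "acmeindustries.com",                          # unrelated, must not be flagged
]

if __name__ == "__main__":
    for host, technique in find_lookalikes("acmesupply.com", OBSERVED_FEED):
        print(f"{host:28s} {technique}")
```

Each hit names the technique behind it, which is what a takedown request or a mail-gateway block rule needs to cite. The generators are deliberately independent so that a new one (adjacent-key typos, bit flips, IDN confusables) can be added without touching the matching logic.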

Vulnerability 4: Old Technology

When considering the risks to and from your supply chain, the level of technical sophistication your partners possess is critical. As technology ages, the number of known vulnerabilities grows while the supply of patches to close them shrinks. It is not uncommon to find vendors running out-of-date, unpatched, or no-longer-supported operating systems. In March 2021, Microsoft disclosed four CVEs affecting an older technology option, on-premise Exchange servers. An estimated 30,000 organizations were breached in a cyberespionage campaign that could easily have been a ransomware attack. Another issue is that of decommissioned assets that remain connected to the central infrastructure. These decommissioned assets, whether databases, file servers, or backup media, are not secured with the latest patches, leaving them vulnerable to exploits. With old technology, awareness is often the first step in securing it against malware infection. Asset Discovery and Monitoring from CybelAngel is key to locating such assets so they can be evaluated and resecured.

Vulnerability 5: Shadow IT

Shadow IT is a significant boon to productivity and to ransomware. It is reported that 50% of a company's technology spending is done without guidance from IT departments. The result is assets unknown to those responsible for cybersecurity, configured by people who may not have the skills to secure them. In some cases, if the supplier provides independent items such as IoT devices, there may be some level of authentication or built-in security. Default authentication options should not be taken as a reason to bypass IT, as many IoT and other "secured" devices ship with commonly known default credentials. Many shadow IT issues are easy to fix so long as IT is made aware of them. CybelAngel Asset Discovery and Monitoring is a valuable tool for locating these unknown and unsecured assets before threat actors abuse them.