Between SolarWinds and Log4J, supply chain attacks have become a common occurrence over the past couple of years. In this episode, host Hank Schless is joined by Vodafone security experts Andy Deacon and Verity Carter-Johnson to define what a supply chain is, what the intended and unintended consequences are, and what legal ramifications exist for those who fall victim.
Hank Schless 00:00
Hey everyone, welcome back to another episode of the Lookout podcast. I'm your host, Hank Schless. Glad that you're joining us today. One of the things that has been top of mind in the cybersecurity world is the idea of supply chain attacks. And, in fact, if you look at the 2022 predictions episode we did just a few weeks ago with our CTO of SASE products, Sundaram Lakshmanan, he speaks about the interconnectivity of cloud and on-prem infrastructure, devices and apps as a huge issue in our work-from-anywhere world. So I figured that for today, it'd be great to dive into this idea of the supply chain a bit more. I'm very happy to be joined by two of my colleagues, Vodafone security thought leadership manager Andy Deacon and security specialist Verity Carter-Johnson. Welcome to the show, Andy and Verity.
Andy Deacon 00:59
Hey, Hank, thanks for having us. Nice to be here. Looking forward to it. Thank you.
Hank Schless 01:03
Great to have you both here. So I'm really excited about this chat, because I always enjoy bringing in some external opinions on these things, and really getting an idea of what people are thinking about out in the broader market. And, Andy, I'll start with you here. If we can just levelset a little bit and make sure we're on the same page. The idea of the software supply chain attack was all over the news last year with SolarWinds. So, can you just tell the audience a little bit about what these attacks are and why they're such a hot issue right now?
Andy Deacon 01:29
Yeah, cool. Sounds like a great place to start. So, when we're talking about supply chain attacks, really, you've got to divide into two. So you've got the software attacks. And that's what's been most prevalent in the news recently, things like SolarWinds… which we'll talk about in a moment. But essentially, the aim is to hijack or infiltrate a piece of software that's used en masse, and therefore that gives you access to all sorts of companies, customers, individuals across the globe. And you can kind of cherry pick and see what you get. So you've not necessarily got a target in mind. But if you hit some piece of software, like SolarWinds, that's used everywhere, you've kind of got, you know, the mother lode: you've got everything you want in one, job done, thanks a lot. The other sort of supply chain attack as well that you've got, which is not spoken about as much these days, but it's still really prevalent, it's probably more along the sort of physical attack. So that would be where I would want to infiltrate an organization in a supply chain, and possibly use that to jump into that larger organization at the top, or affect that organization in some way. So it might be that actually, say you're a manufacturer and you make screws for airplanes. I might want to disrupt that airplane, do anything else like that, bring it down, along those lines. One of the things I could do is, if you're the manufacturer, I could get into your organization, tweak your CAD file, make the screw half a mil smaller. Nobody's going to notice till the plane's in the air –– right? –– then, potentially, you're gonna see a high failure rate. Or, likewise, for food security and things like that, I may get into your systems, alter the mixes, suddenly put whey powder in or another allergen or something else like that, into a product that doesn't have that in. You've then potentially got mass recall, you know, public outcry, all that sort of stuff on your hands from that sort of side.
So there's two sorts of supply chain attacks that you've got to consider and understand which one it is that you're defending against or that you might be affected by.
Hank Schless 03:26
Yeah, absolutely. And in some cases, it sounds like it might be a little bit of both. I mean, getting physical access can obviously be particularly detrimental. But you're talking about something like CAD files, and you know, there's still sort of a digital element to that. So could you use the software supply chain to then affect the physical supply chain? You know, is that possible, physically?
Andy Deacon 03:44
I think it all starts out with the intent that you've got. So the intent is slightly different from the outset with both of those attacks. Like if you're doing more physical attacks, your intent is you've got this end goal in mind and you want to affect something. Some of the more software supply chain attacks are more about gaining access en masse or gaining access to organizations that are more difficult to get into using other methods. And seeing what's there, stealing the data, selling it or selling access –– it might be that I just get in and then I sell the access. I don't do anything other than sell access to another group of bad guys. But it's those sorts of things. It's the intent that makes them slightly different, I think.
Hank Schless 04:22
Got it. Yeah, that makes sense. And you mentioned before Log4j. That was obviously in the news late in 2021. That's a prime example of a software supply chain attack. Can you dive into that a little bit? Kind of into some of the victims, the chain there. What happened?
Andy Deacon 04:37
To be honest with you, I don't think we've started to see the ramifications for that yet, or it's not started to hit home. Right? The vulnerabilities have just been announced. We've seen the first live exploits. We can see that people are scanning, looking for vulnerabilities to get in and see what's there and use it. But essentially, you know, it's a bit of software that's used for logging on the back end of most applications, web servers, things like that. So it's prevalent and a lot of people out there might not know that they're using it as well, because it's buried quite deep in the stack. So you've got this thing. And if you construct the right command on the front end, it'll log something in the back end, or very helpfully process that log file and execute your command. If you've crafted it properly, it won't check anything, it won't ask for permission, it will just go ahead and do exactly what you've told it to do. So download more malware, go to this website, return this information to this address, anything you want; it's got to be crafted in the right way. But you know, you can do that. So it's a great example of the supply chain sort of vulnerabilities and attacks in that it's used everywhere, by a lot of people en masse. It's got the highest CVSS rating that you can get, the 10. It's really easy to exploit, which means actually loads of people are vulnerable to it. And they probably don't know that they are because they're not aware that they're using tools or things like that, that actually have it in the back end. For years, we're gonna see servers that are plugged in somewhere that somebody forgot to patch or they don't know exist. And we're only just starting to see the outcome of, kind of, all of this Log4j. So at the moment, keep your eyes peeled for what falls out, really.
Hank Schless 06:09
Yeah, absolutely. It almost sounds like how Microsoft Exchange vulnerabilities have been popping up, it seems, over the last couple of years, pretty consistently. What I think is most interesting about it is that a lot of the supply chain attacks on the software side are about leveraging, exploiting sort of the implicit trust, not that we have as humans, but it's actually like the trust that links these systems together. And I think that, thinking back to what I mentioned at the start, with the interconnectivity of apps and data and platforms and all this stuff, I think it's sort of the prime example, right? Like, we may put the, you know, the integration in place. We may hook up the APIs, whatever it may be. But it's all about sending a particularly crafted string of code into a vulnerable server. It's going to automatically process it and then make the call. I think, in this case, they then made a call out to what was, I think, either C2 or some sort of malicious source, command and control for that, and then it pulled in something malicious. So again, it's automated functionality that people are taking advantage of.
Andy Deacon 07:04
It is, and that's kind of a great way to think about it, really. And the sort of interesting thing that separates the Log4j vulnerability out slightly as well is it's actually abuse of a built-in function that's designed to help developers perform commands on the back end. So it's not like somebody's found a weakness, as in a lot of the other things, in other ways they do through malware, or through memory overflow, to exploit these things and gain access. They're just simply taking advantage of functionality that's in there to do a different job and using it in a different way, which kind of brings us back into this secure-by-design mindset. And when you're designing these features and you're using them as software developers, think about how they might be used maliciously or nefariously. Because what you think is a good thing, in the wrong hands is a pretty useful tool.
Hank Schless 07:51
And in terms of security, it sounds like a lot of times it's more about the access, right? So it's understanding what users and devices are doing across the entire infrastructure, and also how they're interacting with data, like that. One thing a lot of people kind of don't know, if it's, like, mixed up or just sort of mashed together, is the idea of all of these types of attacks, whether it's supply chain, ransomware or whatever it may be –– all being a quote, unquote, data breach, right? But in reality, with access kind of being king, a lot of times it's not that valuable data –– breached data –– that was removed from the infrastructure. Whereas like, for example, with these attacks, a lot of times, it's about creating a backdoor to give someone sort of this unbridled access that allows them to sort of circumvent the security solutions that are in place. And then, you know, with ransomware, it's just about encryption. You know, sometimes they may pull some data just to, kind of, hold as additional captive for the whole thing. But I just think it's interesting to kind of break it all down there. And also, being able to do all of that across both cloud and on-prem is difficult, to your point about seeing the future of all of this.
Andy Deacon 08:53
Yeah, I think you've made a good point there on access, really, because it isn't necessarily about the data that you steal. For a lot of these, these bad guys and threat actor groups and things like that, access is king. And until they… you know, in a software supply chain sort of attack like this, you don't know who you're going to hit necessarily. You've got a good idea of who you might get, but you don't know. And also, once you're in, you don't necessarily know what you've got access to, how far you can get, or what's there. So you might go, well, actually, I've got some good access here into this large organization or government body. But there's nothing I want to do with it right now. So I can either keep in there, keep the access, wait until the pay day comes along, or, you know, something like that, or I sell it on to another threat actor group and say, "Hey, guys, I've got this level of access to these, you know… I'll hand you the keys to the kingdom for, you know, some bitcoin." And that kind of goes on in the background, right? And you kind of touched on the ransomware piece as well. And that's interesting because we're starting to see the evolution of ransomware now, right? So you're starting to see the double extortion types of ransomware, as it's kind of being called, whereas, actually, they will encrypt your data. But to get around the fact that you may have perfect backup systems in place and, you know, you just go, that's fine, I'll wipe it all and put it back, they're also now doing the extortion element to it. So if you don't pay us, we'll release the data, which will then get into a minefield of other things, potentially legally, or from a brand point of view and things like that. So, you know, it's constant, constant evolution, which makes attacks like this so dangerous, that you might be breached. And you might not know, because you update… Not vulnerable anymore, but you might have already been breached, the access might already be there.
And unless you then go back through and check for these things, look through log files, look through the command –– the command is structured in a particular way. So absolutely not trawling through, you know, years and years of random log files. You're searching for particular things, which narrows it down and makes it easy to do. But if you don't go and do that, actually, you're not going to know necessarily. So it's important to patch and update. Is it more important to check, check those log files, see what's going on?
Hank Schless 11:09
Right, right. Absolutely. So, I do want to shift gears here a little bit... But in addition to, kind of, the access, the breach, the encryption side of things with all of this, there are also a lot of legal ramifications, so in the United States, the EU, the UK, kind of across the board. So let's keep on the Log4j here. There are legal actions and fines that were talked about in regards to it. Is that correct? What's kind of going on there?
Verity Carter-Johnson 11:33
Absolutely, it's a really current issue at the moment. The whole thing kind of kicked off in the US when the Federal Trade Commission issued an alert following the Log4j breach. So there it's stated that legal action may be forthcoming for those who don't patch this issue out of their networks. So, interestingly, the alert actually made reference to the Equifax breach back in 2017 which, like Log4j, was another Apache vulnerability, where the Federal Trade Commission, another trade commission, and all of the 50 US states sued Equifax for failing to take reasonable steps to secure its network. So this kind of increased legal action and fines for supply chain data breaches means that companies are now not, kind of, just the victim of a cyber crime. But they can also now be the perpetrator of a crime, if they've not patched their vulnerability, which is really interesting. And then kind of moving away from the US towards the EU, supply chain breaches of this type are governed by GDPR, which requires data controllers to kind of implement the appropriate technical and organizational measures to protect the personal data they possess. And there's a maximum fine of 80 million or 4% of annual turnover. So it is quite significant. And then in terms of the UK, obviously, post Brexit, the GDPR requirements were actually merged into UK law, known as UK GDPR, a year ago, which sets the maximum fines fairly similar as well: 17.5 million or, again, 4% of annual global turnover. What is interesting is, going on what the FTC said, this, you know, may seemingly just be the start. And we can expect other regulatory bodies around the world to follow a similar stance in terms of supply chain breaches. And the years of regulators maybe not having teeth or little power are over, and these types of fines are maybe now becoming a fact of corporate life.
Hank Schless 13:36
Yeah, absolutely. The other thing, too, is that the examples we've used have been massive public companies that have been around forever. But what about small businesses? I mean, this can be an issue for them. The software supply chain is used by everybody, you know. Maybe looking in the context of Europe, in the UK, where do the small businesses stand with all this?
Verity Carter-Johnson 13:54
Yeah, so we've seen GDPR fines on small businesses rise hugely in recent years. I mean, they mainly have been related to processing customer data, unsolicited emails, the reselling of personal information. And although we haven't seen a direct example of a GDPR fine for a supply chain breach in a small business yet, I think this is, you know, mainly because small businesses are less security savvy, and they don't really have the tools in place to realize that they have been breached. And often the small businesses aren't the targets. They're just the stepping stone to the big guys at the top. So, you know, hackers don't actually want to alert these businesses. They want to sit undetected for as long as possible, so that they can attack the larger links in the supply chain. These attackers aren't technically stealing the small businesses' data; it's purely an added bonus if they do come across something that is a bit interesting. So, the malware, you know, can sit largely undetected in these networks, meaning the supply chain attacks on smaller businesses are less likely to be detected and reported and then, you know, the fines are low. But, I mean, linking back to the Log4j. From the FTC, the small companies are not only becoming indirect targets, but also the shift in legal responsibility means that they're now having to pay fines if they don't take reasonable action to patch holes. So these companies have got to be more proactive. And it appears only really a matter of time before these small businesses are held liable. And given that fines can be scaled to a percentage of revenue, this can be very expensive for them.
Hank Schless 15:31
Yeah, they may not have the financial fallback that a lot of these other bigger businesses have. So I think it's important just for everyone to understand that this is not an issue just for the big guy. It affects everybody. Andy's nodding in agreement.
Andy Deacon 15:44
Yeah, no, I was just gonna say, okay, so it's interesting from the small perspective as well, and also the kind of legal stance that Verity just explained as well. In some respects, things like Log4j, things like that, are kind of unique in that they are, you know, rated so highly, they're so widespread, they're so easy to exploit. I think that is probably driving a lot of the regulators to go, actually, "Come on, guys, the patch has been out for a while now. You know how important it is to apply this patch. You know what the risk is. The excuses of going through the 'oh, we need to test this; we need to do that' isn't going to cut it. Because the risk is too great." I think that's kind of maybe where they're, they're starting to go, look.
Hank Schless 16:22
Yeah, come on, draw, drawing the line a bit.
Andy Deacon 16:25
Yeah, pull your finger out. You should have patched it by now.
Hank Schless 16:28
Yeah, we all know you could do it. We're coming up on time here, guys. This has been a great conversation. I've really enjoyed getting your insights on this. But to wrap it up, maybe each of you have one or two things that organizations large or small should, could be doing just to ensure that they aren't caught up in these supply chain attacks, whether it's intentional or not.
Andy Deacon 16:48
Yeah, I think for me, Hank, there's two things here. One is understanding where you are in that supply chain. Are you the big fish? Or are you likely to be the stepping stone –– right? I think we can all kind of make that assessment, and that will then affect how you defend yourself, what measures you put into place, what you do. The other thing with that as well is to think about, as you're growing your business, you know, the sales guys are out there or you're out there and you're going, right, "I need to win this contract; it's going to be amazing." Nobody thinks what risk that is now going to open that organization up to, right? Or are you now suddenly going to be more appealing to the bad guys as a route into somebody bigger? Are you a florist, for instance? Have you won the contract to supply government buildings with flowers? If so, brilliant, you now might be more interesting to an attacker because they could be using you as a way into that organization, piggybacking on that reception. So it's just you've got to have a think about whether things are worth it, whether your security is mature enough, you know. Every big deal has consequences. Have a think about it from a risk perspective. And do the basics. It's the basics that burn all the organizations. It's not the sexy stuff you hear about in the news. It's the basics. Make sure your passwords are unique. Make sure you've used AV and things like that. Make sure you've used tools on the mobile devices that keep you protected. It's all that basic stuff, actually, that will protect you nine out of 10 times.
Hank Schless 18:13
Absolutely. Thanks for that. And Verity, anything to add?
Verity Carter-Johnson 18:16
That was great, Andy. I think I was just gonna say that the National Cyber Security Centre, the NCSC, do provide great advice for small businesses, and particularly relating to the Log4j vulnerability as well, on kind of what you should be asking and how you should be responding to that as well.
Hank Schless 18:33
Always good to take advantage of those types of resources. That's all the time we have today, guys. Thank you both for joining me.
Andy Deacon 18:39
Thanks. Thanks, Hank. Great.
Verity Carter-Johnson 18:41
Thank you, Hank. Yes, fantastic.
Hank Schless 18:43
Absolutely. So for everyone listening, thank you for joining us, for taking some time out of your day with us here at Lookout to get the latest scoop on anything cybersecurity related. You can always check out our blog at lookout.com/blog. Follow us on Twitter and LinkedIn at Lookout and, of course, subscribe to the podcast wherever you decide to listen to them. So that's a wrap for today. Thank you all for tuning in. And we'll see you next time.