November 5, 2024

By Apurva Venkat, Principal Correspondent, CSO
Global organizations say they are increasingly at risk of ransomware compromise via their extensive supply chains. 
Out of 2,958 IT decision makers across 26 countries in North and South America, Europe, and APAC, 79% believe their partners and customers are making their organization a more attractive ransomware target, according to the latest research by Trend Micro. 
Fifty-two percent of the global organizations surveyed say they have a supply chain partner that has been hit by ransomware. Supply chain and other partners include providers of IT hardware, software and services, open-source code repositories, and non-digital suppliers ranging from law firms and accountants to building maintenance providers. They make for a web of interdependent organizations. 
“Supply chains are an attractive target because they can offer either a poorly defended access vector and/or an opportunity to multiply illicit profits by infecting many organizations through a single supplier,” the research report notes. 
An example of this is the compromise of IT management software provider Kaseya in 2021. Through a sophisticated attack, hackers exploited an internal software vulnerability to push out malicious updates to its managed service provider customers. They in turn infected downstream customers with ransomware. An estimated 1,500-2,000 organizations were impacted.
Another example is the Log4j vulnerability, which left supply chains struggling to keep track of and patch the flaw. Firms are still facing problems because they are unable to comprehensively locate Log4j across their systems, due to complex software dependencies, according to the Trend Micro research.
“Many DevOps teams use third-party components to accelerate time-to-market for their software. But these often introduce vulnerabilities or deliberately planted malware,” according to the research.  
The average application development project contains 49 vulnerabilities spanning 80 direct dependencies (components or services called directly by code), while 40% of bugs are found in indirect dependencies (essentially, dependencies of the direct dependencies), according to a recent report from the Linux Foundation.
Supply chain security can be improved by increasing transparency around cyberrisk. However, only 47% of the organizations Trend Micro interviewed share knowledge about ransomware attacks with their suppliers and 25% don’t share potentially useful threat information with partners. 
“This could be because security teams don’t have information to share in the first place. Detection rates were worryingly low for ransomware activities,” according to the research.     
The detection rate for ransomware payloads is 63%; for data exfiltration it is 49%, for initial access 42%, and for lateral movement 31%, according to the report.
Mitigation of ransomware risk should start at the organization level. “This would also help to prevent a scenario in which suppliers are contacted about breaches to pressure their partner organizations into paying up,” according to the research. 
In the last three years, 67% of respondents who had been attacked experienced this kind of blackmail to force payment.  
While ransomware mitigation starts inside the firewall, the research suggests that it must then be extended to the wider supply chain to help reduce the risk from the third-party attack surface.
One of the best practices to reduce risk is to gain a comprehensive understanding of the supply chain itself, as well as corresponding data flows, so that high-risk suppliers can be identified. 
“They should be regularly audited where possible against industry baseline standards. And similar checks should be enforced before onboarding new suppliers,” according to the research.   
Other recommended practices include scanning open-source components for vulnerabilities and malware before they are used and built into CI/CD (continuous integration/continuous delivery) pipelines, running XDR (extended detection and response) programs to spot and resolve threats before they can make an impact, and running continuous risk-based patching and vulnerability management.
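The direct-versus-indirect dependency distinction and the advice to scan components before they are built into CI/CD pipelines, as an added example that is not from the article or from Trend Micro: walk a resolved dependency graph, flag every path by which an affected component enters the build, and gate the pipeline on the result. The graph and advisory feed are constructed samples (all names and versions are hypothetical; log4j-core stands in for the Log4j case the article describes).

```python
from collections import deque

# Constructed sample of a resolved dependency graph (package -> its direct dependencies),
# the kind of data a lockfile or SBOM provides. All names/versions are hypothetical; the
# log4j-core entry stands in for the Log4j case described in the article.
DEPENDENCY_GRAPH = {
    "app": ["web-framework@3.1", "report-lib@2.0"],
    "web-framework@3.1": ["http-client@1.4", "log4j-core@2.14.1"],
    "report-lib@2.0": ["pdf-render@0.9"],
    "pdf-render@0.9": ["log4j-core@2.14.1"],
    "http-client@1.4": [],
    "log4j-core@2.14.1": [],
}

# Constructed advisory feed: component name -> set of affected versions.
ADVISORIES = {"log4j-core": {"2.14.1"}}


def parse(pkg):
    """Split 'name@version' into (name, version)."""
    name, _, version = pkg.partition("@")
    return name, version


def find_vulnerable(graph, advisories, root="app"):
    """Breadth-first walk from root; return {vulnerable pkg: list of dependency paths}.

    Every distinct path is recorded so the report shows each route by which the
    affected component enters the build, not just the first one found. A top-level
    manifest scan would only see root's direct dependencies and miss the rest.
    """
    findings = {}
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        for dep in graph.get(path[-1], []):
            if dep in path:  # cycle guard: never revisit a node already on this path
                continue
            new_path = path + [dep]
            name, version = parse(dep)
            if version in advisories.get(name, ()):
                findings.setdefault(dep, []).append(new_path)
            queue.append(new_path)
    return findings


def classify(findings):
    """Label each finding 'direct' (declared by root) or 'indirect' (pulled in by another dependency)."""
    return {pkg: "direct" if any(len(p) == 2 for p in paths) else "indirect"
            for pkg, paths in findings.items()}


def ci_gate(graph, advisories):
    """Pipeline check: True when the build is clean, False when any affected component is reachable."""
    return not find_vulnerable(graph, advisories)
```

In the sample the affected component never appears among the root's direct dependencies; it arrives by two separate indirect routes, which is exactly the case a manifest-only check misses.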
Meanwhile, other research shows that cyberattacks on supply chains are increasing. They rose by 51% during the period July to December 2021, according to a report from NCC Group released in April.
The study surveyed 1,400 cybersecurity decision makers and found that 36% believed that they are more responsible for preventing, detecting, and resolving supply chain attacks than their suppliers. 
The NCC research found that only one in three businesses surveyed were confident they could respond quickly and effectively to a supply chain attack. Of the organizations surveyed, 34% said they were very resilient against such an attack.
Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld.
Copyright © 2022 IDG Communications, Inc.