Adversaries are using an increasingly common and effective type of attack to target enterprises: Third-party compromises.
The attack vector bypasses a company’s usual security stack (firewall, proxy, email, etc.) and preys upon implicit trust between parties. Exploiting trust zones between companies and suppliers or supporting entities occurs more frequently than many realize, with multiple instances uncovered by the security community.
Organizations involved in energy, oil and gas, manufacturing, and logistics are especially at risk because of the variety of security zones and trust relationships.
Adversaries possess multiple options for attacking an organization via third-party compromise: Network pivoting, spear phishing, weaponized installs and certificate/credential theft. Malicious actors can leverage one or more of these techniques against a wide range of verticals.
Network pivoting and a weaponized update featured prominently in the compromise of M.E.Doc in Ukraine. Adversaries successfully weaponized a version of M.E.Doc accounting software with what would become known as NotPetya malware. NotPetya deployed some of the same exploits made infamous by the earlier WannaCry event, while combining this activity with credential capture via Mimikatz and remote process execution through PSExec. Reports detailing Mimikatz exploitation in the ICS environment are available to our WorldView customers.
The malware scanned IP ranges and spread to adjacent subnets, including connections to non-targeted third parties and business partners. As a result, entities far removed from Ukraine (the initial target of the attack) were severely impacted. The attack hit FedEx and Maersk particularly hard by this incident—it cost the Tennessee-based shipping giant $300 million and crippled Maersk, despite not being a direct target of the attack.
Spear phishing via compromised third parties presents an especially effective and dangerous infiltration tactic. An adversary will first compromise a trusted third party, like an ICS integrator, vendor, or contractor, then spear phish from a legitimate account within the third party to their target organization.
An adversary will use a compromised account’s email history to send phishing emails to individuals the account has interacted with in the past for increased effectiveness. This type of attack takes advantage of existing, implicit trust—a targeted user will be more likely to let their guard down because of a previous working relationship. Such trust extends beyond merely reading the message to include prompting the targeted user to open attachments or visiting web links they would otherwise ignore from unfamiliar entities.
Malicious backdoors implanted on NetSarang and Avast’s CCleaner provide additional examples of IT vendor compromise as a vector toward further intrusions based on trust relationships. Both attacks were highly-targeted and relied on compromising the software suppliers (as softer targets) to enable follow-on targeting. Examples of lucrative targets for these campaigns include: Samsung, Cisco and Microsoft. The adversaries successfully avoided multiple layers of defense by weaponizing versions of otherwise legitimate software released by the vendor to create an initial foothold in the target network.
Certificate and credential theft represents the final mechanism for subverting trust to achieve compromise. These techniques can be used in direct attacks against an organization, but enable a unique, multi-staged compromise method when leveraged via third-party compromise.
Credential theft is growing in popularity, with multiple mechanisms available to retrieve logon information. Adversaries can compromise contractor credentials, for instance via team collaboration tools, to provide an authenticated mechanism to access the ultimate target free of typical IT controls for “internal” network accounts. Certificate theft poses unique risks, especially considering code signing certificates. Code signing certificates authenticate software as the product of a trustworthy vendor. Compromising a software signing certificate enables an adversary to cryptographically sign their malware, frequently bypassing anti-virus because the code appears to be legitimate. Code signing via stolen certificates has been used to great effect by threat actors in past intrusions.
Threats to industrial asset owners and operators
While these example attacks are IT-network focused, the same risks apply to ICS asset owners with potentially far more serious impacts.
Direct connections into protected areas (power plants, plant floors, management subnets) should be limited and monitored for suspicious activity. ICS asset owners and defenders can also create a DMZ for an extra layer of security and require all third parties to connect through it, with enhanced monitoring and analysis of traffic enabled therein, to enforce security controls and improve visibility.
Supply chain threats and third-party compromise are one of the most difficult problems for industrial defenders. Network defenders must know and understand third-party connections and dependencies for their organization: Where do outside parties connect to and what privileges are granted?
Employee awareness training is also invaluable—internal stakeholders should learn to not blindly trust emails from trusted partners but to be as vigilant as possible: Make the attacker’s job as difficult as possible by thoroughly vetting third parties and their security standards. Prioritize communication and disclosure. Require vendors to report any confirmed compromise and provide a damage assessment.