Supply chain attacks have been a new focus for cybercriminals.
Most organizations do not build their own infrastructure. They purchase servers and components from third parties, and then they install it into their systems. It does not occur to many administrators installing systems that a supply chain involved in building equipment could introduce malware and vulnerabilities allowing attackers to access data. Supply chain attacks are on the rise in many state-sponsored attacks that give threat actors silent and undetected access to data internally.
The Supply Chain and IT
Manufacturing IT components in China is common since it cuts costs and improves revenue. These components are built into components such as motherboards and routers. The manufacturer is given a plan, which should be used to build to specifications. Technology builders then use these components to build their systems locally, and then ship them to customers. Any malicious components inserted into hardware design are left unchecked and unnoticed.
In addition, very few organizations perform any penetration tests on new equipment installed into their infrastructure. Most administrators assume a new system is safe from vulnerabilities provided it’s configured correctly and any software updated. They don’t realize that components built into systems could have been exposed to several third parties prior to arriving at their location. This leaves an opening for attackers to include backdoors into hardware that allows silent attackers to access data.
Backdoors and IT Equipment
With new equipment installed, malicious components might “phone home” and tell attackers that the backdoor is available for entry. Since components are built in the thousands for specific IT companies, an attacker can run scans on public IP addresses to find potential targets. An identifiable backdoor signal provides attackers with a list of compromised systems.
Any equipment with malicious components could allow attackers to eavesdrop on data, scan the network, exfiltrate data to a third-party server, steal passwords, or install additional malware on other equipment. In sophisticated attacks, the malicious equipment could give a state-sponsored threat actor remote control of the local system.
Routers and servers are the two prime targets for supply chain attacks. Routers and switches are the traffic controls of the internet. They are also located within the business internally, so the data routed through these components could be anything from intellectual property, company secrets, sensitive data, and anything else that passes on the network. The data could be a treasure trove for state sponsored corporate espionage.
Servers offer an alternative advantage for attackers. Servers also route data, but they also store it permanently. The data stored on servers could be in a database, files, or configurations. With malicious components installed on a server motherboard, the attacker could take control of it and install additional malware on the network. Very few cybersecurity defenses detect malicious components, so an attacker could go undetected for years in a sophisticated attack.
Supply chain attacks on IT equipment and the software that runs it is increasingly more popular. Very few systems in place offer protections from malicious components. They focus on software installed on the system after it’s installed, but anti-malware is not written to detect malicious components already integrated with the system. These components can avoid detection by integrating with the operating system and running on the kernel layer.
Protecting from Supply Chain Attacks
Anything installed into your system should be suspect until it’s validated and tested. Most administrators run tests on new equipment to ensure that it does not have any bugs or defects, and to ensure that it runs without issues. The security of the system should also be a priority along with these tests.
Penetration testing should be performed to ensure that nothing suspicious happens while the system runs. An engineer can read motherboard layouts to ensure that no additional components are installed, but this review takes a professional who can read system designs. Corporations using equipment from third parties can help reduce risk by knowing their supply chain and understanding where hardware is manufactured and built.
A penetration test can also be done on the system. This can be done to identify any strange traffic patterns and activity executing on the local system. Backdoors might send data back to the attacker to let them know the system is ready for exploit. Running a system in a safe environment with network analyzers and server monitors can help identify any of these attacks.
As more supply chains are compromised, it’s important for organizations to fully test their equipment before installing it. Infrastructure should not be considered safe until fully tested and reviewed.
Protect supply chains from cyberattacks with TitanHQ. Talk to a security expert today about our DNS Filtering Solution, WebTitan. Contact Us.