The aggregate risk potential of a SPOF

SolarWinds and Kaseya have shown that supply chain attacks are now firmly in the sights of cybercriminals, warns CyberCube’s Darren Thomson.

As the high profile SolarWinds and Kaseya hacks have demonstrated, malicious actors are increasingly seeking to exploit single points of failure (SPOFs) in order to hit an entire ecosystem. A SPOF, a flaw in the design, configuration or implementation of a system, can bring down entire systems and operations if they are compromised.

“SolarWinds and other attacks have proven there are vulnerabilities that exist in software that represent single points of failure, and in some cases those vulnerabilities can be leveraged in order to attack a supply chain and distribute an attack through a software update, for example,” says Darren Thomson, head of cyber security and strategy at CyberCube.

It is a new and scary distribution model, particularly for organisations which rely on managed services providers (MSPs). For Thomson, July’s Kaseya attack in particular “sends shivers down [his] spine”.

In the case of the Independence Day weekend attack against Kaseya VSA, the REvil ransomware exploited a vulnerability in its software to target multiple MSPs and the companies they serve.

“What makes this one really interesting is the vendor’s internal networks were not breached,” says Thomson. “There were no breach to the Kaseya networks. Instead, vulnerabilities were discovered in the software and taken advantage of in around 50 managed service providers, which in turn were each serving hundreds of SMEs.”

“They attacked managed service networks but did not deploy ransomware at the MSPs. That would bring the MSP down, and they didn’t want that. What they wanted to do was use the MSP to spread the contagion to their customers.”

“So we almost have a supply chain attack within a supply chain, or a double-embedded supply chain attack where we see a software-supply chain breached within a service supply chain.”

Ransom demands were tailored to the size and ability to pay of each individual company, reflecting the sophistication of the attack. In total, around 1,500 firms were hit, with hackers also offering a “universal decryptor” to recover all victims’ files via a one-off payment of $70m.

Scaling it up

The potential for single points of failure to be found and exploited within cloud services is not as remote a threat as many cyber and information security risk managers might think.

With the shift towards hybrid working, continued acceleration of digitisation and adoption of cloud infrastructure, there is potential for severe risk accumulation. 

“If one of the big cloud providers goes down, all of the platform-as-a-service and software-as-a-service providers then follow suit, because their infrastructures have gone away,” says Thomson. “So there’s this domino effect and accumulation right down to the businesses that rely on multiple cloud applications.”

“Not all cloud providers are as robust as the really big ones,” he adds. “If we have single points of failure in a clients’ architecture and they disappear, then what does it mean for the businesses that rely on it?”

From a cyber security and defence perspective, one of the biggest issues is that organisations are not sharing enough information on attacks and near misses.

The underreporting of incidents is meanwhile benefiting cybercriminals, who themselves are constantly honing their craft, and increasing the risk of contagion.

“If the cyber defence industry were half as good at communicating with one another as criminals are we’d be in a different place,” says Thomson. “But it’s really hard to get a bunch of competing business leaders to talk to each other.”

“At CyberCube, when we’re analysing an attack, we’re always trying to be forward thinking. Not just what does this mean right now but what it could mean in the future.” 

“The criminals are learning all of the time from both their failures and successes. They are jumping on the coattails of successful attacks and we will do well, on the other side of the game, to learn some lessons from that, to share more and develop some common practice.”