Exploit Tools and Targets: Enhance Third-Party Risk Management to Mitigate Multi-Targeted Approach
Third-party attacks, or supply chain attacks, occur when a trusted software, vendor, or other external company property or personnel is the victim of a cyber-attack that may directly impact the partnered organization (1). One of the most recent and notorious third-party attacks was the SolarWinds compromise, which allowed access to commercial and government data through network security software. The malicious activity, which was initially discovered by FireEye, breached SolarWinds’ security several months before discovery (1). After that, the Log4j vulnerability allowed several compromises through the Apache vendor's direct connection to enterprises (1); many other notable third-party breaches affected various sectors without any clear target industry, but rather opportunistic strategies (2).
Threat actors are using multi-targeted approaches by utilizing banks, point of sale systems, or other institutions, with no clear patterns between targeted industry, to infect Microsoft 365 and other key applications. This approach requires analysts to enhance their third-party risk management by creating a new crisis management plan that incorporates information security professional consulting resources that can perform a non-bias assessment of an organization's supply chain network connections and recommendations. Consumers need to know who the immediate vendor-side contact is in case of a security incident involving essential software used by the organization. The vendor should know if an organization is impacted by a breach from their side, as well as notifications from the other way around, but may not immediately let the company know unless direct contact is made. Identifying the network design and where APIs (application programming interfaces) or segmentation can take place between vendors and critical company assets would significantly decrease overall risk.
New and Noteworthy: The Post-Quantum Encryption Proof of Concepts Leave Room for More Progress in Cryptography
Proof of concepts for cyber-attacks using post-quantum computing algorithms is showing success after the Computer Security and Industrial Cryptography group (CSIS) was able to decipher in one hour the algorithm SIKE (Supersingular Isogeny Key Encapsulation), used by the National Institute of Standards and Technology as their post-quantum encryption algorithm (3). The hack was performed on a “classical computer” using the mathematical algorithms of a 1977 “glue-and-spit" theorem (3). Microsoft is actively rewarding “bug bounties” at a rate of about 50,000 USD per hack for those that can break through their quantum world encryptions (5). So far, the CSIS group has been the most publicly successful and shared the code and details of the hack on their Intel Xeon CPU E5-2630v2, 2.60 GHz processor (5). For more information on the exact algorithms used and technical deep dive, please read the SIKE authors' scholarly article “TOWARDS QUANTUM-RESISTANT CRYPTOSYSTEMS FROM SUPERSINGULAR ELLIPTIC CURVE ISOGENIES” by Luca De Feo, David Jao, and Jerome Plut (6).
The existence of quantum computing may be up for debate, but the concepts behind quantum encryption are a broadly discussed and tested topic amongst the cyber groups. The suggested post-quantum algorithms are showing progress through peer testing and research. So far there is insufficient research to assume an immediate need for corporations to switch to the new NIST standard algorithms as they have not passed through the security measures needed to verify higher confidence of protection than what is currently the standard. The facts are that the US Federal Bureau of Investigation (FBI) reported 847,376 cyber incidents in 2021 that totaled 7 billion USD in losses (4). The key goals in preparing security teams for the quantum world are to normalize securing infrastructure by removing legacy systems or networks within corporations and to prepare for incident response by consistently updating all network maps to stop an attack once encryption algorithms fail.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
Please refer to our support page for guidance on how to access the feeds.