ROUNDTABLE: Targeting the supply-chain: SolarWinds, then Mimecast and now UScellular

It’s only February, and 2021 already is rapidly shaping up to be the year of supply-chain hacks.

The latest twist: mobile network operator UScellular on Jan. 21 disclosed how cybercriminals broke into its Customer Relationship Management (CRM) platform as a gateway to compromise the cell phones of an undisclosed number of the telecom giant’s customers.

This bad news from UScellular follows similarly troubling disclosures from networking software supplier SolarWinds and from email security vendor Mimecast.


The SolarWinds hack came to light in mid-December and has since become a red hot topic in the global cybersecurity community.

Meanwhile, Mimecast followed its Jan. 12 disclosure of a digital certificate compromise with a Jan. 26 posting confirming that the compromise was at the hands of the same nation-state threat group behind the SolarWinds hack and subsequent attacks on various technology companies and federal government agencies.

And now UScellular admits that it detected its network breach on Jan. 6, some two days after the attackers gained unauthorized access. The intruders got in by tricking UScellular retail store employees into downloading malicious software on store computers.

The attackers thus gained remote access to the CRM systems running on the store computers – and a foothold to access customers’ wireless phone numbers and associated account information.

These three high-profile hacks, disclosed within days of each other, have signaled to the cybersecurity community that established digital services suppliers are getting targeted, not necessarily as the end game, but as the weak link in an interconnected supply chain.

There are many reasons to expect supply chain hacks to intensify in the weeks and months ahead. We are in a phase where these hacks are sure to escalate, as threat actors move to take full advantage before the corporate sector eventually shores things up.

Last Watchdog gathered observations from a round table of cybersecurity thought leaders. Here’s what concerns them in the weeks and months just ahead:

Saryu Nayyar, CEO, Gurucul

Attacks like this are unfortunately frequent and even well-intentioned, well-trained users can fall victim to a clever attack. Once the attacker is in, they can find data on other employees or customers that they can leverage into further attacks. Eventually they reach whatever goal they’re after unless the chain’s broken before reaching its conclusion.

UScellular apparently discovered this reasonably quickly and took appropriate measures before filing the breach notification. Quick response and warning their customers is good, but the whole incident is a reminder that we can all be vulnerable and need to stay vigilant against clever attackers.

We may think we know how to recognize a social engineering attack or phishing email, but with the amount of information available to attackers through open platforms and stolen information, they may know far more about us than we realize. That will let them craft very sophisticated attacks, which can be hard to identify and resist.

Andy Oehler, VP of Product Management, Zentry Security 

The challenge of providing enterprise-class security to a distributed workforce is daunting and there are no silver bullets. However, this type of breach underscores the need for an integrated approach to corporate security. For instance, the combination of Zero Trust Network Access solutions, which provide enhanced security between users, their computers and corporate applications, combined with capabilities offered through traditional Data Loss Prevention solutions, would minimize the chance of large-scale data exfiltration and safeguard a customer’s PII.

Chloé Messdaghi, VP of Strategy, Point3 Security

As this breach shows us, it’s possible for someone to gain access to an individual’s 2FA, so it’s important to use a verification app, such as Google Authenticator. Verification apps are usually free, and they’re great to have because they give you a little bit more safety and extra precaution. Having long passwords and a password manager can also add additional layers of security and protect you as a customer.

In this case of UScellular, rather than asking for ransom from the company, the criminals got access to the database and then can go after the individuals with attempts to phish for bank and credit card information. And since the majority of the population doesn’t know what phishing is, or how it works, this is still a highly successful attack scheme.

One thing individuals should always keep an eye on is to make sure they aren’t using two-factor via SMS text messaging. I always recommend, if there’s an option with multi-factor authentication, to NOT go by SMS. Always look for an alternative option for verification other than SMS to help avoid getting phished and someone gaining access to your 2FA codes.

Bill Santos, President and COO, Cerberus Sentinel

While technology is an important element of a cyber defense plan, this situation again highlights the equal importance of culture and security awareness within an organization.  The end-user remains the “weakest link” within an organization; proper training, assessment, and reinforcement are an essential part of any security and compliance strategy.

Brad Mackenzie, CEO, Clear Skies 

Organizations should design access controls for all users using the Principle of Least Privilege. This helps to ensure exposure is reduced as much as possible if a breach occurs.  Operationally this requires employees to have the minimum amount of access to network resources, applications, and databases essential for their role in an organization.  Alerting and counter-measures like Data Loss Protection (DLP) should trigger on anomalous behavior like scraping large amounts of data from a database.

Garret F. Grajek, CEO, YouAttest

The SolarWinds attack was enlightening and novel. It showed the magnitude of effort hackers will go to exfiltrate assets from the target. They compromised an existing tool to penetrate and reside in the enterprise system. But once in, the mechanism follows the usual patterns of the attack chain, including obtaining privileges to accounts that allowed them to stay resident and communicating with their remote servers. Our systems need to be able to monitor accounts, their privileges and their usage – to detect anomalous privileges and activities of these accounts.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-targeting-the-supply-chain-solarwinds-hacked-then-mimecast-and-now-us-cellular/