The Three Most Common Ways Bad Actors Target Your Digital Supply Chain
Written by: Black Kite
Syncing up with business partners is easier than ever in today’s digital supply chains. Digitization opens up new possibilities for productivity, but it also opens up new opportunities for threat actors to compromise organizations. Those compromises happen through one of the most coveted and discreet entryways for bad actors in today’s landscape: third parties.
Today’s attackers go for the weakest link. That makes supply chains – or rather, the weakest vendors in them – prime, juicy targets for any bad actors hungry for data. And guess what. It’s not just their data that’s compromised. It’s your data, too, because your vendors have access to it.
According to the 2022 Verizon Data Breach Investigations Report, 62% of system intrusion patterns involved threat actors compromising partners. Meanwhile, Black Kite’s research teams estimate that the average organization works with anywhere from 20 to 50 vendors. With a growing number of third parties to keep track of, it can be tough to know where to start when taking the temperature of their defense programs.
That’s where this guide comes in. While it’s true that the threat landscape is constantly evolving, there are a few surprisingly straightforward strategies that bad actors often use to compromise and create risk for digital supply chains. Here’s a breakdown of the top three methods bad actors use, how they use them, and what it could cost, so you – and your partners – can stay on the lookout.
Exploitation of Software and Critical Vulnerabilities
Exploiting software vulnerabilities is the number one method threat actors use to execute attacks and breaches. What exactly are software vulnerabilities? They’re weaknesses in third-party programs (like Microsoft Office or QuickBooks) you or your vendors use.
Here’s the thing about software vulnerabilities: They’re relatively common. According to The Stack, NIST’s National Vulnerability Database reported a record number of 26,448 Critical Vulnerability Exploits (or CVEs) in 2022. That’s roughly 20 new CVEs per minute. Even if your organization’s security teams are top-notch talent, there’s no guarantee your vendors have the same expertise.
CVEs IRL
Critical vulnerabilities don’t discriminate. They can affect software and tool providers of all levels, types, and sizes. Take what happened to WordPress for instance. In 2023, Bleeping Computer reported that a plugin flaw within the CMS compromised nearly 75,000 WordPress sites. This plugin was used on over 100,000 active sites, meaning that threat actors could easily exploit the vulnerability and compromise any organization using it.
That means any organization using that WordPress plugin could have had its data exposed to threat actors. Even though they weren’t directly hacked, WordPress’ vulnerability left thousands upon thousands of organizations vulnerable because they used the CMS.
But not all vulnerabilities are made equal. There’s one type of vulnerability bad actors covet above all: zero-days. These are vulnerabilities that are not yet detected (and therefore, not yet patched) by vendors.
That’s the major danger with zero-day attacks. Because they’re flying under the radar, bad actors can wreak havoc on a growing web of companies for days, weeks, and even months undetected. Once a vendor notices and releases a patch, future attacks can be mitigated – but the damage is often already done.
What It Could Cost You
Exploited vulnerabilities can cause serious financial damage to your organization in the long run. Regardless of whether your organization is responsible for a breach, you may still be subject to hefty fines. That’s exactly what happened to British Airways when a compromised third-party payment platform incurred a £128M fine. Even though the UK-based carrier’s cyberdefense systems weren’t to blame, it still exposed customer data through the third-party payment platform, making it technically liable.
Leaked Credentials
The second most popular method of attack for bad actors is finding and manipulating leaked credentials. Bad actors still use the classic password hack to breach servers and systems. Today’s password-hacking strategies include:
- Brute Force: When bad actors use brute force, they simply guess usernames and passwords until they crack the right credentials. It’s like running a slot machine repeatedly until you hit the jackpot – except they’re looking for credentials, not a row of sevens.
- Credential Stuffing: When attackers use credential stuffing, they collect already compromised usernames and passwords. Then, they create automated processes that inject this list of credentials into web applications on a large scale. Eventually, they’ll find the right username, password, and application match and gain access to an organization’s environment.
Credential stuffing is swiftly becoming a bad actor’s method of choice. It’s more efficient than using brute force and carries the potential of breaking into multiple servers, apps, and resources at once – after all, many organizations (and people, in general) use the same username and password combination in multiple places.
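Telling the two patterns apart in login logs is what a defender most needs here. The following is an added example, not Black Kite’s code: it runs over a few constructed log lines and labels each source as brute force (many failures against one account) or credential stuffing (about one failure each across many accounts), and lists any account that then logged in successfully from that source so it can be reset.

```python
from collections import defaultdict
# Constructed sample log lines (not real traffic): "<timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2023-01-05T10:00:01 203.0.113.7 alice FAIL
2023-01-05T10:00:02 203.0.113.7 bob FAIL
2023-01-05T10:00:02 203.0.113.7 carol FAIL
2023-01-05T10:00:03 203.0.113.7 dave FAIL
2023-01-05T10:00:03 203.0.113.7 erin FAIL
2023-01-05T10:00:04 203.0.113.7 frank OK
2023-01-05T10:01:00 198.51.100.9 admin FAIL
2023-01-05T10:01:01 198.51.100.9 admin FAIL
2023-01-05T10:01:01 198.51.100.9 admin FAIL
2023-01-05T10:01:02 198.51.100.9 admin FAIL
2023-01-05T10:01:02 198.51.100.9 admin FAIL
2023-01-05T10:05:00 192.0.2.44 grace OK
"""

def parse(log_text):
    """Parse the constructed log format into (ts, src_ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, src, user, result = parts
        events.append((ts, src, user, result == "OK"))
    return events

def classify_sources(events, fail_threshold=5):
    """Flag source IPs with >= fail_threshold failed logins.
    Brute force: many tries against few accounts. Credential stuffing: about one
    try per account across many accounts (a replayed leaked credential list).
    Successes from a flagged source are returned as 'hits' for account reset."""
    fails = defaultdict(list)   # src_ip -> usernames that failed
    hits = defaultdict(set)     # src_ip -> usernames that later succeeded
    for _, src, user, ok in events:
        if not ok:
            fails[src].append(user)
        elif src in fails:
            hits[src].add(user)
    findings = {}
    for src, users in fails.items():
        if len(users) < fail_threshold:
            continue
        distinct = len(set(users))
        label = "credential_stuffing" if len(users) / distinct < 2 else "brute_force"
        findings[src] = {"label": label, "failures": len(users),
                         "accounts": distinct, "hits": sorted(hits[src])}
    return findings
```

The threshold and the two-tries-per-account split are assumptions for the sample; in production they would be tuned against normal failure rates for the application.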
That’s what happened in late 2022 when a malicious hacker collected leaked PayPal credentials from various parts of the web. By using credential stuffing, they were able to compromise nearly 35,000 PayPal accounts in one fell swoop and get their eyes (and hands) on a huge payload of data. That included names, phone numbers, birth dates, addresses, tax ID numbers, and SSNs.
So what does that have to do with digital supply chains? Well, if any organizations were connected to or partnered with PayPal, their data would’ve been just as vulnerable.
Plus, credentials don’t have to be limited to the traditional username and password. In today’s digital landscape, they can also include API secrets – or the “passwords” to APIs – a rising target for threat actors across the globe. According to a 2022 report cited in Security Week, 53% of organizations have already experienced an API breach. What’s the major cause of these breaches? Usually, leaked credentials.
What It Could Cost You
Practicing good password security sounds pretty table stakes. But credentials remain a prime target for threat actors, and leaked credentials of any kind can incur a hefty cost. API security platform Imperva reported that the annual cost of API breaches alone can reach up to $23 billion in the U.S. With an over 50% chance of incurring that price tag, organizations cannot push their luck by neglecting digital supply chain risk.
Vulnerable Critical Ports
Ports are another prime target for bad actors looking to breach systems. These are where operating systems connect to networks and other services – basically how servers go live and “online.” According to Bleeping Computer, most digital supply chain attacks target the following ports:
- SSH: Secure Shell, which connects a local host to a remote host and allows computers to communicate and share data.
- HTTP: Hypertext Transfer Protocol, which holds a set of rules for transferring files over the internet.
- HTTPS: Hypertext Transfer Protocol Secure, a more secure version of HTTP.
When bad actors successfully breach a port, they have direct access to an organization’s network. That makes it likely that they’ll break into other systems and servers.
When are ports most vulnerable? When they’re insufficiently protected, misconfigured, or left unpatched when vulnerabilities are discovered. While many organizations follow patching best practices, some issues are literally impossible to patch. That’s because the services they’re using might be so old that there won’t even be a patch developed for them.
Take Cisco’s 2021 HTTP vulnerability, for instance. The tech giant revealed early in 2023 that it “has not and will not release software updates” for four of its business routers with known HTTP vulnerabilities.
What does that mean for organizations hoping to keep their digital supply chains secure? They have to be sure that their resources are still supported and that those of their vendors are as well.
What It Could Cost You
An open or vulnerable port is like leaving your door wide open for bad actors to come through. Bad actors often use port vulnerabilities to carry out Deliberate Denial of Service (or DDoS) attacks, which disrupt traffic to servers and networks by flooding the target with information. These attacks on vulnerable ports can pack a mighty punch, with Indusface reporting that Bandwidth Inc. lost over $12 million in 2021 to a DDoS attack.
Double Down on Digital Supply Chain Defense
Bad actors are no dummies. If your cybersecurity program is in tip-top shape, chances are that they’ll see that and move on to other, more vulnerable targets. However, those vulnerable targets might be vendors and partners directly attached to your network.
No matter how strong your defense is, your organization is only as protected as its weakest link. If that weak link happens to be one of your vendors or partners, that can spell bad news. Digital supply chain security is not just about your company – it’s about you and all the other companies attached to it.
An organization must leverage continuous monitoring, or 24/7 “health checks,” on all the networks it touches – not just its own. That way, it can rise above the chaos of today’s threat landscape.
While continuously monitoring the major players in your partner network is essential, don’t forget to keep an eye on the little guy. Here’s why the smaller partners in your third-party risk ecosystem need a closer look, too.