Supply chain security is becoming a regular discussion due to some major issues that have occurred this year. We have talked many times about vetting business associates. When people talk about supply chain security it isn’t just the business associate you contract with you have to worry about. It is all the vendors that they use. Today we are going to review 3 supply chain stories that explain how complex your supply chain unbeknownst to you.
3 Supply Chain Security Stories
All businesses use vendors for something to run their business. Those services include vendors for software, hardware, networking, administrative assistance, financials, and much more. The small businesses and the large enterprises all need these tools to make their wheels turn. Those vendors are also small businesses to large enterprises. In today’s connected world we are very intertwined in ways we often don’t understand.
Let’s review these three stories for a glimpse into how complex these relationships can be and how much risk they can add to your business. Also, all of those folks who think phishing tests aren’t worth it should note that all of these stories either definitely are almost certainly involve someone with major tech skills falling for a phishing attempt. I would find it hard to argue that you should invest in phishing tests for security training even if you don’t do much else.
Microsoft Outlook.com Tech Support Breach
Microsoft admits Outlook.com hackers were able to access emails. The security breach was worse for some than others. Yes, that is the headline. You read it correctly. Apparently, a Microsoft tech support agent fell for a phishing scam that allowed hackers to capture the reps credentials. They had access to the email systems that the agent had access to support including Outlook.com, Hotmail.com, and MSN.com accounts. This access went on from Jan 1, 2019 until March 28. Not long, right? No one is worried about things like W2s or other tax statements during that time, right?
In the initial breach notifications from Microsoft to the users they determine were affected by the incident, they said there was an account issue that allowed access to some of the data in the email account by someone outside of Microsoft. There are all kinds of conflicting information coming out about it from a wide variety of sources, however. Some say Microsoft knows that some accounts were completely accessible even though the notification says the hackers could only see the subject and other header information.
Fortunately, this tech who fell for phishing had access only to the consumer email servers. At first, that provides a sigh of relief to many of us. However, how many times do we see small companies using these “free” email services for business email use. The owner has had that Hotmail account since they first got an email address and doesn’t want to let go of it. I can’t begin to count how many conversations we have had trying to get someone to use a business email account to conduct business.
Who thinks that tech support agents will fall for phishing? We should all think it is not only possible but likely. If your email address is out there connecting you with this kind of job you are a target, plain and simple. If you think it is ok to use those consumer accounts for business you should pay attention here. At least for the corporate accounts, this time, they were not involved. Using Microsoft should not be a supply chain security issue in many people’s minds. That is just wrong. Plain wrong.
Verint Systems Inc. Ransomware Attack
Verint is “a global provider of Actionable Intelligence® solutions”. On April 16th, they were hit with a ransomware attack. According to their recent PR statement they “quickly identified and remediated the attack, and fully restored Verint’s IT services in less than 24 hours without any impact to customers or partners.”
This story points out that no one is immune when it comes to issues with supply chain security. You must assume you will be hit and you should expect the same from your vendors. All of those folks that say we are too small, you can bet that a cybersecurity firm also thinks they are so secure it won’t happen to them. Well, we can tell by their apparent quick response to the problem they are prepared. That means they do not assume they won’t get hit. They are paranoid about it like we are here.
I am always reminding our team, and sometimes they remind me, that we could be a bigger target just because of what we do. Just like healthcare is a valuable target, companies that take care of healthcare businesses are also a target. Just like everything else in business it is as much about who you are connected to as it is what skills you have on your resume.
I shared this story because it did happen and it did get addressed quickly with as much transparency as you would expect from a company that provides “Actionable Intelligence solutions”. That is a good thing because the last story is so far off base from this one we needed to soften the blow.
Wipro Hack Stories Keep Coming
This one is really tricky. Plus, it goes much further than either of the other two combined. This case hits on so many issues it is a bit overwhelming when you start to think how big it could become.
This is the kind of case that makes me worry about all the overconfidence we see with tech people. They never think it will happen to them. Yes, it isn’t just the owners of small companies who think it won’t happen. It is the tech teams of large companies and even worse, the more techie the company often the more overconfident.
This one news came in a report by Krebs on Security. Wipro is an Indian IT outsourcing and consulting company that is huge. We are talking about claims of 170,000 employees across 6 continents with clients in healthcare, banking, communications and more with over $8 billion in revenue claims in 2018.
The story in Krebs came out on April 15. Here is how it started:
Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.
The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.
I have been following it as much as possible but there are lots of twists and turns. It is important to share a few important parts of the story we know so far.
First, according to the Krebs article, WiPro basically blew them off when they called to ask about the tips. They kept putting them off and Krebs kept getting more sources telling him what was happening. He heard through his sources that things were clearly amiss even if WiPro basically continued to ignore his questions:
The other source said Wipro is now in the process of building out a new private email network because the intruders were thought to have compromised Wipro’s corporate email system for some time. The source also said Wipro is now telling concerned clients about specific “indicators of compromise,” telltale clues about tactics, tools, and procedures used by the bad guys that might signify an attempted or successful intrusion.
What the what!! They are trying to keep something like this a secret? That is just great, especially when you read further that they are in multiple disputes and lawsuits concerning WiPro’s work. Including an abruptly canceled contact last year with the State of Nebraska’s Medicaid enrollment project. Keeping these secrets only makes it more likely that others are hit because you are covering it up.
They did eventually fess up and report they had a problem and a security firm had been brought in to investigate. WiPro has claimed that the attack was “an “advanced phishing campaign” against “a few” of its employees.” Updated articles by Krebs shared more details that make that sound like an understatement. Some might even call it an attempt to minimize a major issue. Krebs articles included this one statement which is particularly important to us here:
There you go, it is time to bring this thing back home now. ScreenConnect is a tool that many IT companies use to support their clients. In fact, it is one we talked about recently where the very same vendor supposedly opened up MSPs for potential hacks against their clients. ConnectWise is a huge name in the managed services business. Now we see articles like THE WIPRO BREACH & HOW TO STAY PROTECTED WHEN YOUR MANAGED SERVICES PROVIDER (MSP) GETS HACKED. ConnectWise came out with a statement about their security from the CEO: Connectwise CEO Defends Security Stance In Wake Of Wipro Breach.
When you read about this case in Forbes then it is clear more folks need to understand what all of this means. The bottom line is you can’t just assume that when Chinese or North Korean hackers hit an Indian tech company you are not at risk. It could be any company impacted anywhere in the world.
The bottom line still returns to “you don’t have to be faster than the bear, just faster than the other guy running from the bear”. Never assume that you don’t need to use every security safeguard and double check it regularly. Especially if you are a vendor. Your client base impacts a large number of businesses when you are successful. You can bet the reputation of WiPro has taken a huge hit that they won’t fully realize for a year or more to come.