Third-party attacks increase as attackers target software connections

Third-party intrusions, such as those recently Twilio and MailChimpagain serve as a reminder of how quickly and how far supply chain attacks can spread.

When an attack on one organization becomes a window for potential attacks on many, threat actors notice and come back for more. Unauthorized access is often obtained through phishing attacks and social engineering.

Attacks from third-party vendors are increasing due to this amplification effect. The level of access or open data to potential exposure throughout the supply chain gives threat actors a way to hit more targets with more consistency and success.

“Threat actors will use any available path to enter a business,” said Curtis Franklin, principal analyst at Omdia. “The big lesson should be that there are no harmless connections, there are no inherently safe partnerships.”

A phishing attack against Twilio affected 125 customers, subsequently exposing phone numbers and verification codes for 1,900 Signal users. When social engineering attacks compromised Mailchimp’s internal tools, it identified 214 accounts concernedincluding DigitalOcean.

Third-party tools and services provide cybercriminals with an attack surface that can open up vast avenues. If the front or side doors of a large business or other intended target are better defended, there may be a weak spot in the vents.

“You know how in old movies you always smuggle things in and out of the prison in a laundry cart and a white van with no windows? That’s the equivalent of what we see here,” Chester Wisniewski, principal researcher at Sophos, said in an email.

Finding these compromise points often triggers opportunities for downstream attacks. Some supply chain attacks are highly targeted against a specific organization while others are random, leading attackers to potential secondary targets after a link in the supply chain is compromised.

The highly targeted approach

“Threat actors are patient and they are persistent,” Franklin said. “As soon as they know more about your relationships and your automated processes than you do, you are in grave danger.”

As seen in the recent digital identity supply chain attacks against Mailchimp and Twilio, threat actors can extend the potential target radius even further by focusing on email marketing providers or other commonly used services with large customer bases.

“In many cases, the supply chain map is a way for attackers to reach their primary target by using third-party gaps to outflank the target and avoid frontal assaults that have proven futile,” said Ron Westfall, principal analyst and director of research at Futurum Research, said in an email.

Social engineering attacks, including incidents at Twilio and Mailchimp, confirm the increasing levels of sophistication needed to execute downstream supply chain breaches, he said.

These identity and data access security compromises illustrate how well some threat actors have mapped third-party supply chains and why organizations need to better map their third-party security risks, Westfall said..

Many companies are working to better protect their supply chains from third-party risk, not to mention map and assess every potential point of intrusion.

Managed service providers are another attractive target for potential dispersion, according to Tyler McLellan, senior principal threat analyst at Mandiant. “They can offer direct access to a victim, hold third-party data, or offer the ability to infect software in the supply chain that provides indirect access to an organization’s customers,” he said in an email.

Maximum reward for minimum effort

Seemingly aimless attacks on third-party systems that snowball others can be just as damaging to organizations and lucrative to threat actors.

Some of this spread is due to luck and human behavior.

“Threat actors are people, and people like to find shortcuts to maximize their reward for the minimum of effort,” McLellan said. “Targeting an organization that can provide access to other organizations’ data offers a few advantages. Besides the obvious potential access to multiple victims, there can be two parties to ransom with the same data.

Some attacks against third-party vendors spread quickly because campaigns don’t require a lot of work.

“It’s not like they’re actively working,” said Alla Valente, senior analyst at Forrester. “They can kind of passively throw it over there and see who bites. And if you have more than one, even better.

Many of these threat actors are lucky, she said, and maybe even more so than they expected.