Hopping Madness

It looks like using third-party supplier connectivity to breach customers is very much back in the picture with the announcement that the technique is being actively used to attack a number of organisations, specifically those which themselves also have access to lots of third-party data, and more interestingly providers of eGift cards and schemes, i.e. anything that can quickly be turned into cash.

What will almost certainly turn out to be the thin end of this wedge came to light earlier this week, when security researchers working for customers of the enormous Indian outsourcer Wipro contacted the esteemed, may his name not be used in vain, Brian Krebs, to say that Wipro was dealing with a multi-month intrusion in which its servers had been identified as jumping-off points for what would appear to be phishing attacks.

Now this will almost certainly be ringing very loud bells amongst all of you security pros out there who will recall the PwC and BAE Systems report back in 2017 which fingered an outfit called APT10, widely acknowledged to be state-sponsored actors, in this case Chinese.

Having requested information from Wipro and received the usual stonewalling (your lips are moving, but I am not listening to you, etc.) and oblique answers, Mr Krebs took it upon himself to research further and has exposed a whole load of Indicators Of Compromise, one of which is the use of the infamous Russian hosting outfit King Servers. Krebs also points out that other service providers are under attack by the same outfit; no surprise there.

Now this doesn’t mean that the Russians are directly involved. Countries that need to convert stolen data/materiel to cash quickly tend to be those who have currency exchange issues and large bills to pay, for instance for nuclear or rocket parts, but time will tell. The whole thing does make very interesting reading though and may well get you out of the inevitable family Easter walk.

Those of us who have used these big outsourcers will know that it is sometimes very difficult to get them to do a proper job of patching and other governance on systems they are paid to maintain. One can only wonder what order their own houses are in.

Another week, another series of Facebook blunders, which must now be approaching the peak of sinister or incompetent at which something will have to be done about it.

Following on from last week’s revelation that hundreds of millions of Facebook users’ passwords were kept in plaintext (but not abused, oh no), Instagram has just made a similar announcement, revealing that millions of its users’ passwords had also been stored in the buff, but, you guessed it, ‘its investigation revealed that the stored passwords were never “abused or improperly accessed” by any of its employees’. Blow us down with a feather.

As if that weren’t bad enough, the mighty Zuckbook admitted this week that it had ‘unintentionally uploaded email contacts from up to 1.5 million new users on its servers, without their consent or knowledge, since May 2016’.

With these continued and persistent howlers and the platform being used seemingly without sanction or control as a tool to influence democracy, push may well come to shove sooner rather than later.

If you haven’t yet done so, we recommend you have a look at Carole Cadwalladr’s TED talk on the subject of social media’s threat to democracy, reported here, with the actual recording here. Good luck to her with the Pulitzer Prize.

Unless you have been hiding in a cupboard for the last 12 months, you will no doubt be aware that ITC is taking the subject of third-party risk very seriously. Not only that, but we have the skills and technology to identify Indicators Of Compromise in your estates and help you deal with anything nasty that turns up.

Our team would be more than happy to assist you, contact us at: [email protected] or call 020 7517 3900.

Have a very enjoyable Easter break. We hope that the only hopping you experience is that of the Easter Bunny delivering chocolate.