Third-party intrusions, such as those recently at Twilio and Mailchimp, serve as yet another reminder of how quickly and how far supply-chain attacks can spread.
When an attack on one organization becomes a window for potential attacks on many, threat actors take notice and circle back for more. Unauthorized access is often gained through phishing and social engineering attacks.
Third-party vendor attacks are growing because of this amplification effect. The level of access or data open to potential exposure throughout the supply chain presents threat actors with a means to hit more targets with more consistency and success.
“Threat actors will use any available path to get into a company,” said Curtis Franklin, senior analyst at Omdia. “The great lesson should be there are no innocuous connections, there are no intrinsically safe partnerships.”
A phishing attack against Twilio impacted 125 customers, subsequently exposing the phone numbers and verification codes for 1,900 Signal users. When social engineering attacks compromised Mailchimp’s internal tooling, it identified 214 affected accounts, including DigitalOcean.
Third-party tools and services provide cybercriminals with an attack surface that can open extensive pathways. If the front or side doors of a large enterprise or other intended target are better defended, there might be a weak point in the vents.
“You know how in old movies you always smuggle things in and out of the prison in a laundry cart and a white van with no windows? That's the equivalent of what we are seeing here,” Chester Wisniewski, principal research scientist at Sophos, said in an email.
Finding those points of compromise often triggers opportunities for attacks downstream. Some supply-chain attacks are highly targeted against a specific organization while others are random, leading attackers to potential secondary targets after a link in the supply chain is compromised.
The highly-targeted approach
“Threat actors are patient and they are persistent,” Franklin said. “The moment they know more about your relationships and your automated processes than you do, you’re in serious danger.”
As seen in the recent digital identity supply chain attacks against Mailchimp and Twilio, threat actors can extend the potential target radius even further by focusing on email marketing providers or other commonly used services with large customer bases.
“In many cases the supply chain map is a way for attackers to hit their primary target by using third-party gaps to outflank the target and avoid frontal assaults that have proven futile,” Ron Westfall, senior analyst and research director at Futurum Research, said in an email.
Social-engineering attacks, including incidents at Twilio and Mailchimp, confirm the increasing levels of sophistication needed to execute downstream supply-chain breaches, he said.
These identity security and data access compromises exemplify how well some threat actors have mapped out third-party supply chains and why organizations need to better map out their third-party security risks, Westfall said.
Many companies are struggling to better protect their supply chains from third-party risk, let alone map out and assess every potential point of intrusion.
Managed service providers are another attractive target for potential dispersion, according to Tyler McLellan, senior principal threat analyst at Mandiant. “They may offer access directly into a victim, hold third-party data, or offer an opportunity to infect software in the supply chain providing indirect access to an organization’s clients,” he said in an email.
Maximum reward for minimum effort
Seemingly aimless attacks on third-party systems that snowball to others can be just as damaging for organizations and lucrative for threat actors.
Some of this spread comes down to luck and human behavior.
“Threat actors are people and people like to find shortcuts to maximize their reward for the minimum amount of effort,” McLellan said. “Targeting one organization that may provide access to data from other organizations offers a couple benefits. Besides the obvious potential access to multiple victims, there may be two parties to ransom with the same data.”
Some attacks on third-party vendors spread quickly because the campaigns don’t require much work.
“It’s not like they’re actively working,” said Alla Valente, senior analyst at Forrester. “They can kind of passively throw it out there and see who bites. And if you have multiple that bite, that’s even better.”
Many of these threat actors are getting lucky, she said, and perhaps even more so than they expected.