Supply Chain Attacks are becoming more common in the wild, and basic steps can be taken to mitigate the risks and secure your business and its assets. Supply Chain Risks come in different forms: the software shipped inside a consumer product may have been compromised, or the suppliers themselves may have suffered a Cyber Security Incident, resulting in system downtime and reduced services for their customers, or in data breaches.
Supply Chain Risks are not easily mitigated on your own, as the fault will more than likely lie further down the Supply Chain rather than with you. However, securing your accounts, devices and business data does protect you from the array of lateral attacks that can follow a supplier compromise, such as Credential Stuffing.
In recent news, an API Vulnerability has been discovered that affects at least 16 major car brands. Cybersecurity researcher Sam Curry found a surprising number of vulnerabilities in Electric/Hybrid Vehicles and their respective Mobile Applications. He found that the manufacturers’ API endpoints all operated with extremely similar functionality, meaning that if a vulnerability was found in one API, there was a good chance the same vulnerability would be found in another.
Car companies with tested and working vulnerabilities include Ford, Ferrari, BMW, Honda, Mercedes-Benz, Land Rover and Porsche. Not all companies shared the same vulnerabilities: BMW, for example, had SSO vulnerabilities that gave an attacker access to internal dealer portals, where the attacker could obtain sales documents containing sensitive information.
Mercedes-Benz had a similar SSO vulnerability, but the lateral movement an attacker could make was potentially much more damaging: the attacker could access GitHub instances for internal Mercedes-Benz operations and applications, the cloud deployment services used to manage cloud storage, and potentially achieve Remote Code Execution across their environment.
Another API vulnerability affecting some car companies resulted in full remote access to the vehicle, granting the attacker the ability to remotely lock the vehicle, start and stop the engine, honk the horn, flash the headlights, and obtain GPS data to precisely locate the vehicle.
The above is an example of a third-party software supplier failing to uphold a high level of application security testing, resulting in Supply Chain Security Incidents and the potential for detrimental attack vectors to be pursued by a threat actor. The National Cyber Security Centre (NCSC) in the UK released guidance on Supply Chain attacks around the same time that malicious groups were targeting the third-party suppliers of European companies, particularly in the Energy Sector.
It recommended reviewing the Supply Chain process regularly, for the security of your customers’ data and of your own internal systems. There are several internal steps companies can take to mitigate the knock-on effect a Supply Chain Security Incident could have on the company’s environment.
As mentioned above, one of the security vulnerabilities was a poorly configured SSO environment, which allowed the threat actor to gain account-level access with the ability to view and edit sensitive information. This can be viewed as a basic oversight that resulted in a detrimental outcome.
Companies can seek to become compliant and aligned with current Cyber Security recommendations and guidelines by pursuing the Cyber Essentials certification. Cyber Essentials provides a strong baseline for companies to begin to build and bolster their internal security practices, as well as seeking to protect all company and customer data across corporate devices.
At Texaport, we understand the importance of these advancements, and we work with our clients to put a reliable system in place to improve their business efficiency. Our team has a wide range of IT knowledge and remains acquainted with the movements in the IT industry. Find out more here.