The Security Ledger

Cisco warns of Internet of Things, Supply Chain Risk

Cisco Systems warned that companies need to do a better job monitoring IoT devices and third party software providers, as Internet of Things based botnets and supply chain attacks become more common.

Cisco Systems said that malicious actors and cyber adversaries are increasingly using insecure devices that are part of the Internet of Things to carry out online attacks and to cover their tracks while doing so.

In its annual cybersecurity report, released on Wednesday, Cisco warned that botnets based on Internet of Things devices are expanding and becoming automated. The connected devices also pose a threat to corporate security teams, which often fail to account for their presence on networks or actively manage the devices.

Supply chain attacks like the one used to spread the NotPetya malware could become more widespread in 2018, Cisco warned.

 

 

 

Supply chain attacks on the rise

The report cited the spread of destructive malware like WannaCry and NotPetya to warn that malicious software was quickly evolving and increasingly destructive. Noting the spread of NotPetya through malicious software updates for the Ukrainian finance software M.E. Docs and CCleaner, Cisco said that software supply chain attacks posed an increasing risk, as sophisticated attackers exploit lax security at third party software providers to gain a foothold on the networks of their customers.

“Supply chain attacks appear to be increasing in velocity and complexity. They can impact computers on a massive scale, and can persist for months or even years,” Cisco warned.

In a 12-month period from October 2016 to September 2017, Cisco researchers identified 40 vulnerabilities in third-party software libraries used by non-Cisco products, underscoring the “need to delve deeper into third-party solutions that provide the framework for many enterprise networks,” Cisco said. “Defenders should assume that third-party software libraries can be targets for attackers; it’s not enough to simply make sure the latest version of the software is running, or that no open CVEs (common vulnerabilities) have been reported.”

Still, identifying the attacks or likely targets is not easy, Frank Artes, a Security Architect at Cisco told Security Ledger. The company advises customers to be choosy about the software vendors they use: looking for vendors who emphasize security, publish notices of software vulnerabilities in their products and issue patches for those holes. Asking vendors to provide proof that they use a secure development lifecycle is another way to sort out security conscious vendors from those who lack secure software development acumen.

Cloud services abused

Cloud based services including Amazon Web Services, Google Docs, Twitter, GitHub and more were implicated in malicious command and control networks in 2017, Cisco said, predicting that attackers will preference these platforms in the future, as they are commonly used within organizations and can be overlooked.

[You might also be interested in “Researchers Warn of Physics-Based Attacks on Sensors]

Similarly, Cisco advised companies to be on the lookout for “leak paths” between sensitive, operational environments and business networks or even the public Internet. These can include connections back to cloud-based systems that can expose sensitive networks to remote attacks. Incidents in the last year, including the compromise of industrial control safety systems at facilities in the Middle East by the TRISIS malware underscore that risk.

Basic tasks left undone

While threats continue to evolve, companies continue to be hampered by well known and oft cited failings, said Artes. At the top of the list: software patching. Attacks in 2017 targeted known vulnerabilities in the Apache Struts platform as well as remotely exploitable holes in Windows systems. The failure of companies to address those holes led to compromises and contributed to the spread of malware such as WannaCry and NotPetya, Cisco noted.

“Malicious actors continue to target the inability of organizations to patch known vulnerabilities,” Artes said.