third-party risk

Canada Post Large Business Data Breach and Supply Chain Attacks

Update 2021-05-31

Linking to the official announcement by Canada Post.

Update 2021-05-28

The new player in town, Lorenz, has taken credit for the attack. It also appears that Commport Communications did not pay the ransom, which BleepingComputer estimates at between $500,000 and $700,000 for the Lorenz group. Like other newer groups, Lorenz has a public website on the Tor network that it uses to pressure victims into paying. The Commport Communications data, totaling 35.3 GB compressed, is now openly available for download via that website, which suggests that Commport refused to pay the ransom.

Interesting to note is the date on the upload. Commport previously disclosed an attack in November 2020, but did not believe any data to be compromised at that time. Apparently, they were wrong.

Commport Communications data available from the Lorenz public repository.

The Attack

Canada Post has announced a data breach of shipping manifest data associated with 44 of its large business users. The impact is recorded at more than 950,000 records relating to customers of those businesses. Shipping manifests contain sender and recipient information that usually includes names and addresses and, less often, email addresses and phone numbers.

According to CTV News, 97% of the records comprised names and addresses only, while the remaining 3% also contained an email address and/or a phone number. The attack occurred on May 19th, according to Commport Communications Inc.; however, the compromised data dates from between July 2016 and March 2019.

Apparently, Commport Communications Inc. notified Innovapost, Canada Post’s IT service provider, in November 2020 of a ransomware attack on the organization, but a review at that time determined that no Canada Post customer data had been leaked. I’d be interested in seeing the lessons learned from that attack, as well as the steps taken to prevent this type of incident from happening again.

At this time the May 19th event hasn’t been attributed to a specific attack vector, and it may not be related to the November 2020 ransomware attack at all.

Supply Chain Attacks

This very well could have been a crime of opportunity, as we don’t know whether any other data was stolen from the Commport Communications environment. Other than Canada Post, their website references work with companies such as Walmart, Pepsi, Coca-Cola, P&G, Lowe’s and even Amazon. Regardless of the original intent, this is what is known as a supply chain attack. A supply chain attack is an attack that targets a less-secure element of an organization’s ecosystem. This could be anything from an HVAC provider to a software vendor, or, yes, even an IT provider.

The 2020 SolarWinds attack was a series of supply chain attacks that led to suspected Russian state-sponsored actors, believed to be either the SVR or Cozy Bear (APT29), gaining access to a number of U.S. Government systems, including parts of the NSA and the Cybersecurity and Infrastructure Security Agency. Not to mention a number of private and public businesses and governments that we’ll never know about.

Supply chain attacks are the real deal, and they work because, as business owners, we often make the mistake of trusting the security and the systems of the third parties we do business with, which sometimes have elevated access within our own business systems. They’re also complex when carried out against an intended target, and are therefore oftentimes the mark of an APT (Advanced Persistent Threat).

The National Cyber Threat Assessment 2020 by the Canadian Centre for Cyber Security lists supply chain attacks as one of seven threats to Canadian financial and economic health.

Supply Chain Attack Risk Reduction

The issue here, of course, is that if we wish to build our businesses we must rely on third parties to provide things such as manufacturing, operations, financial services and support. Information and cybersecurity isn’t about making it difficult for the business to operate, it’s about creating opportunities!

A third-party risk program can be as complex or as simple as you need, but it is really all about governance around your vendors and suppliers. Develop processes and procedures for every transaction between your organization and your third parties, and ensure that staff are appropriately trained in executing and managing them.

By creating a vendor risk assessment, or by using one of the many available online, you can easily build a risk inventory of your vendors and suppliers that gives your business assurance that they are employing the necessary security controls. Some questions that you may find on such a form might be, “Does the 3rd party provide information security training to all employees, contractors, and vendors?”, and “Does the 3rd party employ firewalls at all points of network egress?”.

This isn’t a one-time process, unfortunately, and it should be reviewed and updated annually for maximum benefit. Both ISO 27001 and the CyberSecure Canada certification require reviews on an annual basis, so getting into the habit, and documenting that you’re doing it, can be very beneficial in the long term.

For further reading, the Canadian Centre for Cyber Security provides an excellent two-page PDF on Supply Chain Security.

How Hackers Use Free Software To Spread Malware

Bad Microsoft Store Downloads

In a world where the Covid-19 virus is dominating and forcing businesses to shutter or employees to work from home, technology companies are stepping up in a big way to offer many of their services and products at reduced or no cost. This has made the forced transition to a primarily remote workforce easier in so many regards, but it also adds an element of risk that some companies aren’t necessarily thinking about these days, and I can’t blame them.

To understand the risk that software introduces, it’s important to understand the multitude of ways that a bad actor can take advantage of companies offering free software to spread malware and possibly steal your data. When we talk about this type of risk we’re often talking about third-party risk. It’s third-party because you often don’t have the same control over the software as you would over something developed in house.

Understanding the Software Supply-Chain

If you look at any piece of enterprise software in 2020, it will almost certainly be built with a number of frameworks like .NET, Node.js, and Ruby on Rails. These frameworks can save thousands of hours of development time by providing libraries of predefined code. In using these frameworks, you are likely NOT reviewing the code yourself, but are relying on the developers of these libraries to ensure that vulnerabilities don’t exist in their code.

A real-world example of a supply-chain attack was the Target breach. A bad actor was able to take advantage of a flaw in the software of Target’s HVAC vendor. The vendor software running on the Target network had a vulnerability that allowed the bad actor to enter the network. Once inside the network, they only needed to find a way to move laterally to more important computers holding more important information.

Free Software Makes Supply-Chain Attacks Easier

I love free software as much as the next guy, just make sure that you’re getting it from an appropriate source. A quick search of Microsoft’s own Store brought up a number of free programs being peddled for cash (seen in the picture above). These are NOT official releases of this software, but they are certainly easier for any Windows user to find than the official releases. Here are the actual, safe links, for your information.

https://www.qbittorrent.org/
http://www.darkaudacity.com/
https://www.smplayer.info/
https://pwsafe.org/

There is simply no guarantee that the above publishers didn’t modify the software in some way that could track you or steal data. In so many cases these publishers use adware to make a quick buck.

Protecting Yourself

  • Track any third-party code or relationships to ensure that security releases are applied when appropriate. This might be as simple as an Excel spreadsheet or as complex as an entire third-party risk management department.
  • Always download software from official sources. A quick Google search for the software will often bring up the appropriate website as the first result.
  • Eliminate the human factor by providing employees with security awareness training on a regular basis.
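The first two points above made concrete, as an added example that is not part of the original post: a small inventory check that flags third-party components behind a security release and components obtained from somewhere other than the vendor's official site (the official hosts are the ones linked above; the inventory, advisory versions and checksum are constructed sample data).

```python
"""Third-party software inventory check (added example, not from the post)."""
import hashlib
from urllib.parse import urlparse

# Official download hosts, taken from the links in the post; anything else is rejected.
OFFICIAL_HOSTS = {
    "qbittorrent": "www.qbittorrent.org",
    "audacity": "www.darkaudacity.com",
    "smplayer": "www.smplayer.info",
    "passwordsafe": "pwsafe.org",
}

# Constructed sample inventory: what is installed and where it came from.
INVENTORY = [
    {"name": "qbittorrent", "version": "4.3.1",
     "source": "https://www.qbittorrent.org/download.php"},
    {"name": "passwordsafe", "version": "3.50",
     "source": "https://apps.example-store.test/pwsafe"},
]

# Constructed sample advisories: lowest version that carries the security fix.
SECURITY_RELEASES = {"qbittorrent": "4.3.3", "passwordsafe": "3.50"}


def parse_version(v):
    """Turn '4.3.1' into (4, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def official_source(name, url):
    """True only if the URL's host is exactly the vendor's official host (no look-alikes)."""
    return urlparse(url).hostname == OFFICIAL_HOSTS.get(name)


def verify_download(data, expected_sha256):
    """Compare a downloaded file's SHA-256 with the checksum the vendor publishes."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def review_inventory(inventory=INVENTORY, advisories=SECURITY_RELEASES):
    """Return findings: components behind a security release, or from an unofficial source."""
    findings = []
    for item in inventory:
        fixed = advisories.get(item["name"])
        if fixed and parse_version(item["version"]) < parse_version(fixed):
            findings.append(f"{item['name']} {item['version']} is behind security release {fixed}")
        if not official_source(item["name"], item["source"]):
            findings.append(f"{item['name']} was obtained from a non-official source: {item['source']}")
    return findings
```

Swap the constructed inventory for your own list (the spreadsheet the post mentions, exported as rows) and the advisory versions for the vendors' current security releases, and run it on each review cycle.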