Common SMB mistakes: The supply-chain attack

September 28, 2018

Bill doesn’t like morning calls. It’s not that he’s lazy; he just thinks that work should begin once one’s emotional balance has been restored after the mayhem of the morning commute — and certainly not before the second cup of coffee. But the phone’s been ringing non-stop.

“Give me a break! Don’t people know it’s rude to hang up after three rings! No respect! What if I’m busy with something important?” grumbles Bill, trying to dig out his phone from under a pile on his desk as it rings again.

“Bill, my flash drive isn’t loading,” the layout designer whines over the phone.

“That’s because I disabled all the ports on your machine ages ago! You know all files have to be loaded through a secure computer — talk to Albert. If I had my way, I’d cut you off from the Internet!” he responds, adding silently to himself, “and I’d rip your arms off as well.”

“I know, I know! But it’s not just me — it won’t load on anyone’s computer! Please help, it’s a really important task. We have to change the layout quick or they’ll kill me. Albert won’t be back till after lunch.”

“Dwight, we agreed that all tasks go through Albert, all documents go through his computer. It’s the only one in the department with antivirus. Anyway, who suddenly gave you files on a flash drive?”

“Christine did. She asked me to make some urgent corrections to the layout of the leaflet. It needs to be printed ASAP. She’ll kill me if it’s not done pronto, she doesn’t care if Al’s not around. You know what she’s like.”

“Your flash drives will be the death of me. Fine, I’ll be right there.”

Bill hangs up and looks thoughtfully at the ceiling. Yeah, their boss is a dragon, all right — and she couldn’t care less about conventions like the procedure for transferring files from external sources. The sysadmin stands up, stretches, puts his laptop under his arm, and heads toward the design area.

Case study: Agency supply chain attack

The owners of the Magenta Elk advertising agency consider themselves pretty sharp. From its beginnings as a family design studio, ME has grown into a company with almost 100 employees. Now it has a whole department of designers, a creative director able to hit the spot with even the most delusional client, a Web development department, and even its own small printing house (also a former small business, acquired three years ago). Among its clients are several major international companies that trust the agency to handle their advertising campaigns.

But the owners never found the resources for a halfway-decent IT department. Bill manages all equipment; he repaired computers as an on-call handyman before being hired a few years ago. He never managed to persuade the owners to take on at least one more member of staff to help out.

“Give me your flash drive!” growls Bill, opening his laptop as he approaches. “What can’t you read here? Everything’s working on my machine. Drivers are installing…scan, you bet…open…here’s the project folder.”

At this point, the antivirus displays a red window: “Malicious object Trojan.downloader.thirdeye.n was detected.” Bill gapes at the screen.

“Dwight, what the hell is this?! Did you try to open this anywhere else?” Bill jabs a finger at the file Layout_corrections.docx.exe.

“Well, how else would I know what changes to make? I tried, but it wouldn’t open at all. I clicked and nothing happened.”

“Can’t you see it’s not even a document?! The extension is EXE!”

“I can’t see any extensions! I can see the icon and the name. Why are you shouting at me? All I did was try to open Christine’s file!”

“Makes sense, I guess. The extensions of known files aren’t shown,” muses Bill. “All right, let’s stay calm: Which machines did you try to read it on?”

“Well, on Anna Miller’s, in accounting. On the photographer’s laptop. And there was Lena from logistics. And Tom from Web dev. And Kate…what’s wrong, is it a virus? It’s not my fault! Maybe the photographer had an infection!”

“This isn’t just any virus — it’s a Trojan tailor-made for you! It doesn’t just infect random machines; someone put it on this flash drive specifically!” Bill logs in to the Web interface of the router to isolate the computers mentioned. “By the way, where did you get Christine’s password? She left yesterday for a business trip.”

“It’s on a piece of paper under her keyboard — everyone knows that…” mumbles the layout designer, still on the defensive. “I didn’t take it home or anything, I only found it yesterday!”

“What do you mean, ‘found’?” says a startled Bill.

“Well, I mean she left it for me at reception with a note saying to fix the layout ASAP.”

“Are you out of your mind? Christine was here almost all day yesterday. Why the hell would she need to leave a flash drive with instructions on a sticky note? Does she leave you notes a lot? You know she prefers to talk face-to-face. And she’d just upload the files to the server! Oh crap, the server!” Bill starts tapping the keyboard again. “Anyone can leave anything at reception. What time did it happen, exactly?”

“Well, I don’t know. It was evening and I was about to leave, then Yvonne said that someone had left me an envelope with a flash drive. She was on her way out for a bite, but she didn’t see who it was. I came back, tried it on Anna’s laptop and on Christine’s, then — well, you know the rest.”

“Dwight, you understand that someone — ” the tirade is interrupted by a mobile call. It’s the CEO. “I’ve got a bad feeling about this….”

“What’s up? Why aren’t you at your desk?” inquires the short-tempered CEO.

“Sorry, the designers have a problem. Someone left a USB flash drive — ”

“Forget the designers,” interrupts the CEO. “I just got a call from Österberg & Jones. Their website has been seeding viruses since last night. We’re the only other people who had access to the site — for updating banners. I need proof it wasn’t us. Assuming it wasn’t us.”

“Umm. Who was it who had access?” asks Bill, growing cold.

“Don’t know, exactly. A couple of Web dev guys; they did the site. Maybe Dwight. Christine for sure — it’s her client, and you know she loves having control over everything.”

“Mmmm…here’s the thing…” Viktor’s voice suddenly drops. “Actually, I think it was us.”

“Well, we’re screwed. They’re threatening lawsuits. If it’s us, then we have a lot of explaining to do. I need a detailed analysis by end of day. If you need outside experts for the investigation, let me know right now. I need a full, honest report in hand when I go crawling to Österberg & Jones. Now give me a quick rundown. What the hell happened?”

“Looks like someone deliberately hit us with an infected flash drive. Österberg & Jones was probably the real target. You know how security is. I do what I can, but we’re a little short on equipment, people, materials…. Even the antivirus isn’t — ”

“OK, OK, I get it. That’s your polite way of saying I’m an idiot. You’ll get your staff, and antivirus for everyone. If we survive this. Which I very much doubt.”

Lessons

  • The company’s procedure for working with files from external sources is perfectly good and proper. But it is not followed, because some employees believe that a task is more important than security. In reality, security should have a higher priority than even direct orders from management.
  • Too many people can access partner resources, a problem made worse by the fact that no one knows exactly who has access. Ideally, this information should be known by one employee, maximum two. Moreover, access credentials should be required for every login. Saving them in the browser is an extremely bad idea, as is accessing the site from an unprotected computer.
  • Passwords written on paper and stuck under the keyboard may sound ludicrous, but it’s actually quite common at many companies. This is totally unacceptable — even if no one ever comes to your office, sometimes team members can cause just as much damage.
  • A reliable security solution must be installed on all machines, without exception.