EXECUTIVE SUMMARY:

In the age of IoT, where more and more things are interconnected, it becomes increasingly apparent that one weak link in the supply chain can be all hackers need to unleash a global cyberattack, as we learned from NotPetya. Business operations lock up, assets can be seized. And when it comes to supply chain attacks in the world of finance–whether traditional or crypto–millions of dollars can vanish in the blink of an eye.

Earlier this month, ZDNet reported that crypto hackers targeted StatCounter one of the web’s most popular analytics services. Like Google Analytics, StatCounter requires a code to be embedded in websites in order to track the flow of traffic. Using that code as its delivery method, hackers infected nearly 700,000 sites with bitcoin stealing malware—which mainly affected a subset of users of the online exchange desk Gate.io.

While websites that embedded StatCounter’s analytics code into their sites could have potentially infected all users, the malicious code didn’t activate unless “myaccount/withdraw/BTC” appeared in the URL string. When researchers investigated to find a match between a website and that link, Gate.io popped up.

Once activated, the malicious code replaced the Bitcoin address entered by the user with an address controlled by the attacker.

As ZDNet notes, “The StatCounter incident is just the latest incident in a long list of recent supply-chain attacks via third-party JavaScript code loaded on legitimate sites. In the past year, miscreants have hacked several online services to deliver in-browser cryptocurrency-mining scripts or card-skimming code to unsuspecting users.

The non-crypto world of finance is not immune as Barclays, the British financial institution, illustrates. City A.M. reports that the bank is hit with substantial cyberattacks every day, according to a former Europol official.

In September, The Wall Street Journal reported that a spike in attempted banking cyberattacks had prompted federal officials to issue warnings.

And this past summer, Fiserv–a company that serves the banking industry–was found to have a flaw within its web platform that leaked customer data.

Consider the various elements that tie to a financial institution and it’s not hard to imagine the kind of supply-chain destruction that could ensue.

“Financial institutions are attractive targets to hackers because of their wealth of sensitive consumer information. Moreover, a successful attack on a financial institution has the potential to cause market turmoil,” writes The Wall Street Journal.

As more workloads move to the cloud and more business is conducted as a service, the need to secure each link in the supply chain becomes greater. From perimeter to cloud, the security of all networks and partnerships needs to be tightly orchestrated.

 

 

 

RELATED ARTICLESMORE FROM AUTHOR