Aug. 17, 2022 Risky Business: How to Map and Minimize Third-Party Cyber-Security Risks

Last month’s backdoor vulnerability in Zyxel firewall and VPN devices has once again highlighted the security risks posed by third parties. Organizations can minimize third-party risk by using multiple layers of security technology, performing regular risk assessments and requiring their suppliers to meet minimum security requirements.

Tens of thousands of organizations had an unwelcome cyber surprise last month, days before Christmas, in a vulnerability disclosure that once more highlights the risks introduced through third-party suppliers.

A Dutch cybersecurity researcher found a serious vulnerability in networking devices made by Zyxel, whose firewalls and virtual private network (VPN) gateways are widely used by small and medium-sized businesses.

On January 2, 2021, ZDNet reported that more than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contained a hardcoded, undocumented admin-level account: a backdoor that gives anyone who knows the credentials administrative (“root”) access to the device via either SSH or the web administration panel. The technology news site described the backdoor as “as bad as it gets” in terms of security vulnerabilities.

It is common practice to integrate a wide variety of third-party software and hardware into the corporate network to create, run, or secure IT processes and assets. Third-party hardware, software, and software libraries are present at every layer of the OSI stack, from the physical layer up to the application layer. It starts with laptops and network devices, continues through office applications such as Word or Excel, and extends to the company’s own website and self-developed applications. Every part of the IT infrastructure is either externally developed or relies on external technologies.

Third-party risks

Two of the most common security risks faced by organizations that rely on third-party suppliers for their IT are the third party itself getting hacked and security vulnerabilities in the suppliers’ products.

  • Third party gets hacked: The number of attacks on supply chains is growing, and they affect not just the initial target but also that organization’s customers. A vendor can suffer a data breach, or the vendor’s product can be turned into a backdoor into its customers’ networks, as happened in last month’s attack on US software maker SolarWinds. The damage caused in these scenarios depends on two factors: the expertise and goals of the attacker, and the resilience of the vendor’s IT security.
  • Vulnerabilities within products: Attackers find, and will keep finding, vulnerabilities in products. The impact of a vulnerability depends not only on the vulnerability type and the product itself but also on the vendor’s service agreement. A vulnerability in an application consumed under a SaaS agreement carries different risks than the same application hosted within the company’s own network.

Depending on where the application is hosted and how it is integrated into the company’s network, the risk changes:

  • Externally maintained: The vulnerability might expose the company’s data and the systems connected to the product via APIs or other services. From a network perspective, however, any resulting code execution will most likely affect only the vendor’s network.
  • Internally maintained: The vulnerability exposes both the data and the network of the company using the product. An attacker can therefore use the compromised system to pivot further into the company’s network.

Even though externally maintained sounds like the lower risk from a breach perspective, bear in mind that a company has far less power to secure data stored at a third party than data stored internally.

Security lessons from the Zyxel vulnerability

The recent Zyxel vulnerability shows how internally maintained products with security flaws can be exploited by attackers.

To distribute firmware updates automatically to managed appliances via FTP, Zyxel used a hardcoded user with administrative privileges on its firewalls and AP controllers. The implemented user “zyfwp” could also be used to log in through the web interface (HTTPS) and through SSH, the standard protocol network administrators use to log in securely to networks and network devices.

Zyxel did not document the user in any manual. Administrators therefore could neither monitor the use of this specific account nor restrict its access. An attacker who knew about the account before it was publicly disclosed would have had administrative access to the devices without the owner ever noticing.

An attacker’s abuse of these administrative rights blasts a hole through an organization’s cyber defenses, because the firewall, VPN gateway, or access points are the entry points into the company’s internal network.

Once on the device, an attacker could create new firewall rules such as port-forwards into the internal network, add VPN accounts for persistent access, or backdoor the firmware itself.

How to mitigate third-party risks

Organizations can bolster their defenses against third-party cyber security risks through robust risk assessments, multiple layers of security technology, a detailed and up-to-date inventory of all IT systems, and contractual minimum requirements for suppliers:

  • Risk assessments: Perform regular risk assessments of your cyber security. They should cover both the process side and the technical side. Include your IT products, internally and externally maintained, in your security risk assessments and penetration tests. A risk assessment should be done when a new product is introduced and afterwards on a regular basis, with the interval depending on the outcome of an internal business impact analysis.
  • Applied to CVE-2020-29583: A basic binary analysis of the firmware update with the “strings” command would have disclosed the hardcoded username and password before the device ever went into production.
  • Defense in depth: Companies should always be prepared for the worst case, that vulnerabilities exist in the products they use. This demands defense in depth to cover unknown weaknesses: whenever a security control fails or a vulnerability in a product surfaces, an additional layer such as network segmentation or privileged access management should keep the impact to a minimum. This requires a proper integration process for each third-party product, including threat modeling to identify potential attack vectors; once the threats are known, compensating controls can be put in place.
  • Applied to CVE-2020-29583: Monitoring changes to firewall rules, user accounts, and firmware would have raised an alarm as soon as someone used the hardcoded account to take further action. Collecting and monitoring the device’s own logon logs (SSH and HTTPS) would also have revealed any use of the account. In addition to monitoring, a privileged access management solution in front of the management interfaces might have mitigated the issue as well.
  • Take an inventory: Every company should maintain an asset inventory of the third-party products it uses. Such an inventory allows a quick response and update when a vulnerability is disclosed or a patch is released.
  • Contractual requirements: The contract negotiated between a company and the vendor of a product should cover minimum security standards. The same applies to agreements with IT providers and any other supplier that interacts with the company’s IT systems or data.
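Two of the checks named in the list above, the “strings”-style scan of a firmware image and the review of the device’s own logon and change logs against the accounts the vendor documented, as an added example in Python. This is not code from the original article, from Certus, or from Zyxel. The firmware blob, the service account name svc_fwupd and its password, the log line format, the documented-account list and the set of sensitive changes are all constructed for the example; a real appliance logs in its own format, and the regular expression must be adapted to it.

```python
"""Two operator-side checks for a vendor appliance, neither of which needs
the vendor's cooperation: a strings-style scan of a firmware image for
credential-like material, and a review of the device's logon / change logs
against the account list in the vendor's manual.

All sample data below is constructed for this example; it is not a real
firmware image and not a real Zyxel log.
"""
import re

# ---- 1. strings-style scan of a firmware image --------------------------
# Equivalent of: strings -n 6 firmware.bin | grep -i -E 'passw|pwd|secret|user|login'

CRED_HINT = re.compile(r"(?i)(passw(or)?d|pwd|secret|user(name)?|login)")


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII of at least min_len bytes (what strings(1) prints)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def credential_candidates(blob: bytes) -> list:
    """Strings that mention a credential-ish keyword; a human still triages them."""
    return [s for s in extract_strings(blob) if CRED_HINT.search(s)]


# Constructed blob standing in for a firmware update (made-up account and password).
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"/etc/ssl/certs\x00"
    + b"fwupd_user=svc_fwupd\x00"            # hardcoded service account (assumed name)
    + b"fwupd_password=Example-Pw-123\x00"   # its password, in the clear (made up)
    + b"\x00\x00\x00\x01\x02"
    + b"Welcome to the web console\x00"
)

# ---- 2. logon / change review against the documented account list -------
# Constructed syslog-style lines in a made-up format; adapt LOG_RE to the real device.
SAMPLE_LOG = """\
2020-12-29T01:02:03Z fw1 login user=admin src=10.0.0.5 via=https
2020-12-29T01:10:44Z fw1 login user=svc_fwupd src=203.0.113.7 via=ssh
2020-12-29T01:11:02Z fw1 config_change user=svc_fwupd src=203.0.113.7 via=ssh detail=firewall_rule_add
2020-12-29T01:12:30Z fw1 config_change user=svc_fwupd src=203.0.113.7 via=ssh detail=vpn_user_add
2020-12-29T02:00:00Z fw1 config_change user=admin src=10.0.0.5 via=https detail=firewall_rule_add
2020-12-29T02:05:00Z fw1 login user=admin src=10.0.0.5 via=https
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) via=(?P<via>\S+)(?: detail=(?P<detail>\S+))?$"
)

# Accounts the vendor manual lists; any other account logging in is a finding.
DOCUMENTED_ACCOUNTS = {"admin"}
# The changes the text names: firewall rules, user accounts, firmware.
SENSITIVE_CHANGES = {"firewall_rule_add", "vpn_user_add", "firmware_upload"}


def review_logs(text: str, documented=DOCUMENTED_ACCOUNTS) -> list:
    """Return (severity, reason, line) tuples, highest severity first."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append(("low", "unparsed line", line))
            continue
        user, event, detail = m["user"], m["event"], m["detail"]
        undocumented = user not in documented
        if undocumented and event == "login":
            # Fires on the first logon, before the attacker changes anything.
            findings.append(("high", f"logon by undocumented account {user} via {m['via']}", line))
        if event == "config_change" and detail in SENSITIVE_CHANGES:
            sev = "critical" if undocumented else "medium"
            findings.append((sev, f"{detail} by {user} from {m['src']}", line))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for s in credential_candidates(SAMPLE_FIRMWARE):
        print("firmware:", s)
    for sev, reason, _ in review_logs(SAMPLE_LOG):
        print(f"log [{sev}]: {reason}")
```

Two points worth noting. The firmware scan is deliberately noisy: a keyword hit is a lead for a reviewer, not a verdict, and an account name with no obvious keyword nearby will slip through, which is why the log review is the second line. The log review alerts on the first logon by an account outside the documented list, before any rule or account is changed, and rates a sensitive change by an undocumented account higher than the same change by a known administrator, so that the alert that matters is at the top of the queue.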

Conclusion

Technology, contractors, and supply chains provided by third parties can help businesses grow and innovate. However, they can also be the weak link in an organization’s information security.

Zyxel customers affected by the recent vulnerability should already have updated their devices to the latest firmware, which no longer contains the flaw highlighted last month. Other businesses would be well advised to use the incident as a reason to start the New Year with a review of their own security measures for third-party products and business relationships.

About the Authors

Jonas Becker, Security Engineer, Ryan McKamie, CEO & co-founder and Maxwell Zhou, Senior Security Engineer, contributed to this publication.

About Certus Cybersecurity Solutions LLC

Certus Cybersecurity is a provider of industry-leading information security services. With a focus on application security, IoT security, cloud security, and payment security, Certus Cybersecurity currently serves Fortune 100 enterprises and innovative, high-growth businesses worldwide. To learn how we help clients protect their businesses, please visit us.

References:

  • https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
  • https://www.bleepingcomputer.com/news/security/secret-backdoor-discovered-in-zyxel-firewalls-and-ap-controllers/
  • https://www.zdnet.com/article/backdoor-account-discovered-in-more-than-100000-zyxel-firewalls-vpn-gateways/
  • https://www.zyxel.com/support/CVE-2020-29583.shtml
  • https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/
