February 13, 2023 By Jennifer Gregory 4 min read

Attacks on service providers are mounting — and so are downstream victims.

Earlier this year, some customers of the cloud service provider DigitalOcean received emails instructing them to reset their passwords. These users hadn’t actually forgotten their passwords — their email addresses had been compromised in a data breach. But the cybersecurity incident didn’t start at DigitalOcean. Instead, the attack started from a MailChimp account.

Like many companies, DigitalOcean relies on a third-party email platform for email confirmations, password reset notifications and alerts sent to customers. According to DigitalOcean, an attacker compromised MailChimp’s internal tooling and gained unauthorized access to DigitalOcean’s Mailchimp account. This allowed the cyber criminal to add an authorized email address to the account and then steal customer email addresses. Accounts with multi-factor authentication (MFA) enabled were not breached. DigitalOcean could not communicate with its customers for several days due to the breach, during which many people became concerned about their data privacy.

While the attack originated at a third-party organization, the victims of the attack reached beyond Mailchimp. Mailchimp suffered business disruption and customer loss as DigitalOcean changed providers. But DigitalOcean also saw downtime without customer contact, as well as potentially losing their own customers’ trust.

The MailChimp breach is one example of a growing and concerning trend. In many cases, the damages of a breach have a primary victim and secondary victims. In this instance, while MailChimp was the original target, DigitalOcean customers were secondary victims. By targeting major vendors, cyber criminals expand their potential for harm through the trickle-down effect of their attacks. But businesses can still take steps to avoid becoming a downstream victim.

Why downstream attacks are increasing

As cybersecurity technology and practices get more sophisticated, cyber criminals must look for new ways to inflict the most damage. With a downstream attack, organizations often can’t quickly pinpoint the cause of the breach. Sometimes the breach goes undetected for days or even months. In other cases, a downstream victim may realize there is an issue but can’t isolate its source.

Additionally, downstream attacks make it possible for cyber criminals to increase the damage and disruption they inflict with a single event. By targeting vendors working with companies that have large customer bases, cyber criminals have access to a much larger pool of customer data. As more companies use Software-as-a-Service (SaaS), vendors are an increasingly attractive target for cyber criminals because of the large opportunity for secondary victims.

In one phishing attack, cyber criminals gained access to the customer engagement platform Twilio through its customer support console. Once the cyber criminals accessed the platform, they had access to Twilio’s customer base, including Signal, a secure messaging platform with an estimated 40 million monthly users. The attack affected 1,900 Signal users, breaching their phone numbers or revealing their SMS verification codes. Most concerning, the hackers bypassed Twilio’s MFA functionality to gain access.

The increase in downstream attacks means organizations must be concerned with more than their own cybersecurity. Businesses now inherit the risk of every single company they’re interconnected with. For example, an organization using a cloud service provider, a CRM and an email marketing platform is only as protected as each vendor. With more companies using SaaS and digital tools, the risk is only increasing.

Steps to avoid becoming a downstream victim

Here are ways to reduce your organization’s risk of becoming a victim of a downstream attack:

  • Conduct a security audit as part of vendor onboarding. Your organization is only as secure as your most insecure vendor. Whenever you do business with another company, you assume their risk. Even more importantly, you pass that risk on to your own customers.
  • Get contact information for security concerns. Ask potential vendors about their security protocols and their process for notifying their customers after a breach. One of the challenges DigitalOcean faced after the MailChimp breach was the inability to get in touch with MailChimp for information when it received the notice that its account was disabled due to security issues. Many organizations have a dedicated support line or channel for immediate resolution of cybersecurity issues.
  • Consider a zero trust framework. By using a zero trust approach, your organization assumes that all apps, devices and users requesting access are unauthorized until proven otherwise. Combined with micro-segmentation, which allows access to the smallest possible portion of the network, you can also reduce the damage caused by a breach.
  • Use MFA on corporate accounts whenever it’s available. Make sure all the vendors your organization uses offer MFA and require employees to use MFA on all the vendor logins they use as part of their job. As demonstrated by the DigitalOcean attack, MFA can prevent some breaches. While the Twilio attack showed that breaching MFA is possible, using MFA can still significantly reduce the risk for organizations.
  • Create a plan for vendor disruption. If one of your vendors is a victim of a cybersecurity attack, they will likely be offline and unable to serve their customers. By creating a backup plan for vendors, you can limit the impact on your organization.

Navigating interconnected risk

The increase in SaaS and PaaS means companies are more interconnected than ever before. With service providers enabling access to their customers, cyber criminals can now affect more people with a single attack. By understanding the risk each new vendor adds to your organization, you can proactively reduce any exposure and feel more secure that you’re fulfilling one of your biggest obligations — protecting your customers’ privacy and data.
