The MediSecure breach thrusts the security spotlight back on service providers
By Scott Hesford, Director of Solutions Engineering Asia Pacific and Japan, BeyondTrust*
Tuesday, 27 August, 2024
In Australia, it seems a large data breach is never far away. The latest one of concern is MediSecure, one of two prescription delivery services that operated nationally until late 2023.
A breach of a health sector provider is always going to be worrying, since such operators handle sensitive data by definition. But the breach of MediSecure has proven problematic for more than one reason.
A key one is that roughly half of the Australian population is in it. Exactly who is affected, and how badly, may never be known, as the data was considered too unstructured to map to individual patients. On top of that, the initial breach was of a third-party vendor used by MediSecure, and presumably by other organisations as well.
Such attacks are becoming more common. Whereas attackers would once have targeted organisations one by one looking for weaknesses, they are increasingly turning their attention to service providers that run multi-tenanted services for many high-profile customers. These are sometimes called ‘island hopping’ attacks: the breach of a shared service provider is used by a threat actor to ‘hop’ across into customer networks, where they can damage systems or exfiltrate data.
Breaching one of these service providers can give immediate access to multiple valuable datasets. In some cases, the breach may give attackers access to assets that contain hardcoded or embedded credentials that can be abused to gain direct access to the customer’s systems.
Broadly, these kinds of attacks come under the umbrella term of supply chain attacks. Such attacks have a number of variations in the way they are executed.
Sometimes an attacker will infiltrate a piece of shared software and insert malware that is then distributed to customers through a trusted update: think SolarWinds or JetBrains. Then there was the 2023 compromise of Okta’s support system, which allowed an attacker to access sensitive files uploaded by Okta’s customers and use the credentials in those files to try to compromise multiple large organisations at once.
The breach that impacted MediSecure appears to be more in this latter category of incident, although there is still little detail on the nature of the compromised supplier.
Despite variations in how they are approached and executed, the reason more supply chain attacks are occurring is simply that cybercriminals have realised how lucrative these ‘one-to-many’ attacks can be. Going after a single service provider with many household-name customers offers attackers much larger rewards for significantly less effort than testing the defences of each of those organisations individually.
In addition, with third-party providers often sitting outside of an organisation’s stringent internal security policies and protections, attackers can encounter a path of lesser resistance than they would by going in the front door. An Australian Securities and Investments Commission (ASIC) survey late last year found 44% of respondents were not managing third-party or supply chain risks. It noted that “third-party relationships provide threat actors with easy access to an organisation’s systems and networks”, and that this access needed to be addressed. As more is learned about the MediSecure breach, the need to address supply chain threats remains as real as ever. Additional focus in this space is clearly required.
The two most effective actions organisations can take
Organisations need to be vigilant in the way they secure not only their own organisations against threats, but also their interactions with others. Vigilance can be achieved in part by having the right tools to detect and prevent supply chain threats, and by adopting the right security mindset.
The right tooling in this context means technology that can detect indicators of a possible breach at a supplier. Many such indicators of compromise (IOCs) are anomalous behaviours rather than known-bad artefacts: simple in nature, but difficult to spot manually at scale. Technology can be used to locate them.
Behaviours could include someone attempting to run privileged commands without multi-factor authentication. That can be a sign that a service provider has been compromised, that its credentials to the customer environment have been stolen, and that those credentials are now being abused.
Similarly, successful API requests made without authentication, or accounts being created or modified outside regular change control processes, are also potential IOCs of a supply chain attack in progress.
Identity and privilege management tooling should ideally be able to detect these IOCs and address them before they can be used as part of a compromise or breach.
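The three behavioural IOCs above can be expressed as simple rules over an audit log. The following is an added illustrative example, not BeyondTrust product logic or anything from the MediSecure investigation. The JSON-lines event schema, the field names, the vendor account list, the privileged-command list, the allowlist of legitimately unauthenticated endpoints and the sample log lines are all constructed for the example; a real deployment would map them onto its own identity provider, PAM and API gateway logs.

```python
"""Detect the three supply-chain IOCs described above over JSON-lines audit events.
Added example with a constructed schema and constructed log lines; not vendor code."""
import json
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed: accounts belonging to third-party providers with access into our
# environment. Hits on these point at a compromised supplier, so they are prioritised.
VENDOR_ACCOUNTS = {"svc-vendor-helpdesk", "svc-vendor-backup"}
# Constructed: command prefixes treated as privileged.
PRIVILEGED_PREFIXES = ("sudo ", "net user ", "Add-ADGroupMember ", "kubectl exec ")
# Constructed: endpoints that are legitimately unauthenticated (a 200 there is not an IOC).
UNAUTHENTICATED_OK_PATHS = {"/v1/health"}


@dataclass(frozen=True)
class Alert:
    rule: str
    actor: str
    detail: str
    vendor_account: bool = False


def _alert(rule: str, actor: str, detail: str) -> Alert:
    return Alert(rule, actor, detail, vendor_account=actor in VENDOR_ACCOUNTS)


def privileged_command_without_mfa(ev: dict) -> Optional[Alert]:
    """IOC 1: privileged command in a session that was not MFA-verified.
    A missing 'mfa' field is treated as no MFA, not as unknown."""
    if ev.get("type") != "command":
        return None
    cmd = ev.get("command", "")
    if not cmd.startswith(PRIVILEGED_PREFIXES) or ev.get("mfa") is True:
        return None
    return _alert("privileged_command_without_mfa", ev.get("user", "?"), cmd)


def unauthenticated_api_success(ev: dict) -> Optional[Alert]:
    """IOC 2: a 2xx response to an API request that carried no credentials.
    Rejected (4xx) unauthenticated requests are noise; only successes count."""
    if ev.get("type") != "api":
        return None
    status = int(ev.get("status", 0))
    if not 200 <= status < 300 or ev.get("auth") not in (None, "", "none"):
        return None
    if ev.get("path") in UNAUTHENTICATED_OK_PATHS:
        return None
    detail = f"{ev.get('method')} {ev.get('path')} -> {status}"
    return _alert("unauthenticated_api_success", ev.get("src_ip", "?"), detail)


def account_change_without_ticket(ev: dict) -> Optional[Alert]:
    """IOC 3: an account created or modified with no change-control reference."""
    if ev.get("type") != "account" or ev.get("action") not in ("create", "modify"):
        return None
    if ev.get("change_ticket"):
        return None
    detail = f"{ev['action']} {ev.get('target', '?')}"
    return _alert("account_change_without_ticket", ev.get("actor", "?"), detail)


RULES: List[Callable[[dict], Optional[Alert]]] = [
    privileged_command_without_mfa,
    unauthenticated_api_success,
    account_change_without_ticket,
]


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run every rule over every event. Malformed lines are skipped so one bad
    record cannot stall the pipeline (but should be counted in production)."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict):
            continue
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample log (JSON lines), including one deliberately malformed record.
SAMPLE_LOG = """
{"type":"command","user":"svc-vendor-helpdesk","command":"sudo systemctl stop auditd","mfa":false}
{"type":"command","user":"alice","command":"sudo apt update","mfa":true}
{"type":"command","user":"alice","command":"ls -la","mfa":false}
{"type":"api","method":"GET","path":"/v1/patients/export","status":200,"auth":"none","src_ip":"203.0.113.7"}
{"type":"api","method":"GET","path":"/v1/patients/export","status":401,"auth":"none","src_ip":"203.0.113.7"}
{"type":"api","method":"GET","path":"/v1/health","status":200,"auth":"none","src_ip":"10.0.0.5"}
{"type":"account","action":"create","actor":"svc-vendor-backup","target":"backup-admin2","change_ticket":""}
{"type":"account","action":"modify","actor":"bob","target":"carol","change_ticket":"CHG-0042"}
this line is not JSON
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{'VENDOR ' if a.vendor_account else ''}{a.rule}: {a.actor}: {a.detail}")
```

Run against the constructed log, the rules fire three times: the vendor helpdesk account running `sudo` without MFA, an unauthenticated 200 on the patient export endpoint, and a new account created by the vendor backup account with no change ticket. The MFA-verified `sudo`, the rejected 401, the allowlisted health endpoint and the ticketed modification are correctly ignored. Two of the three hits carry the vendor flag, which is exactly the signal the text describes: a supplier's credentials being abused in the customer environment.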
In addition to tooling, organisations also need to have the right mindset to prevent supply chain attacks. To foster this, organisations must equip all staff with skills through training and then continuously reinforce that learning — such that people are awake to the risks posed by the organisations they work with, and are confident enough to report any unusual occurrences in their day-to-day interactions.