Story image

The age of software supply-chain attacks: Why they are now a legitimate threat

24 Oct 2017

Recently there has been a rash of software supply-chain attacks. Compared to malware, where we tend to talk about hundreds of thousands of events per day, having only eight reported software supply-chain attacks since January might not seem like a lot.

In fact, it may have you thinking I’m overstating things. However, when you consider that we often only see one or two software supply-chain attacks in a year, eight in the last ten months is a veritable deluge!

The two most-publicised among these are the recent CCleaner incident and the M.E.Doc attack. In the former, an illicitly-modified copy of the very popular “system cleaner” CCleaner, including signed executables in signed installer packages was available from the official download site for a month. Subsequent forensic analysis of the C&C server at the heart of the attack showed that at least 40 machines at 12 companies were compromised further.

Popular Ukrainian tax accounting software M.E.Doc was backdoored multiple times with the modified versions made available from the official download servers, and mostly installed on victim machines via the software’s auto-update feature. On 27 June, a few days after the third backdoored version of the software was released, the DiskCoder.C (aka NotPetya) data-trashing malware was pushed to M.E.Doc’s compromised users. Although probably unintentional, DiskCoder.C spread widely outside of Ukraine, via stolen credentials and VPN LAN connections.

Why would the attackers – whoever they are – behind the CCleaner compromise, or the others, go to this much trouble?

In one case the “attackers” are known and might reasonably be described as researchers or “concerned users” wishing to improve the state of security in popular programming language ecosystems. However, in the other cases, including those listed above, all of which involve actual malware, it is unlikely we will know for sure unless the attackers are caught and carefully interrogated. However, we can speculate.

A supply-chain attack, at least involving specialist software, is logically a form of watering-hole attack. These are so-named because the attackers focus their attention on a conventional “gathering place” for people in a community of shared interests, where the whole group, or perhaps just a few of its members, are the attackers’ actual target. Typical watering-hole attacks have involved compromising a legitimate website and installing malware on the devices of the site’s visitors via a drive-by download, or by social engineering (“you must update Flash Player,” or “you must install this codec to view this video”).

Compromising a software distribution server, or the build-chain that delivers a software update to such a server, has significant advantages for the attackers. They do not need a good supply of zero-day vulnerabilities with which to pull off a drive-by compromise, nor do they have to be able to socially-engineer their intended victims into installing an “update” that is really malware.

Furthermore, it is entirely unsurprising to the victims that some software is installed on their devices, as that is what they were expecting, either directly through their own actions, or indirectly if the software checks for and installs its own updates. The latter is especially favourable, as it gives the attacker a “least surprise” advantage. Their victims are very unlikely be doubtful after installing the software, allowing the malware more time to achieve its intended goal.

Perhaps this dramatic, recent increase in supply-chain attacks suggests that other attack methods are getting harder to pull off? If so, it is likely that this is because endpoint security software, firewalls and other security measures are more difficult to bypass? Or, it might just show that well-funded – and perhaps predominantly state-sponsored – cybercriminals are even more active and determined than ever?

Most modern software systems are far too massive for any individual to fully understand. Modern office suites, database programs, system maintenance utilities and, yes, security products, are huge, and have hugely-complex codebases. The teams who write these programs have to trust others who produce the development tools that they need to build and ship their own products, and of course, the operating systems that they run on.

When you think about it, there is actually a circle of trust, as the developers of these tools are also users of office suites, databases, system maintenance utilities, security products and operating systems.

We are, you could say, all in the same boat

Article by Nick FitzGerald, Senior Research Fellow, ESET.

Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.