Supply Chain Attacks Highlight Escalation by Malware Authors
The tactics used in supply chain attacks against security software CCleaner and the popular video converter Handbrake were not new but demonstrated malware authors’ increasing reach and sophistication. Attackers compromised CCleaner's supply chain to plant specialized APT malware on computers belonging to 40 named organizations in the malware code. Based on the list of organizations targeted, attackers were likely looking to steal source code and intellectual property. Handbrake was a more widely sprayed attack, attempting to infect as many machines as possible, causing it to be discovered and remediated quickly. Supply chain attacks were novel attack methods discussed among security researchers and tech talks until October 2018 when Bloomberg published an explosive story alleging that China had implanted thousands of servers made by SuperMicro with hardware that allowed them to remotely access and spy on the machines which were purchased by companies like Amazon and Apple. In the months following, the story turned out to be a big nothing burger but not before wiping out hundreds of millions of dollars off of SuperMicro’s market cap.
There is an argument to be made that the NotPetya ransomware outbreak was the result of a supply chain attack against MeDoc, the Ukrainian accounting software maker. Attackers compromised the update servers of MeDocs, which delivered the NotPetya malicious payload to Ukrainian subscribers over legitimate software updates. MeDoc did not take any standard of care in protecting their update servers or even securing the update process with HTTPS to prevent a man-in-the-middle interception and modification.
Recently, there have been two supply chain attacks that demonstrate increasing sophistication with possible state-sponsored ties. In late March 2019, computer manufacturer Asus reported that it had been delivering malicious updates to its customers through the Asus secure update mechanism, present on every computer the manufacturer ships. The malicious payload, dubbed ShadowHammer, was added to a legitimate software update after compiling and then digitally signed with Asus's code signing certificate, making it appear to be a valid update to the computer's update software and traditional anti-virus protection. After the initial code signing certificate expired, the attackers were able to gain access to a second Asus code signing certificate and perpetuated this malicious update attack for several months before security researchers and Asus discovered it. Many anti-virus solutions would have missed the malicious updates because they verify the digital signature of the software and "trust" code that is signed by a legitimate code signing certificate. The malicious updates from Asus targeted specific machines based on their MAC address indicating this was a very targeted attack against previously known individuals.
Just weeks after the ShadowHammer disclosure by Asus, security researchers discovered an even more nefarious supply chain attack using similar tools, tactics, and practices. Attackers gain remote access to systems belonging to video game developers through spear phishing and use their newly gained access to install a malicious patch to Microsoft Visual Studio, a popular programming application used in software development. An alternative theory is that these developers downloaded illegal or pirated versions of Visual Studio with the malicious code already embedded. The malicious modifications would target Visual Studio's "linker" component which connects multiple parts of the code before compiling. Instead of using legitimate libraries as the software makers intended, the malicious linkers would pull in compromised or malicious libraries and add them to the code base. Compromising code during the development cycle makes the malware authors' job even easier since their malicious payload is embedded into the code of the video game's software, then digitally signed with the vendor's code signing certificate making it appear that the malicious code is legitimate to operating systems and anti-virus software. It is no longer required for the attackers to have access to the code signing certificates or code signing machines since the malware embeds itself before compiling and code signing. Once a customer downloads and installs the compromised video game, the malicious code is free to run on the machine. Interestingly enough, the malware seen in this supply chain attack has specific instructions not to run on devices that have Russian and Chinese language packs installed indicating that their targets are not located in the respective countries that contain this language pack. There is an unspoken understanding that Russian and Chinese hackers are given a degree of freedom from law enforcement and their respective governments as long as they do not target their citizens.
Supply chain attacks are highly effective because of their capabilities to evade traditional security controls, but they also erode trust in the legitimate software vendors. Users begin to distrust software vendors when they start distributing malware through legitimate channels. While any software developer could fall victim to a cyber attack, there are defense-in-depth security controls that help prevent supply chain attacks or substantially limit their impact. Starting with basic user awareness training for code developers to ensure they do not install malicious software or have their credentials phished when targeted for their access. Endpoint security software has regularly failed to identify malware that was digitally signed with a code signing certificate, even if the certificate failed any revocation checks.
Instead of relying on software that trusts digitally signed code, a zero-trust model of scanning every byte of data including SSL/TLS encrypted internet traffic will ensure malicious data never makes it to the endpoint from the internet. Regular code audits have unearthed previously unknown backdoors in popular software, believed to be implanted by state-backed hacking groups. Air gapping code signing machines and properly securing code signing certificates with HSMs will also make it much more difficult for malicious code to bear a legitimate digital signature.
Until software developers implement the proper security controls to ensure supply chain attacks do not push out malicious code disguised as legitimate software, it is ultimately up to end users and organizations to protect themselves against this attack vector. Protecting users no matter where they are: on the corporate network, at a hotel, coffee shop, or home is essential to not leave any gaps in security that can be exploited by a sophisticated attacker. With a 400% increase in phishing attacks utilizing SSL or TLS-based encryption, it becomes essential to inspect this traffic for malicious data. Security is everyone’s responsibility, but until there are hefty fines or penalties for organizations that suffer from supply chain attacks, it is up to organizations to protect themselves.