Software Update Supply Chain Attacks: What You Need to Know
Software update supply chain attacks have been one of the big trends in cyber crime in 2018. Find out more about this cyber attack technique.
Some of the most high-profile cyber attacks of recent times have been perpetrated after cyber criminals compromised a third-party supplier of the targeted company and used that access to get onto the victim’s network: attacks of this nature are known as software update supply chain attacks.
What is a software update supply chain attack?
We define a software update supply chain attack as follows: “Implanting a piece of malware into an otherwise legitimate software package at its usual distribution location; this can occur during production at the software vendor, at a third-party storage location, or through redirection.”
We wrote about software update supply chain attacks earlier this year, in ISTR 23. The reason these types of attacks piqued our interest then is that we saw a surge in supply chain attacks in 2017 — they increased by 200 percent compared to the previous year. There was an average of one supply chain attack every month in 2017, compared to four attacks annually in previous years.
Why do attackers carry out software update supply chain attacks?
Software update supply chain attacks are attractive to cyber criminals for several reasons:
· They allow attackers to infiltrate well-protected organizations by exploiting an already trusted channel.
· The number of infections can grow quickly due to automatic updates.
· This method can allow attackers to target specific regions or sectors — as was the case with the well-known Petya/NotPetya attacks. Accounting software that is primarily used in Ukraine was compromised to gain access to victims’ machines.
· They provide a way to reach isolated targets, such as those in industrial environments.
· They can also make it more difficult for victims to figure out how attackers got onto their systems, because trusted processes are abused.
What software update supply chain attacks would I have heard of?
Probably quite a few! The much-reported Ticketmaster breach that was revealed a few months ago was carried out when the Magecart group, which was behind the attacks, compromised one of Ticketmaster’s third-party suppliers.
Two of the other most high-profile software supply chain attacks of recent times were the CCleaner attack and the aforementioned Petya/NotPetya attack. Petya/NotPetya is a self-propagating worm that, among other methods, used the EternalBlue exploit to spread across infected networks. It generated a lot of headlines when the attack occurred, as it happened shortly after the infamous WannaCry outbreak, which also used EternalBlue to propagate. However, unlike WannaCry, Petya/NotPetya wasn’t ransomware, though it did appear to be initially. The encryption performed by Petya wasn’t reversible, so while it displayed a ransom note to victims, it is more accurate to say it was a wiper. Petya/NotPetya gained a foothold on victim machines by compromising the software update process of MEDoc, a tax and accounting software package that is widely used in Ukraine, indicating that organizations in that country were the primary target. Ukraine was the hardest hit by Petya/NotPetya, though it also hit organizations in several other European countries.
In August 2017, shortly after the Petya/NotPetya outbreak, a popular system clean-up tool called CCleaner was targeted by supply chain attackers. Attackers gained access to the company’s development environment and distributed a malicious version of the tool through the update process. The success of the campaign was aided by the fact that the attackers were able to sign the Trojanized update with the manufacturer’s official digital signature. It is believed the compromised version of CCleaner was downloaded 2.27 million times, with the biggest percentage of downloads happening in the U.S., followed by Germany, according to Symantec’s telemetry. Interestingly though, this was a two-stage attack. An initial reconnaissance tool (Trojan.Sibakdi) was dropped on the compromised machines, but only a handful of machines received a second payload (Trojan.Famberp).
More recently, we also saw a software supply chain attack leveraged in order to deliver cryptojacking malware to victims’ devices. It appears that software update supply chain attacks are a technique that won’t be going away anytime soon.
Software update supply chain attacks can be difficult to guard against, but there are some steps that organizations can take:
· Test new updates, even seemingly legitimate ones, in small test environments or sandboxes first, to detect any suspicious behavior.
· Behavior monitoring of all activity on a system can also help identify any unwanted patterns and allow you to block a suspicious application before any damage can be done.
· Producers of software packages should also ensure that they are able to detect unwanted changes in the software update process and on their website.
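As an added illustration of the last point (example code written for this article, not a Symantec tool), the check below lets a software producer baseline the files at an update package’s distribution location and later detect modified, added or removed files. It assumes the baseline manifest is stored somewhere the attacker cannot reach; here it is just an in-memory dict.

```python
"""Added example: baseline-and-verify integrity check for a release directory.
Assumption: the baseline manifest (path -> SHA-256) is captured at build time
and kept offline; an empty diff means the distribution location is unchanged."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large installers are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every file under the distribution directory."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live directory against the baseline manifest and return
    the files that were modified, added or removed since the baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario (sample data, not a real release): a release is
    baselined, then the installer is swapped for a tampered build and an
    extra library is dropped beside it; verify() should flag both."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "setup.exe").write_bytes(b"legitimate installer build")
        (root / "README.txt").write_text("release notes")
        baseline = build_manifest(root)
        (root / "setup.exe").write_bytes(b"legitimate installer build + implant")
        (root / "helper.dll").write_bytes(b"dropped payload")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

This catches substitution after the build, but not a build environment that was already compromised, which is why the CCleaner update carried a valid vendor signature; a baseline taken from the reproducible source build, rather than from the published artifact, is needed to cover that case.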