Software Update Supply Chain Attacks: What You Need to Know

Software update supply chain attacks have been one of the big trends in cyber crime in 2018. Find out more about this cyber attack technique.

Security Response
Oct 17, 2018 · 5 min read
Attackers who compromise the software supply chain can potentially gain access to well-protected organizations and spread infections quickly

Some of the most high-profile cyber attacks of recent times have been perpetrated after cyber criminals compromised a third-party supplier of the targeted company and used their access to get on to the victim’s network: attacks of this nature are known as software update supply chain attacks.

What is a software update supply chain attack?

We define a software update supply chain attack as follows: “Implanting a piece of malware into an otherwise legitimate software package at its usual distribution location; this can occur during production at the software vendor, at a third-party storage location, or through redirection.”

We wrote about software update supply chain attacks earlier this year, in ISTR 23. The reason these types of attacks piqued our interest then is because we saw a surge in incidents of supply chain attacks in 2017 — they increased by 200 percent compared to the previous year. There was an average of one supply chain attack every month in 2017, compared to four attacks annually in previous years.

Why do attackers carry out software update supply chain attacks?

Software update supply chain attacks are attractive to cyber criminals for several reasons:

· They allow them to infiltrate well-protected organizations by exploiting an already trusted channel.

· The number of infections can grow quickly due to automatic updates.

· This method can allow attackers to target specific regions or sectors — as was the case with the well-known Petya/NotPetya attacks. An accounting software that is primarily used in Ukraine was compromised to gain access to victims’ machines.

· They can allow isolated targets, such as those in industrial environments, to be targeted.

· They can also make it more difficult for victims to figure out how attackers got onto their systems as trusted processes are abused.

What software update supply chain attacks would I have heard of?

Probably quite a few! The much-reported Ticketmaster breach that was revealed a few months ago was carried out when the Magecart group, which was behind the attacks, compromised one of Ticketmaster’s third-party suppliers.

The Magecart attackers injected malicious JavaScript code onto Ticketmaster’s website after they compromised a chatbot from tech firm Inbenta that was used for customer support on Ticketmaster websites. Magecart was then able to alter the JavaScript code on Ticketmaster’s websites to capture payment card data from customers and send it to their servers. The code may have been on the Ticketmaster website for almost a year. Inbenta said Magecart had exploited vulnerabilities to target its front-end servers and alter its chatbot code.

Magecart is carrying out a wide-ranging campaign to target payment forms on e-commerce websites and steal information from them — activity we call formjacking. Following the Ticketmaster breach, it was revealed that Magecart was widely targeting third-party companies that are used on e-commerce sites to manage analytics, website support, and other services. Feedify is one such third-party service that is used by many websites to serve up push notifications to website visitors. It was notified by a threat researcher on September 11 that some of its JavaScript code had been modified with the Magecart script, which prompted Feedify to delete the code. However, within 24 hours the code had been modified again. Feedify again deleted it but it once again reappeared, with threat researchers subsequently warning users of Feedify to stop using it until the issue was resolved.

Two of the other most high-profile software supply chain attacks of recent times were the CCleaner attack, and the aforementioned Petya/NotPetya attack. Petya/NotPetya is a self-propagating worm that, among other methods, used the EternalBlue exploit to spread across infected networks. It caused a lot of headlines when the attack occurred as it happened shortly after the infamous WannaCry outbreak, which also used EternalBlue to propagate. However, unlike WannaCry, Petya/NotPetya wasn’t ransomware, though it did appear to be initially. The encryption performed by Petya wasn’t reversible, so while it displayed a ransom note to victims it is more accurate to say it was a wiper. Petya/NotPetya gained a foothold on victim machines by compromising the software update process of MEDoc, a tax and accounting software package that is widely used in Ukraine, indicating that organizations in that country were the primary target. Ukraine was the hardest hit by Petya/NotPetya, though it did also hit organizations in several other European countries.

In August 2017, shortly after the Petya/NotPetya outbreak, a popular system clean-up tool called CCleaner was targeted by supply chain attackers. Attackers gained access to the company’s development environment and distributed a malicious version of the tool through the update process. The success of the campaign was aided by the fact that the attackers were able to sign the Trojanized update with the manufacturer’s official digital signature. It is believed the compromised version of CCleaner was downloaded 2.27 million times, with the biggest percentage of downloads happening in the U.S., followed by Germany, according to Symantec’s telemetry. Interestingly though, this was a two-stage attack. An initial reconnaissance tool (Trojan.Sibakdi) was dropped on the compromised machines, but only a handful of machines received a second payload (Trojan.Famberp).

More recently, we also saw a software supply chain attack leveraged in order to deliver cryptojacking malware to victims’ devices. It appears that software update supply chain attacks are a technique that won’t be going away anytime soon.


Software update supply chain attacks can be difficult to guard against, but there are some steps that organizations can take:

· Test new updates, even seemingly legitimate ones, in small test environments or sandboxes first, to detect any suspicious behavior.

· Behavior monitoring of all activity on a system can also help identify any unwanted patterns and allow you to block a suspicious application before any damage can be done.

· Producers of software packages should also ensure that they are able to detect unwanted changes in the software update process and on their website.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.

Threat Intel

Security Response

Written by

Symantec Security Response brings you the latest threat intelligence from the IT security world.

Threat Intel

Insights into the world of threat intelligence, cybercrime and IT security. Brought to you by researchers at Symantec.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade