Shields Up: In the Face of Supply Chain Attacks, Stay the Course
Keep calm and keep patching. Here’s what you need to know about this kind of attack.
We’re witnessing the growth of attacks on supply chains—trusted distribution channels for delivering software and hardware. I want to tell you a bit about these attacks, because you’re going to hear more reporting about them in the future.
Supply chain attacks typically turn trusted websites into hosts for malicious installer downloads, and infected servers into hosts for “evil software updates.”
And we have now been officially warned: “Security experts agree that it’s a growing trend.”
It is true that software supply chain attacks are growing, and that they can do real damage. That is not because the technique is new; it is because the baseline was so low. These attacks were quite rare until this year, and we are only beginning to see more of them in the wild.
For most of us, it’s smart to be aware of the possibility of these attacks, but critically assessing your risk should lead you to one conclusion: forgo needless installations, and keep your software updated. In other words, don’t freak out, and do what you should have been doing the whole time.
What’s a Supply Chain Anyway?
A software supply chain is every link between a developer and the user: the development environment, the build system, the servers that distribute the software, the update servers, and so on. An attacker who compromises any one of these links can inject malicious code that then reaches users through a channel they already trust.
An attacker can also physically tamper with hardware embedded in consumer technology. For example, security researchers have built malicious replacement screens for mobile devices, which log users’ keystrokes, and quietly take unwanted photos.
But while tampering with physical devices demands the appropriate equipment, tampering with software supply chains to distribute malware is cheaper and works at scale.
To see how these rare attacks work, let’s walk through a few recent examples.
The Ol’ Software Switch-a-Roo
Normally when downloading something, it’s wise to visit a known entity, such as the official site. But if an attacker takes over, they can abuse this trusted space to distribute malicious software.
This is what happened to a software maker called Eltima, when their website was hijacked.
Over two days in October 2017, Mac users who visited Eltima’s official website and downloaded Elmedia Player, a free media player, received a trojanized copy. The attack also affected Eltima’s Folx, a download manager.
The infected copy included a remote access trojan called OSX/Proton. Proton, bought and sold on hacker forums, lets attackers steal ordinary users’ online credentials and personal finance data.
You might wonder how dangerous this really is. Part of the answer depends on how quickly the developers respond: the window during which infected installers are served is the window in which users get hit.
In this case, it could have been worse. After security researchers alerted Eltima to the breach, the developers promptly cleaned up their website and replaced the trojanized downloads.
But it’s not just about websites.
From May 2–6, 2017, attackers bundled a variant of Proton into HandBrake, an open source video transcoder often used for ripping DVDs, by compromising one of the project’s download mirrors. Like many open source tools, HandBrake can also be installed through Homebrew, a command line package manager for macOS.
In this case, the Homebrew version was also infected.
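The one thing an ordinary user could do in the HandBrake case was compare the download against a checksum published by the project. The script below is an added example, not code from HandBrake or Homebrew; the installer bytes, file names and "published" hash are all constructed inside the script so it runs offline. It streams the file through SHA-256 (so a multi-gigabyte installer need not fit in memory), normalises a hash copied from a web page, and compares in constant time.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read installers in 1 MiB pieces


def is_valid_sha256_hex(value: str) -> bool:
    """True if value looks like a SHA-256 hex digest (64 hex characters)."""
    value = value.strip().lower()
    return len(value) == 64 and all(c in "0123456789abcdef" for c in value)


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so a large download need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, published_sha256: str) -> bool:
    """Return True only if the file at `path` hashes to the published SHA-256.

    The published value is normalised (whitespace, case) because it is usually
    copied from a web page. The comparison uses hmac.compare_digest so it does
    not short-circuit on the first differing character.
    """
    if not is_valid_sha256_hex(published_sha256):
        raise ValueError("published_sha256 must be a 64-character hex string")
    expected = published_sha256.strip().lower()
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> dict:
    """Constructed scenario (not real HandBrake data): a clean installer and a
    copy with a single byte changed, both checked against the hash that was
    'published' for the clean one."""
    clean = bytes(range(256)) * 4096  # 1 MiB of stand-in installer bytes
    # Flip one byte in the middle; the file length stays the same.
    tampered = clean[:500_000] + b"\x00" + clean[500_001:]
    with tempfile.TemporaryDirectory() as workdir:
        clean_path = os.path.join(workdir, "HandBrake-clean.dmg")  # hypothetical name
        tampered_path = os.path.join(workdir, "HandBrake-tampered.dmg")
        with open(clean_path, "wb") as f:
            f.write(clean)
        with open(tampered_path, "wb") as f:
            f.write(tampered)
        # The "published" hash is computed from the clean file, as a vendor would,
        # and upper-cased to mimic a value pasted from a web page.
        published = sha256_file(clean_path).upper()
        return {
            "clean": verify_download(clean_path, published),
            "tampered": verify_download(tampered_path, published),
        }


if __name__ == "__main__":
    print(demo())  # {'clean': True, 'tampered': False}
```

Two caveats a practitioner should keep in mind. First, the check is only as good as the source of the reference hash: a checksum fetched from the same compromised mirror, or over plain HTTP, can simply be replaced alongside the installer, so take it from a separate channel (the project's main site over HTTPS, a signed release note, or the package manager's own pinned checksum). Second, neither a hash nor a code signature helps when the vendor's own build pipeline is compromised, as in the CCleaner case discussed next, because the malicious build is the one the vendor hashes and signs.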
Similarly, from mid-August to mid-September 2017, more than 2 million users downloaded CCleaner, a popular Windows utility for scrubbing unwanted files, from its official download site (CCleaner is made by Piriform, which Avast had acquired that summer). Anyone who downloaded the affected build during that window also got bonus malware.
After breaking into the development infrastructure, attackers made a few modifications to CCleaner’s code before it was built. Like a physical signature, a digital signature is applied by developers to vouch for the authenticity of their code. But in this case the vendor’s own signing process signed the malicious build with a valid certificate, so the signature checked out and most ordinary users had no way to tell that anything was wrong with the application.
The infected CCleaner would beacon back to a command server, which in turn delivered a second stage of malicious code, but only to machines whose network domain matched a short list of multinational technology and telecommunications companies (e.g., Cisco, Intel, Samsung, Sony). That selectivity led security researchers to believe the attackers were interested in stealing intellectual property.
In other words, the attackers were not terribly interested in most of the users they infected, but cast a wide net in hopes of wrangling corporate targets. And it seems to have worked. According to Avast, no less than 20 machines at 8 organizations were hit by infected CCleaner installers.
While we see few examples of supply chain attacks targeting updates, researchers have caught a small handful in the wild. For example, in 2014 Symantec researchers found that attackers had trojanized software updates offered by industrial control system vendors, which were then installed by large energy companies.
More recently, attackers compromised a firm called MeDoc, which makes accounting software commonly used in Ukraine, and pushed at least three malicious updates between mid-April and late June 2017. The last of these came bundled with a nasty piece of malware (widely known as NotPetya) that encrypted the disks of affected Windows machines, leaving them inoperable. Even worse, it crawled through victims’ networks, infecting nearby machines as well.
Few Common Denominators
Each of these attacks targets legitimate software, and hijacks developers’ infrastructure in order to distribute malicious payloads to users. Okay, sure. But otherwise, what similarities do these attacks share? What unites them?
Supply chain attacks vary in scale, in complexity, in which link of the chain is exploited, in how the payload is delivered, and in what that payload does.
Because of the diversity of these attacks, it’s not easy to predict where they may appear. So how should we deal with this?
Do What You Should Have Been Doing Anyway
Though supply chain attacks are likely to become more common, we see remarkably few. You know what we see a lot more of? We see a lot more malware distributed through untrusted, third-party sources.
The lesson here is not to stop visiting official sites. Instead, for ordinary users, the lesson is to minimize risk by avoiding software you don’t need. This has always been a good idea, and supply chain attacks don’t change that.
Likewise, it’s possible that you are in the unlucky reverse-lottery of people who download a malicious update. But you know what’s more likely? We’re far more likely to leave our devices unprotected if we don’t download updates.
So keep patching, and keep getting your favorite software from trusted sources. It’s also wise to consider whether you really need that app before installing it.
Perhaps one day these attacks will become much, much more widespread. But we should always put the risk of an attack in context, and move forward accordingly.
Dr. Martin Shelton is the principal researcher at Freedom of the Press Foundation, conducting user research on harassment of journalists and digital security education in J-schools.