Malware Takes Aim at the Supply Chain

Your company does everything right to protect itself from cyber attacks. You’ve got anti-malware installed, you protect your perimeter and your network and your workforce is educated on how to avoid threats. Life is good; you can sleep easy at night.

Then one day, an important productivity application needs to be updated — accounting software, let’s say. IT updates it in the same way it’s done it so many times in the past. No need to give it a second thought.

Then, boom! Your company gets infected by a nasty Trojan that was inserted by hackers into the update. You’ve just been victimized by one of the newest and most difficult threats to protect against — malware that infects businesses via a software supply chain attack. And you’re not alone. Symantec’s latest Internet Security Threat Report found there was at least one such attack every month in 2017, a 200 percent increase over the previous year.

The threat shows no sign of abating for a simple reason: It’s effective and difficult to combat. Candid Wueest, Principal Threat Researcher with Symantec's global security response team, says that it’s becoming increasingly popular because many companies have protected themselves so well against many attacks, including zero day exploits, and so malware writers are turning to more sophisticated methods. He explains, “This attack is very, very stealthy and difficult to detect until it’s running – and even then, you might not discover it.”

How Supply Chain Attacks Works

In software supply chain attacks, bad actors get access to a software company’s distribution system and replace a legitimate software update with a malicious version of it. Then, when the company’s customers update their software, their systems are infected with the attacker’s payload, such as a Trojan, ransomware or other malware.

The attacks are difficult to protect against because the update is for a trusted application with permissions to open network connections and execute downloaded binaries. It’s from a legitimate domain that may have been whitelisted. It can even have a valid digital certificate.

There were two big supply chain attacks in 2017. In June, in the Petya/NotPetya (Ransom.Petya) attack, a Ukrainian accounting software update was used to distribute a malicious payload, which primarily infected businesses in the Ukraine. In August, an update for the popular clean-up tool CCleaner was Trojanized and downloaded 2.27 million times. But there were other such attacks as well, not as well known.

How to Protect Your Company

So, what can a company do to protect itself against such a surreptitious threat? More than you might think. Wueest recommends that companies roll out updates in small batches instead of deploying them enterprise-wide. In that way, a malicious update will only infect a few machines before it’s discovered, and the threat can be minimized. Companies should consider first installing updates in safe sandboxes, so that the threat will be even more contained because it can’t escape from the sandbox before it’s detected.

Especially important, he says, is that companies make sure that their anti-malware software has built-in behavior-based protection — that is, the software doesn’t just check for known malware or specific executables, but that it examines how software behaves after it’s installed or updated. In that way, once the malware is installed by the software update, it will be quickly caught and the damage can be contained.

In some attacks, such as with CCleaner, a supply chain attack is a multi-tiered one. After companies install the update, it lets loose software which lets the attacker see which companies have been infected by examining all the IP addresses which have installed the software. The attacker then uses the software to deliver malicious payloads such as Trojans or ransomware to those enterprises in which they’re interested. That means, he says, that the real damage may not immediately follow the initial infected software update — all the more reason to have anti-malware that includes behavior-based protection built in.

Wueest believes that many software supply chain attacks go unreported because they’re limited to software niches. For example, he says they might target industrial control systems. It’s a way to jump the “air gap” — infect systems that aren’t connected to the Internet. Software updates on some control systems not connected to the Internet are done via plugging USB drives into them. Plugging in an infected update can infect non-Internet-connected systems.

That can be particularly problematic, because in some instances the IT security team is separate from the industrial security team, who may not be as well-versed in computer threats. So, he says that it’s best if companies unify their security teams, or at least have solid communications between them, to protect against these kinds of threats.

If companies follow all this advice, he says, even if they are infected, they won’t be harmed, because they’ll be able to quickly find out they’re under attack, and can then quickly clean up the infection.

“If you follow best practices, you may get compromised but you won’t lose any data,” he concludes.

If you found this information useful, you may also enjoy:

• 2018 Internet Security Threat Report
• NIST: Software Supply Chain Attacks