According to an article published by security firm Kaspersky, the Taiwanese tech giant ASUS is believed to have pushed malware to hundreds of thousands of customers through its trusted automatic software update tool. Attackers compromised the company's update server and used it to deliver the malware to customer machines. ASUS appears to have been an unwitting participant: the malicious file was signed with legitimate ASUS digital certificates, making it look like an authentic software update from the company. The operation is a textbook supply chain attack.
A supply chain attack can be defined as one in which a malicious actor injects malicious code into a software product, whether in its source code, its build process or its update channel, without the software company being aware of the injection. There have been many examples of these attacks over the years, but perhaps the most infamous in recent memory was NotPetya in 2017, which spread through a compromised update of a legitimate accounting package. Attackers are drawn to this method because it has several advantages. The biggest is the difficulty of detection: the attacker backdoors legitimate, signed software, and most companies point their security teams at attacks arriving from outside rather than at the integrity of their own development and release pipeline. Further, companies are hesitant to report such attacks to the authorities because they fear the reputational damage that is bound to follow.
Researchers at Kaspersky estimate that half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware identified its targets by the MAC addresses of the machine's network adapters, which it compared against a hard-coded list of roughly 600 target addresses stored as hashes. If a machine matched one of the targeted addresses, the malware reached out to a command-and-control server operated by the attackers, which then installed additional malware on that machine; on every other machine the backdoor stayed dormant. Kaspersky discovered the attack in January of this year, after it added supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code, or code that hijacks the normal operation of a machine. A full technical paper is due to be released soon, but the firm has already released some technical details of the attack, which it is calling Operation ShadowHammer.
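The gating logic described above (enumerate the local MAC addresses, hash each one, and only act if the hash appears in a hard-coded target list) is also exactly what a defender needs in order to hunt for targeted machines once a list of target hashes has been published. The following is an added example written for this page, not Kaspersky's or ASUS's code. The target MACs and the `getmac` output are constructed for the demonstration, and the MAC normalisation format (lower-case, colon-separated) is an assumption: a real hunt must use the exact normalisation the published hash list was built with, or nothing will match.

```python
"""Hunt for MAC addresses whose hash appears in a list of target hashes.

Added example for this article; not code from Kaspersky or ASUS.
The normalisation format below is an assumption, not the one used by the
real ShadowHammer implant or by any published checker.
"""
import csv
import hashlib
import io
import re
from typing import Iterable, List, Set


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC address to 'aa:bb:cc:dd:ee:ff'.

    Accepts '00-1A-2B-3C-4D-5E', '00:1a:2b:3c:4d:5e' or '001A2B3C4D5E'.
    Raises ValueError for anything that is not 12 hex digits.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def mac_hash(mac: str) -> str:
    """MD5 of the normalised MAC; the target list stores hashes, not MACs."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def parse_getmac_csv(text: str) -> List[str]:
    """Extract MAC addresses from `getmac /fo csv /nh` output on Windows.

    Lines for disconnected or virtual adapters contain 'N/A' instead of a
    MAC and are skipped rather than treated as an error.
    """
    macs: List[str] = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        try:
            macs.append(normalize_mac(row[0]))
        except ValueError:
            continue
    return macs


def find_targeted(local_macs: Iterable[str], target_hashes: Set[str]) -> List[str]:
    """Return the local MACs whose hash is in the target list.

    This is the check the implant performed before contacting its C2; run
    against a published hash list it tells a defender whether a given host
    was one of the few hundred real targets or just a carrier.
    """
    return [m for m in local_macs if mac_hash(m) in target_hashes]


# Constructed target list for the demo (in reality ~600 hashes from the report).
DEMO_TARGET_HASHES: Set[str] = {
    mac_hash("00:1a:2b:3c:4d:5e"),
    mac_hash("08:00:27:ab:cd:ef"),
}

# Constructed `getmac /fo csv /nh` output: one targeted adapter, one
# disconnected adapter, one unrelated adapter.
DEMO_GETMAC_OUTPUT = r'''"00-1A-2B-3C-4D-5E","\Device\Tcpip_{9B1C2D3E-0000-4000-8000-000000000001}"
"N/A","Media disconnected"
"52-54-00-12-34-56","\Device\Tcpip_{9B1C2D3E-0000-4000-8000-000000000002}"
'''


def scan_host(getmac_output: str, target_hashes: Set[str]) -> List[str]:
    """Parse getmac output and report any MACs on the target list."""
    return find_targeted(parse_getmac_csv(getmac_output), target_hashes)


if __name__ == "__main__":
    hits = scan_host(DEMO_GETMAC_OUTPUT, DEMO_TARGET_HASHES)
    print("targeted adapters:", hits or "none")
```

On a live Windows host the constructed `DEMO_GETMAC_OUTPUT` would be replaced by the real output of `getmac /fo csv /nh`, and `DEMO_TARGET_HASHES` by the published list. Because only hashes are distributed, a defender can check a fleet without the target MACs themselves ever leaving the researchers who hold them, which is the same property that let the implant carry its target list inside a binary shipped to half a million machines.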
Just who is behind the attack is still up for debate; however, even at this early stage of the investigation, Kaspersky believes it may be the work of the APT group Barium. According to Kaspersky,
“Although precise attribution is not available at the moment, certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM. BARIUM is an APT actor known to be using the Winnti backdoor. Recently, our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved, that we believe is connected to this case as well.”
According to the court documents mentioned in the above quote, Barium, also referred to as Axiom, is accused of breaking into Microsoft accounts in order to steal sensitive and confidential information. Further, the group's current modus operandi is believed to include,
“…attacking companies in the online video game industry since 2009 and is currently still active. The group's objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.”
Breaking the Chain
This announcement further highlights the problem that supply chain attacks pose for software producers and users alike. Last year US authorities set up a task force to examine and combat the issue. One of the issues it needs to address is how attractive a target vendor software is for groups of skilled attackers. Most defensive attention currently goes to detecting malicious code once it has been injected, yet vendor software updates remain an ideal way for attackers to deliver malware to systems after they have been sold, because customers implicitly trust vendor updates, especially when they are signed with the vendor's legitimate digital certificate. A valid signature proves only that the signing key was used, not that the signed file is benign. In the ASUS case the attackers used two different legitimate ASUS certificates to sign their malware: the first expired in mid-2018, so they simply switched to a second, still-valid ASUS certificate.
Such attacks are on the rise. Symantec's latest Internet Security Threat Report revealed a surge in supply chain attacks in 2018: the number observed last year was 78% higher than in the previous year, meaning that supply chain attacks nearly doubled. Many expect this trend to continue in 2019. The report further highlighted how APT groups intensified their activity in 2018 and diversified their targets. More groups focused on compromising operational computers to mount disruptive operations, a tactic the report credits the Dragonfly espionage group with pioneering and one adopted last year by groups such as Thrip and Chafer. With software vendors presenting such tempting targets, it is little wonder that such attacks are predicted to increase.
Defending against supply chain attacks is difficult, particularly for the end user of the maliciously manipulated software, who receives a properly signed update from a vendor they already trust. Ultimately users have to rely on software vendors and their ability to secure their code base and release infrastructure. DHS Under Secretary Christopher Krebs summarised the issue and the possible solution, stating,
“The current cyber threats facing government and industry require a more innovative and collaborative solution to managing risk. That is why these partnerships are so important, now more than ever. By bringing together some of the nation’s leading telecom companies and government agencies, we have a unique ability to confront today’s challenges by sharing information across government and industry in real-time and developing the ability to better plan for the risks of the future. I’m grateful to all of the members of the executive committee for coming together to confront these threats as one.”
It is to be hoped that these are not empty words meant merely to instil confidence.