Out-of-date software is probably the world’s most common security vulnerability. Cybercriminals are no different than enterprise users when it comes to scalability and efficiency. Enterprises continue to migrate services and applications to the cloud in order to service their globally dispersed users with a degree of scalability and efficiency that can only be garnered through cloud computing. Likewise, hackers are constantly seeking new ways to scale their attacks. By targeting the enterprise of a highly popular cloud vendor, for instance, an attacker could obtain access to some or all of their clients. In one case, a well-known hacker group compromised a healthcare services cloud vendor, stealing the patient records of some of their largest clients through VPN connections that lacked any substantial level of security protection.
So what if you could just infiltrate a single network and have an untold number of other enterprises readily download your malicious cold without any suspicion? Sound implausible, think again. Earlier this year, the highly popular system cleanup software, CCleaner, was infected by a supply-chain malware attack. Over a six-month period, hackers were able to infiltrate the network and eventually gain access to key servers. The attackers first obtained access to the site through a developer’s workstation that they then used to compromise the computer’s installed TeamViewer application. From there they installed keyloggers throughout the network in order to steal credentials and gain administrative privileges to key servers using RDP. They then replaced the genuine version of the software with a malicious one that was eventually downloaded by 2.3 million users.
It was not until a month after depositing the malware that researchers at Cisco Talos detected the malicious version of the software and notified the parent company, Avast. The malware was designed to work in two stages. The first set about collecting the information about the computers that downloaded the code such as the computer name, OS version, MAC address and active processes. Fortunately, the malware was found before the second stage could be implemented although it is unclear what its intention was. Considering that there have been over two billion downloads of CCleaner since its inception, the possible consequences could have been horrific.
This is not the first time hackers have gained leverage through a supply chain malware attack. Two months ago, protection researchers from multiple organizations published a full analysis of how hackers infiltrated the Ukrainian accounting software company Medoc, in order to inject malicious code into future software updates that were awaiting distribution. Medoc customers who make up approximately 80 percent of Ukrainian corporations then downloaded these updates. The downloaded code was then used months later to help initiate the NotPetya attack that disrupted Ukrainian utility companies and public corporations, before later extending its destruction across the globe.
Last year, Kaspersky Labs told Wired Magazine of two other examples in which malware was widely dispersed via software updates that included a financial software company as well as a manufacturer of ATM software. As early as 2012, a cyber-espionage malware strain called Flame that exploited a flaw in the company’s Terminal Services licensing Certificate Authority. Armed with fake certificates, infected machines in a targeted network could fool Windows PCs into accepting a malicious file as an update from Microsoft.
The irony of these types of malware delivery hacks is troubling since so many attacks today take advantage of computers, servers, and network devices that are not properly updated. Cybersecurity professionals continue to preach the importance of keeping all devices updated as one of the primary means of hardening devices. As a result, many users and administrators configure their devices to update automatically. Should the public begin to lose confidence in software updates, an even greater number of machines will lay vulnerable? This, in the end, may be the real goal of the hacker community.
Earlier this summer, the American Civil Liberties Union (ACLU) published a report entitled, “How Malicious Software Updates Endanger Everyone.” The report summarized how government agents may try to force software developers to create or install malicious code into software updates for legitimate applications. Said the ACLU,
“The likelihood is that government actors may attempt to force software makers to push out software updates that include malware designed to obtain data from targeted devices grows as more companies secure their users’ data with encryption.”
A case in point was the technical loophole that Apple recently closed that law enforcement routinely utilized to extract iPhone data. After refusing to help the FBI open a locked iPhone to aid the investigation of a mass killer, the FBI found an alternative by accessing the device through its charging and data port. Apple has closed this loophole by requiring the user password in order to access the port and transfer data. As a result, the issue of whether the government as a right to access one’s personal device is once again in the limelight. As companies close other technological loopholes, there will be increased pressure on law enforcement to find alternate vulnerabilities to exploit. There is a real risk that public trust in software updates will be lost, and systems will be updated less frequently because of exploitation by hackers.
As a final note, the easiest method to avoid downloading malware when updating your programs is to avoid automatic update options. Instead, enable them to notify you when an update is available, and then only download the update directly from the developer.
Sign-up for email updates...