Most of us trust software makers to update their products with new functionality or security fixes, but have you ever considered that one of those updates could one day compromise your entire digital life? Well, hackers have.
Online banking trojans that steal credentials from users' computers used to be all the rage in the cybercriminal world a decade ago, but then banks implemented two-factor authentication schemes and many attackers now prefer to hack into financial institutions directly. Similarly, attackers used to inject software exploits into popular websites, but after software developers added anti-exploit technologies to their applications, hackers started attacking developers directly.
Attackers always try to choose the path of least resistance, but if that gets blocked, they adapt and find the next best way to reach their goal, even if it takes a bit more effort. It seems that we're now entering the age of software supply chain attacks, a dangerous threat that takes advantage of the inherent trust between computer users and their software providers. And it's not an easy problem to fix.
Supply chain attacks can happen when hackers gain access to a software company's infrastructure—development environment, build servers, update servers, etc.—and are able to inject malware into new software releases or security updates. This results in users downloading malware through the company's official software distribution channels, which they've come to trust.
Supply chain attacks are not a new idea and security experts have long warned about the possibility of software getting compromised before being delivered to customers by vendors or their partners. But while there have been examples of such attacks over the years, ranging from simple replacement of downloads on compromised vendor websites to sophisticated cyberespionage operations, the incidents have remained fairly isolated; until now.
This year there've been at least five high-profile cases where hackers broke into the IT infrastructure of software providers and added malware to programs trusted by large numbers of users. Security experts agree that it's a growing trend that culminated recently with an attack that resulted in infected versions of CCleaner—a Windows system optimization tool—being delivered to over 2.2 million users.
It's true that many software supply chain compromises so far, including the recent CCleaner incident, have targeted corporations and were likely perpetrated by sophisticated cyberespionage groups with possible ties to nation states. But there were plenty of attacks that have affected consumers as well and which fit nicely into the supply chain category.
How do supply chain attacks happen?
There are many points of a supply chain that attackers can target. For example, the US National Security Agency reportedly engages in physical attacks called supply chain interdiction that involve intercepting legitimate shipments of computers or other devices, inserting backdoors into them, and delivering them to the intended recipients. This is done without the knowledge of the device manufacturers.
Like in the CCleaner case, attackers can also break into the development infrastructure of software vendors and add their malicious code to applications before they're compiled and released to the public. These breaches usually involve compromising an employee's computer through spear-phishing—targeted email-based attacks—or some other method and then moving laterally through the internal network from system to system, exploiting vulnerabilities and collecting credentials until access is gained to critical systems.
Pre-software-release compromises are very dangerous because the resulting packages are signed with their creator's digital identity and can bypass application whitelisting technologies. It's almost impossible to tell that something's wrong with them, at least for regular users.
A simpler supply chain attack is when attackers only manage to compromise the Internet accessible web servers that a vendor uses to distribute software updates or new releases. In this case they can only replace the legitimate files with modified ones that contain malware. Such modifications are theoretically detectable because they break digital signatures—if those programs are digitally signed. But there are plenty of programs out there that don't validate their own updates by checking digital signatures.
In February, Microsoft reported a supply chain attack against technology and financial organizations where attackers compromised the update servers for an unnamed third-party editing tool. The hackers used their access to deliver an unsigned malware executable as an update for the tool, which the program then downloaded and executed.
Not all programs download their updates as stand-alone files, Michael Gorelik, vice-president of research and development at security firm Morphisec, told me. Some updates are delivered as chunks of code that are loaded and executed by applications directly in memory and that code is not typically signed, he said.
There are also many applications that don't receive their updates over secure encrypted channels like HTTPS. This exposes them to man-in-the-middle attacks. Hackers in a position to intercept internet traffic between users' computers and the update servers for such apps—for example over insecure Wi-Fi networks or through compromised routers—can simply send malicious updates to those computers without needing to compromise the vendor's servers. This is another reason why it's important for software to validate updates by checking digital signatures.
There are also supply chain attacks that happen with the knowledge of software developers, or at least the developers who control the software at a particular point in time. Companies and software products are being bought and sold frequently and the changes in ownership are not always transparent to end users. There have been cases where the new owners of an application decided to include malware or adware in new versions.
In 2014, before Google tightened its rules for Google Chrome extensions, there were several incidents where extensions were bought from their original developers for four-figure sums and were then modified to steal browsing data or display intrusive ads. A similar thing happened recently with a WordPress plug-in and even though WordPress is not a desktop application, the concept was the same.
Supply chain compromises can also happen through third-party code that developers decide to use in their projects. Modern applications contain numerous third-party libraries, frameworks and advertising SDKs (software development kits). If any of these components gets compromised, the malicious code could spread to thousands of other programs due to such integrations.
Security researchers from Check Point Software Technologies recently found around 50 malware-infected Android applications hosted on Google Play that had been downloaded millions of times. They determined that the malicious code was actually part of a third-party SDK that app developers had integrated into their apps.
There have also been cases where Android devices came with malicious applications preloaded in their firmware. This is a very potent type of supply chain attack because preinstalled applications often have system privileges and cannot be uninstalled by users or even antivirus programs running on the device. Mobile antivirus programs have the same privileges as regular apps, so they cannot remove system applications that were already part of the firmware.
There's no simple defense
"Supply chain attacks are almost impossible to detect by regular consumers because of their complexity," Bogdan Botezatu, a senior analyst at antivirus vendor Bitdefender, told me. "Depending on the security solution installed on the victim's machine, an attack could be stopped or not. Supply chain attacks that target hardware vendors though, are impossible to detect because malicious firmware can compromise the operating system or the locally installed security solutions."
Companies have more options to defend themselves because they can—and should—carefully choose the software vendors they decide to work with based on their security track record. Before signing contracts, they can ask suppliers to share the results of their periodic network security audits and can inquire about their internal security practices.
Many supply chain attacks use memory injection techniques where malicious code is directly loaded in the memory of compromised processes and doesn't create files or leave other digital traces on disks. Not all endpoint security solutions are equipped to detect such fileless malware threats, but there are some enterprise products that can. In general, companies have access to better security solutions and technologies than consumers.
Ultimately it is the software developers themselves that need to have strong internal auditing and code review practices in place in order to ensure that the products they release perform as originally intended, Botezatu said.
Developers are an attractive target
The rise in supply chain attacks is directly correlated with an increase in the number of attacks against developers and systems engineers because these individuals typically have credentials on their computers that can provide privileged access to the development and IT infrastructure of their employers.
In March, a group of hackers launched phishing attacks against developers with accounts on GitHub. The goal was to infect their computers with a malware program that could log keystrokes, take screenshots and interact with authentication smartcards attached to their computers.
In 2013, a group of hackers compromised a popular iOS development forum and injected an exploit for an unpatched Java vulnerability into its pages. The exploit infected visitors' computers with spying malware and affected developers from many large companies, including Twitter, Facebook and Apple.
Since supply chain attacks offer a very efficient way to bypass traditional defenses and compromise a large number of computers, more and more hackers are likely to adopt this attack method going forward. The recent CCleaner attack was used to deploy additional specialized malware on 40 computers belonging to 12 technology companies including Sony, Intel, VMware, Samsung and Asus. There's a possibility the hackers might have intended to further compromise those companies' networks and systems in order to execute additional supply chain attacks through their own products.
Some security researchers are convinced there are already other software programs out there—unrelated to the CCleaner hack—that have been compromised due to supply chain chain attacks, but which have yet to be discovered. This means malware might be running right now on users' computers thanks to a legitimate application or update they've downloaded from a trusted developer.
Welcome to the era of supply chain attacks.