Are Software Supply Chain Attacks Replacing Zero Day?

Software supply chain attacks may be replacing zero-day attacks as a method to evade your security. Zero-day attacks are still on the rise, but what if there was a better way to get malware into your systems. What if malware could be injected into your systems using normal approved software updates and evade all your expensive security?

In 2017, software supply chain attacks were reported every month versus only four times in 2016. 2018 will likely see an increase as criminals discover an easy way to evade your security. Here is how it works. Attackers, take advantage of your trusted supply chain to inject malware into your system during the update or install process, implanting malware in a legitimate software package. Over 50% of recently surveyed companies believe that the risk of a supply chain attack is either medium or high.

Inserting Malware Into the Software Supply Chain

Software supply chain attacks can be implanted in three ways: 1) at the software vendors location, 2) at a 3^rd party storage location, or 3) via a redirection of the download to a malicious site instead of the vendors servers. This can be implanted with the initial install or via a software update. Either way, it is hard to catch since this is a legitimate software package and is actively downloaded by the user.

Typical Software Supply Chain Attack Targets

Altering commonly used software (like CRMs or office software) gives the attackers access to many companies and then they can target the companies they want from that group. Targeting vertical or specialty software can by its very nature provide attackers with targeted attacks on industries, manufacturing or financial departments.

• Internal Software running on office computers, servers
• 3^rd party cloud-based software-as-a-service (SaaS) products
• Office applications, financial, HR, Sales
• Industrial supply chain software and systems
• IoT devices – IoT devices typically update themselves automatically. What an easy way to alter software and not be notices.

Why Are Software Update Supply Chain Attacks Used?

• Supply chain attacks remove the need to develop new methods for getting malware into a company’s network
• Can be used to penetrate well protected systems because it Leverages a trusted channel
• Fast delivery of malware
• Can deliver malware laterally in your network
• Can be used to target specific customers or departments
• Difficult to detect
• May provide attacker with elevated system login privaleges

Recent Examples of Software Supply Chain Attacks Seen in the Wild?

• 12-2018: WordPress plugins used to install backdoors
• 10-2017: Elmedia Player for Mac OS X bundled with malware
• 8-2017: A signed update for CCleaner (a popular PC utility) was used to download and distribute a multi-layer APT attack targeting certain company’s networks. Note that any PC using CCleaner doing an update could have been infected, but in this case the attackers chose a targeted attack. If this had been a ransomware attack, it would have cost hundreds of thousands of dollars to recover the data.
• 7-2017: ePria pharmacy software installs backdoor Trojan
• 6-2017: E.Doc updated used to distribute Petya/NotPetya ransomware

Software Supply Chain Risk Reduction Solutions

Even though these types of attacks leverage the trust we have in our approved software and products, that does not mean that we cannot prevent, detect and respond to attacks. Here are some ideas.

Prevention – How to prevent malware laden updates from downloading, updating or executing

• NextGen endpoint (EP) and gateway security (including AI solutions, pre-execution of files, file reputation, DNS security)
• Strong integrated security (EP+Gateway+Network). Solutions that share threat information
• Security Training to recognize abnormal behavior and report it
• Data Backup & DR solutions – Backup frequently and before major releases for quick restore
• Patch management platforms and services that attempt to ensure that patches are safe
• Prevent malicious updates from being downloaded:
  • Do controlled downloads to a single computer on an isolated network at least for major releases
  • New update release throttling (delay deployment – let others find bad releases) – disable auto updates
  • Make sure that downloads are signed
  • Make sure that downloads are from trusted domains

Monitoring & Detection – Look for abnormal behavior at the EP or Network level

• EP Behavior Monitoring
• AI Network Monitoring (North-South, East-West) (ala Darktrace)
• SIEMs – Correlate information looking for threats

3^rd Party Software Vendor Management

• Source software from larger companies with larger security staffs and better QA
• Ask for and review 3^rd party software’s policies for access control, data modification, storage, and communication security

Use a CASB

• Limit use of unapproved applications (shadow apps) to remove unknown or unapproved apps and their updates from your system

Ultimately it comes down to trust and whether you can really trust anything anymore. Better to not trust, and live to see another day.

Contact Us – eSecurity Solutions can help you secure your business and to ready your company for the California Consumer Privacy Act

• Assess your risks, prioritize your security gaps and define a compliance level cyber security strategy
• Define an Adaptive Ecosystem security strategy
• Become regulation compliant
• Implement and Manage your security

Resources:

1. Symantec 2018 ISTR Report
2. Crowdstrike Securing the Supply Chain Report – July 2018