Detection is better than cure: Seeing and preventing supply chain attacks

Supply chain attacks are popular with hackers, sophisticated and hard to detect. While household names have fallen prey, any business can act to stay safer.

Share article

evolution of supply chain attacks

Supply chain attacks represent something of a sea change among hackers. They’re not new, but they’re fast becoming more common, and evolving to evade detection.

These attacks involve implanting the part of a virus that executes an attack (the payload) into components like software, firmware and hardware. That payload becomes part of the finished product. Companies that sell these products become unwitting distributors. They stow away silently on customers’ computers or networks until something triggers their malicious processes.

Here, we focus on software supply chain attacks, but it’s worth a few words on the other two to understand the scale and scope of supply chain vulnerabilities.

Hardware supply chain attacks

Supply chain attacks on hardware are often crude and cheap. For example, implanting keyloggers in USB drives, capable of registering 8,000 pages of keystrokes, or inserting a microphone into Ethernet networking connectors (RJ45 plugs), stealing passwords and other sensitive data.

Firmware supply chain attacks

Hackers also tamper with firmware by embedding malicious code that enters customer devices. Boot firmware is often the target. By using the booting process, it only takes starting the hardware to execute the malware.

Software supply chain attacks

Hackers like software supply chain attacks because they only need to compromise one link in a long chain to smuggle malware everywhere. They can insert malicious code into software at several points during build, compilation, distribution and update. The increasing sophistication of enterprise software also increases the number of attack options.

Attacks can target the software’s source code, embedding malicious code in the build of a trusted app. Sometimes the code is embedded in an executable file with an infected compiler (a program that translates code from one language to another) or linker (a program that combines the data the compiler generates into one executable file). Another frequent target is software update mechanisms.

While genuine software developers often ‘sign’ their executables and scripts with a digital certificate to give their identity and confirm the code is unaltered, supply chain attacks often include stolen certificates that seem genuine.

Software developers dependent on open source code, usually smaller operators, are particularly vulnerable to supply chain attacks.

Significant supply chain attacks

Attacks that make their own a hit list

Some supply chain attacks have used highly sophisticated pre-attack planning to identify suitable targets.

Energetic Bear was one of the most significant attacks on critical infrastructure. It used an opening spear-phishing campaign to make a hit list of suppliers to target.

Ghost in the app-creating tool

Even Apple, famous for its virus resistance, fell victim to a supply chain attack. Hackers used Xcode, a tool for creating iOS and OS X apps, to smuggle malicious code into apps. Apple hosted these apps unwitting in its App Store.

While developers usually download Xcode safely from Apple, it’s also available on developer forums. Hackers embedded malicious code in these alternative sources. Researchers from Alibaba called these malicious variants ‘XcodeGhost.’ They contained just a few extra lines of code – hard to detect, but enough to penetrate.

Backdoor in popular server management software

The ShadowPad incident is one of the largest known and most sophisticated supply chain attacks. In 2017, Kaspersky researchers discovered a ‘backdoor’ (dubbed ShadowPad) planted in server management software used by hundreds of large businesses around the world. When activated, the backdoor lets attackers download further malicious modules or steal data.

In this case, hackers had signed the malicious code with a legitimate certificate. The pointer to the infected function was also hidden from the user’s view. The attackers had gained access not only to the certificates but also to the source code and build environment.

Researchers in Kaspersky’s Global Research and Analysis Team (GReAT) immediately notified the suppliers, NetSarang, who quickly pulled down the compromised software and replaced it with an earlier clean version. NetSarang proved that responding fast to cyberattacks makes a difference. Kaspersky and NetSarang found only one infected payload – an excellent result given the product’s popularity.

Cleaner attack goes right to the top

CCleaner is a hugely popular system cleaner, downloaded more than two billion times. After a supply chain attack in September 2017, infected software was downloaded two million times.

Hackers attacked through a tiny backdoor. They encrypted all strings, making them harder to detect. Like the ShadowPad attack, hackers signed their malicious code with legitimate digital certificates.

These hackers wanted to get right to the top. They included a function in determining if the user had admin privileges. The attack would only continue if the user had access to the company’s Command and Control function.

Because the attack was highly selective, the full infection was downloaded only onto 40 computers. But the CCleaner infection’s victims included some of the biggest names in enterprise tech – Samsung, Fujitsu, Intel, Sony and Asus. This made it one of the most damaging and effective supply chain attacks discovered.

Hammering through automatic update functions

evolution of supply chain attacks ghost
Kaspersky researchers discovered the Operation ShadowHammer attack in January 2019. We found a suspicious file signed with a legitimate digital certificate from Asus. While distributed from Asus’s official server, the files contained a sneaky backdoor.

Supply chain attacks often target automatic update functions. At first, hackers planted Operation ShadowHammer’s malicious code in Asus’s live updater tool, but the mode of attack evolved over time.

Operation ShadowHammer targeted more than 400 computers, with multiple unique backdoored samples.

Asus was not the only target. Since our first discovery, we’ve identified several other cases, including digitally signed examples, from three other software businesses.

Hackers signed backdoors with different certificates and chains of trust in each attack.

Detection is better than cure

Detecting supply chain attacks is nuanced work.

Sometimes attacks don’t directly manipulate original code, with updates downloaded and executed only in computing memory.

Games are among the most attractive supply chain attack targets. Here, it’s harder to know whether malware is part of the software’s original functionality. For example, anti-cheating and IP protection mechanisms can trigger behavior analysis logics.

Malicious code in supply chain attacks is only a tiny portion of code in an executable file. It’s like trying to find a polar bear in a snowstorm. This is made harder by the valid code-signing certificates that often accompany the malicious code.

How can businesses defend against supply chain attacks?

Suppliers are softer targets than finished product vendors, partly because the final package is more extensive and complex.

From one simple backdoor in a single supplier, cybercriminals can damage multiple larger targets.

So what can businesses do about it?

1.      Use the best cybersecurity software

Lightweight security solutions prioritize speed over rigor, leaving the risk of being fooled by supposedly legitimate code-signing certificates or mistaking suspicious files for false positives.

Dedicated cybersecurity solutions do it better. A proven, corporate-grade security solution is essential for spotting and catching advanced targeted attacks. These analyze anomalies and give cybersecurity teams full visibility over their network, with an automated response.

2.      Hire the right team, and the red team

Businesses should hire highly skilled information security personnel, including security specialists, SOC (security operation center) analysts and ‘red teams.’

Red teams are the Devil’s Advocate. They force businesses to re-think cognitive biases, breaking down the groupthink that stops organizations from looking critically at their processes.

3.      Use threat modeling during software development

During software development, companies must create a threat model for their development infrastructure to identify and eliminate risks in advance. Access models should apply the Principle of Least Privilege (PoLP) to restrict the risk of malicious access.

4.      Carefully manage supplier relationships

Build trust that goes beyond traditional assumptions.

5.      Invest in response

As we saw with NetSarang’s rapid response to the ShadowPad attack, businesses must invest in response as well as protection. If you don’t have internal capacity, involve an incident response team to investigate an incident or suspicious activity.

Article published in 2019.

Threat intelligent news

Subscribe to Kaspersky’s latest threat intelligence research and reports

About authors

Alexander is Kaspersky’s Head of Heuristic Detection and Vulnerability Research team, responsible for improving the detection of malware, vulnerability assessments and other strategies to combat cybercrime. Alexander also leads Security Development Lifecycle (SDL) implementation and malware auto-processing projects including Sandbox.

Boris Larin is a Senior Malware Analyst in Kaspersky’s Heuristic Detection and Vulnerability Research team where he detects exploits using antivirus technologies. For the last decade he’s been exploring his passion for reverse engineering to recreate different architectures and systems. He also authors educational resources for Kaspersky Academy and write about zero-day exploits and commonly exploited software for infosec magazine Securelist.