Supply Chain Attacks Rely on Trusted Relationships
How often have you wanted to download an application to help you do your job only to find your computer is locked down by the IT team? Annoying as it may be, it enforces security. And for those of you allowed to download apps, a mantra often touted by the IT team sounds like this: “Only download trusted applications.” September saw another security incident when the widely trusted computer clean-up tool CCleaner appeared in the news because it had been used to deliver a malware payload.
CCleaner is a tool for consumers however Avast’s Threat Labs indicated in their blog from September 25, that the attack was intended to deliver an Advanced Persistent Threat (APT) attack to specific high-tech companies.
When trusted tools become a delivery mechanism for malware
On this occasion hackers managed to insert a backdoor into the updates to the application with a potential reach of millions of computers. The payload was designed to gather information about the computer such as name of computer, list of installed software, running processes, MAC addresses for the first three network adapters and if the computer had Administrator privileges. After information was gathered it was then instructed to do a call back to a command and control center (C&C). The next step was to trigger a second payload to potentially execute some malicious code to the hacker’s target. These types of supply chain attacks are becoming more and more frequent. Summer 2017 has seen a notable uptick with NotPetya using MeDoc, and Shadowpad using Netsarang. These types of attacks break all the models, they pass security checks and sometimes patching is the attack vector.
From an enterprise lens, breaches are not going away. This latest breach was actually discovered through a network monitoring system that identified odd communication at the application layer. Specifically, when the malware wanted to do a call back to the C&C. Without network traffic visibility this attack could have gone unmonitored for months. And with the increasing complexity of these attacks, Zero-days are much harder to defend by traditional means. Sometimes even trusted applications can be the downfall of security, and we must be ever vigilant in our monitoring to both protect businesses and consumers.
Click here to learn more about APCON’s network visibility and security solutions.