A new software supply chain attack uncovered by Windows
Defender Advanced Threat Protection (ATP) appeared as an
unusual multi-tier case. Unknown attackers
compromised the shared infrastructure in place between the
vendor of a PDF editor application and one of its software vendor
partners, making the app's legitimate installer the unwitting
carrier of a malicious payload. The attack seemed like just
another example of how cybercriminals can quietly introduce
malware through everyday, normal processes.
The attackers monetized the campaign using cryptocurrency
miners, going as far as using two variants, for good
measure, adding to a growing list of malware attacks that
install coin miners.
Our assessment, based on evidence from Windows Defender ATP, is that
the compromise was active between January and March 2018
but was very limited in nature. Windows Defender ATP detected
malicious activity on a handful of targeted computers. The
attack on these machines was automatically remediated by
Automated Investigation.
While the impact is small, the attack highlighted two threat
trends:
1) The increasing frequency of attacks that use software
supply chains as a threat vector.
2) The escalating use of cryptocurrency miners as the primary
means of monetizing malware campaigns.
This new supply chain attack did not appear to involve nation-
state attackers or other advanced attackers but appears to be
instigated by petty cybercriminals trying to profit from coin
mining using hijacked computing resources. This is evidence
that software supply chains are becoming a dangerous
area and a preferred point of entry even for common
cybercriminals.
Guidance for software vendors and developers
Software vendors and developers need to ensure they
produce secure as well as useful software and services. To do
that, we recommend:
Maintain a highly secure build and update
infrastructure.
1) Promptly apply security patches for the OS and
software.
2) Enforce mandatory integrity controls to ensure
only trusted tools run.
3) Require multi-factor authentication for admins.
Build secure software updaters as part of the
software development lifecycle.
1) Require SSL for update channels and implement
certificate pinning.
2) Sign everything, including configuration files,
scripts, XML files, and packages.
3) Check for digital signatures, and don't let the
software updater accept generic input and
commands.
Develop an incident response process for supply
chain attacks.
Disclose supply chain incidents and notify customers with
accurate and timely information.