Microsoft Annual Security Report Highlights Surge in Supply Chain Attacks
The newly released Microsoft Security Intelligence Report revealed that over the past few years, the increased number of supply chain attacks had become a primary source of concern in many IT departments.
The Microsoft Security Intelligence Report Volume 24found that several cyberattacks were detected using compromised software supply chains in 2018. These supply chain attacks, Microsoft said, have affected a wide range of software and targeted organizations in different geographic locations and sectors.
The Microsoft report compiled 6.5 trillion threat signals and was based on research and real-world experiences from thousands of security researchers and responders worldwide for the period of January 2018 to December 2018.
What Is Supply Chain Attack?
In a supply chain attack, an attacker maliciously makes changes to the development or update process of a legitimate software publisher. If successful, the attacker can incorporate the malicious component into the legitimate software and get this distributed to the software’s userbase.
Detecting a compromised software is often difficult as it’s often signed and certified by the software vendor and on its face value may give no indication that something is wrong.
The Petya ransomware outbreak in June 2017 is an example of a supply chain attack. According to Microsoft, the first infections of the Petya ransomware outbreak was first observed on June 27, 2017 in Ukraine, where more than 12,500 computers were infected. The infection then spread to other 64 countries, including the U.S., Belgium, Brazil, Germany and Russia.
Microsoft traced the initial infections of the June 2017 Petya ransomware version to the legitimate updater process of MEDoc, a popular tax accounting software in Ukraine. Microsoft said MEDoc’s update (EzVit.exe) executed a malicious command-line matching the exact Petya, also known as NotPetya, attack pattern on June 27 around 10:30 a.m. GMT.
The CCleaner malware in September 2017 is another example of a supply chain attack. CCleaner is a software that’s designed to delete unwanted files from a computer. On September 18, 2017, Piriform, the company behind CCleaner, acknowledged that 2 versions of its software were illegally modified before they were released to the public.
According to Piriform, the malicious code inserted by the attacker or attackers collects information about the victim’s computer, including list of installed software, whether the process is running with administrator privileges or whether it’s a 64-bit system or not. Piriform added that the harvested information was encrypted and sent to an external IP address, apparently controlled by the attackers.
The compromise of VestaCP, a hosting control panel solution, in late 2018 is another example of a supply chain attack. According to VestaCP, its infrastructure server was hacked enabling the attacker or attackers to change all installation scripts and in the process harvesting admin passwords of the servers of VestaCP’s userbase. The attackers then used the compromised servers of VestaCP’s userbase to launch distributed denial-of-service (DDoS) attacks.
Beyond Software Supply Chain Attack
Unsecured cloud objects, cloud services and cloud infrastructure can be unexpected entry points of cyberattacks. “The ability of supply chain attacks to undermine trust is amplified and made even more complex in the cloud,” Microsoft in its Security Intelligence Report Volume 24 said.
The collective 17 malicious container images stored on Docker Hub as reported by Kromtech Security Centerin June 2018 is an example of a supply chain attack in the cloud. Kromtech said these 17 malicious container images, which contained malicious code that secretly installs a software that mines the cryptocurrency Monero on the victims’ computers, were downloaded more than 5 million times and used by unsuspecting administrators and users, earning the attacker or attackers 544.74 Monero, which was valued at US$ 90,000 at the time of the report of Kromtech.
Docker Hub is a cloud-based repository service provided by Docker for finding and sharing container images. As defined by Docker, container image is “a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.”
The breached of StatCounter, a leading web analytics platform, in November 2018 is another example of a supply chain attack in the cloud. StatCounter offers a service similar to Google Analytics, allowing webmasters to gather statistics on their visitors. On its website, StatCountersaid it has more than 2 million member sites and it computes stats on more than 10 billion page views per month.
In gathering statistics on their site visitors, webmasters add an external JavaScript tag incorporating a piece of code from StatCounter into each webpage. ESETreported that on November 3, 2018 an attacker or attackers compromised the script in StatCounter, which then allowed attackers to inject a malicious script in websites that use StatCounter.
The malicious code incorporated by the attackers on StatCounter hijacks any Bitcoin transactions made through the web interface of the cryptocurrency exchange Gate.io. The malicious code, in particular, automatically replaces the destination Bitcoin address with an address belonging to the attackers.
Cybersecurity Best Practices
There’s no single solution for supply chain attacks, whether software-based or cloud-based attacks. According to Microsoft, organizations need to “build preventative protection and post-breach detection of supply chain attacks from compromised hardware and software suppliers, vendors and acquisitions, open source software suppliers, as well as cloud services and infrastructure suppliers.”
Need help security your infrastructure and data?
Our IT and security experts are a phone call away. Call today (416) 920-3000 or get more details.