On June 27, 2017, a destructive payload dubbed “NotPetya” by researchers was deployed covertly through a legitimate software package used by organizations operating in Ukraine. The attack abused the mechanism that vendor uses to distribute updates to its customers. While this particular attack dominated the news cycle in June, the very same mechanism had been used to deploy other ransomware in mid-May. That earlier payload, too, encrypted systems after they received an update from the vendor, and it spread throughout Ukraine. Not long after, the threat was identified as “XData”; its private key was released on a forum with the terse message, “HERE IS PRIVATE.”
Since the subsequent NotPetya attack was capable of self-replication using exploits released by The Shadow Brokers, the XData attack may actually have been a test run that was ultimately judged unsuccessful, because it lacked the reach that a self-propagating attack built on the Shadow Brokers exploits would have. Attacks piggybacking on legitimate and accepted software packages are supply chain attacks, and they have been on the increase in recent months.
Much like social engineering, supply chain attacks exploit the trust relationship between a software (or hardware) vendor and its customers. They are often widespread, targeting the entire customer base of the trusted organization, and they are growing not only in frequency but also in sophistication. One recent attack combined supply-chain-style tactics with typosquatting. In mid-September, the Computer Security Incident Response Team Slovakia (SK-CSIRT) identified malicious software packages hiding in the Python Package Index (PyPI), a software repository used by Python developers around the globe to load shared code libraries. The attack appears to have been used for reconnaissance, collecting information about the system, user, and IP address of infected machines on which one of a handful of malicious packages had been installed. It depended on a developer mistyping a popular library name during installation: for example, the legitimate library urllib3 was spoofed as urllib. Once the misspelled package was installed, the attacker received information about that victim’s system and user.
Attacks leveraging supply chain tactics have been on the increase in 2017.
- In May, Handbrake, an open-source video conversion tool for Apple macOS, was backdoored to distribute a remote access toolkit called Proton.
- Also in May, XData was distributed through the update mechanism of a popular Ukrainian software company.
- In June, NotPetya was distributed through the same mechanism as XData.
- In August, the so-called “ShadowPad” attack unfolded as several NetSarang products were backdoored, allowing the attacker to deliver a malicious payload to their customers; this payload used a date-based Domain Generating Algorithm (DGA).
- In September, it was revealed that an adware-removal tool called CCleaner was backdoored with a malicious downloader that had possible links to China-based adversaries; this attack also used a date-based DGA.
- Also in September, Citrix confirmed publicly that several builds of Citrix NetScaler ADC and Citrix Gateway Management Interface contained authentication bypass vulnerabilities.
- Also in September, an unknown adversary delivered typosquatted malicious packages through PyPI.
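The PyPI typosquatting described above (the SK-CSIRT finding, and the September entry in the list) works because a package name one edit away from a real one, such as urllib for urllib3, is accepted by the installer without complaint. The following is an added example, not CrowdStrike tooling or part of the original post, of a pre-install check a build pipeline can run: it normalizes requested package names the way PyPI does (case-insensitive, with `-`, `_` and `.` treated as equivalent), accepts exact matches against an approved-package list, and flags any name that is within one insertion, deletion, substitution or adjacent transposition of an approved name. The allow-list, the threshold of one edit and the sample install request are all constructed for the example.

```python
"""Pre-install typosquat check for package names (added example; not
CrowdStrike's or PyPI's own tooling).

Flags requested package names that are not on an approved list but sit
within a small edit distance of one, the pattern behind urllib vs urllib3.
"""
from __future__ import annotations

import re

# Constructed allow-list for the example. A real deployment would load this
# from the organization's approved-package inventory.
KNOWN_PACKAGES = {
    "urllib3", "requests", "setuptools", "numpy", "cryptography",
    "python-dateutil", "pyyaml", "six",
}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -, _ and . become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, and
    swap of two adjacent characters each cost 1 (catches 'reqeusts')."""
    prev2: list[int] | None = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,          # delete ca
                         cur[j - 1] + 1,       # insert cb
                         prev[j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transpose
        prev2, prev = prev, cur
    return prev[len(b)]


def check_install_request(names, known=KNOWN_PACKAGES, max_distance=1):
    """Classify each requested name.

    Returns {requested_name: (verdict, approved_name)} where verdict is
    'ok' (exact match after normalization), 'suspicious' (within
    max_distance of an approved name) or 'unknown' (not close to any
    approved name; needs a human review rather than an automatic block).
    """
    known_norm = {normalize(k): k for k in known}
    report = {}
    for name in names:
        n = normalize(name)
        if n in known_norm:
            report[name] = ("ok", known_norm[n])
            continue
        nearest = min(known_norm, key=lambda k: edit_distance(n, k))
        if edit_distance(n, nearest) <= max_distance:
            report[name] = ("suspicious", known_norm[nearest])
        else:
            report[name] = ("unknown", None)
    return report


if __name__ == "__main__":
    # Constructed install request: two typosquat candidates, two legitimate
    # names (one with alternate casing/underscore), one unrelated package.
    request = ["urllib", "reqeusts", "numpy", "Python_Dateutil", "leftpad-clone"]
    for pkg, (verdict, match) in check_install_request(request).items():
        print(f"{pkg:18} {verdict:10} {match or ''}")
```

The check is deliberately conservative: a one-edit neighbour of an approved name is reported, and the developer is asked whether urllib3 was intended, rather than the installer silently fetching urllib. Very short names (three or four characters) produce more false positives at distance one, so an allow-list entry such as six should be reviewed by hand or given a stricter threshold; the check is a gate in front of the resolver, not a substitute for pinning dependencies with hashes.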
Numerous state actors from a variety of geographic locations have demonstrated the capability and intention to conduct such supply chain attacks. In 2014, the actor tracked by CrowdStrike as ENERGETIC BEAR demonstrated the ability to affect the supply chain of critical infrastructure by targeting several companies whose products would likely be used by the energy sector. In those attacks, the actor bundled their “Havex” malware into software installers provided by the vendors to their customers, resulting in remote access to sensitive systems.
In recent months, CrowdStrike Falcon Intelligence has identified potential overlap between some of the recent software supply chain attacks and Chinese nation-state adversaries. Since the beginning of 2017, Chinese threat actors have resumed their attacks against Western entities with what appears to be broader targeting and evidently matured tradecraft. As threat actors across the globe, whether ideologues, affiliates of national programs or financially motivated criminals, continue to mature, they will prey on the weakest link in the security chain. As recent events have demonstrated, that weak link may now be the software supply chain.
Supply chain attacks are not new; however, the frequency with which they are now taking place is cause for concern. Unfortunately, there is no easy answer for defending against these types of attacks. Organizations need to know which commercial and open source products they are using, and be aware of and prepared for attacks that use legitimate software as a vector. Anomaly-based detection on endpoints and comprehensive visibility are essential for assessing the impact of these attacks and potentially stopping them.
Learn more about a comprehensive approach to protecting your endpoints: CrowdStrike Falcon: The New Standard in Endpoint Protection.