On June 27, 2017, a destructive payload dubbed "NotPetya" by researchers was deployed covertly through a legitimate software package used by organizations operating in Ukraine. The attackers abused the mechanism by which that vendor distributes updates to its customers. While this attack dominated the June news cycle, the very same mechanism had been used to deploy other ransomware in mid-May: that earlier payload, the ransomware known as "XData," likewise encrypted systems once the vendor's update was received, and it too spread throughout Ukraine. Not long afterward, XData's private key was released on a forum with the terse message "HERE IS PRIVATE."
Because the later NotPetya attack could self-replicate using exploits released by The Shadow Brokers, the XData attack may have been a test run that was ultimately judged unsuccessful: it lacked the reach that a self-propagating attack built on the Shadow Brokers' exploits would have. Attacks that piggyback on legitimate, accepted software packages are supply chain attacks, and they have been on the increase in recent months.
Much like social engineering, supply chain attacks exploit the trust relationship between a software (or hardware) vendor and its customers. They are often widespread, since they target the trusted organization's entire customer base, and they are growing not only in frequency but also in sophistication. One recent attack combined supply-chain-style tactics with typosquatting. In mid-September, the Computer Security Incident Response Team Slovakia (SK-CSIRT) identified malicious packages hiding in the Python Package Index (PyPI), the repository that Python developers around the globe use to install shared code libraries. The attack appears to have been used for reconnaissance: each malicious package collected information about the system, user, and IP address of the machine on which it was installed. It depended on a developer mistyping a popular library name during installation; for example, the legitimate library urllib3 was spoofed as urllib. Once the misspelled package was installed, the attacker received information about the victim's system and user.
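As an added example (not code from the original post or from SK-CSIRT), the following Python checks the project names in a requirements file against a small list of well-known PyPI names and flags near-misses such as urllib for urllib3. The allow-list of known packages, the similarity cutoff and the sample requirements text are assumptions constructed for the example; a near-match is a signal to review before installing, not proof that a package is malicious.

```python
import difflib
import re

# Constructed allow-list of well-known PyPI project names. Assumption: a real
# check would load a curated list (e.g. the most-downloaded projects) instead.
KNOWN_PACKAGES = {
    "urllib3", "requests", "setuptools", "six", "pip", "numpy",
    "cryptography", "certifi", "idna", "chardet", "python-dateutil",
}

# Constructed sample requirements file containing two near-misses.
SAMPLE_REQUIREMENTS = """\
# constructed example, not a real project's requirements
requests>=2.18
urllib              # typo of urllib3
cryptograpy==2.1.4  # typo of cryptography
numpy
python_dateutil     # same project as python-dateutil after normalization
"""


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def typosquat_candidates(name, known=KNOWN_PACKAGES, cutoff=0.8):
    """Return known project names that `name` closely resembles without matching.

    An exact (normalized) match returns [] because the package is the real one.
    `cutoff` is the difflib similarity ratio (0..1) below which names are ignored.
    """
    target = normalize(name)
    by_normalized = {normalize(k): k for k in known}
    if target in by_normalized:
        return []
    close = difflib.get_close_matches(target, by_normalized, n=3, cutoff=cutoff)
    return [by_normalized[c] for c in close]


def scan_requirements(text):
    """Map each suspicious requirement name to the known names it resembles."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line or line.startswith("-"):    # skip blanks and pip options
            continue
        # Cut at the first extras/version/marker/URL character: "req[x]>=1" -> "req"
        pkg = re.split(r"[\[<>=!~;@ ]", line, maxsplit=1)[0]
        candidates = typosquat_candidates(pkg)
        if candidates:
            findings[pkg] = candidates
    return findings


if __name__ == "__main__":
    for pkg, like in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"review {pkg!r}: looks like {', '.join(like)}")
```

The PEP 503 normalization step matters: pip treats `python_dateutil` and `python-dateutil` as the same project, so a checker that compared raw strings would raise a false alarm on every legitimate spelling variant while still missing nothing that the normalized comparison catches.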
Attacks leveraging supply chain tactics have been on the increase throughout 2017:
- In May, HandBrake, an open-source video conversion tool for Apple macOS, was backdoored to distribute a remote access tool called Proton.
- Also in May, XData was distributed through the update mechanism of a popular Ukrainian software company.
- In June, NotPetya was distributed through the same mechanism as XData.
- In August, the so-called "ShadowPad" attack unfolded as several NetSarang products were backdoored, allowing the attacker to deliver a malicious payload to NetSarang's customers; this payload used a date-based Domain Generation Algorithm (DGA).
- In September, it was revealed that the popular system-cleaning utility CCleaner had been backdoored with a malicious downloader that had possible links to China-based adversaries; this attack also used a date-based DGA.
- Also in September, Citrix publicly confirmed that several builds of Citrix NetScaler ADC and Citrix Gateway Management Interface contained authentication bypass vulnerabilities.
- Again in September, an unknown adversary delivered typosquatted malicious packages through PyPI.
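The ShadowPad and CCleaner entries above both mention a date-based DGA. The practical consequence for defenders is that once the algorithm and its seed are recovered from a sample, every domain the implant will ever contact is predictable from the calendar, so the domains can be precomputed and blocked or sinkholed before the implant asks for them. The following added example (my own illustration, not code from the original post and not the ShadowPad or CCleaner algorithm) uses a hypothetical SHA-256 date-seeded generator; the seed constant, TLD list and DNS log line format are all constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical seed embedded in an imaginary implant. Assumption: this value is
# invented for the example and is not any real malware family's constant.
SEED = b"example-implant-seed"
TLDS = ("com", "net", "org")


def dga_domains(day_iso, count=3):
    """Hypothetical date-based DGA: derive `count` domains from an ISO date string."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day_iso.encode() + bytes([i])).digest()
        # First 12 digest bytes become a 12-letter label; byte 12 picks the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def precompute_blocklist(start_iso, days):
    """Defender side: every domain the DGA will use for `days` days starting at
    start_iso, mapped to the ISO date on which that domain is active."""
    start = date.fromisoformat(start_iso)
    blocklist = {}
    for offset in range(days):
        active = (start + timedelta(days=offset)).isoformat()
        for domain in dga_domains(active):
            blocklist[domain] = active
    return blocklist


def match_dns_log(lines, blocklist):
    """Flag queries in constructed DNS log lines ("<time> <client> <qname>") whose
    name is in the precomputed set; returns (client, qname, active_date) tuples."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].rstrip(".").lower()   # strip trailing dot of FQDN form
        if qname in blocklist:
            hits.append((parts[1], qname, blocklist[qname]))
    return hits


if __name__ == "__main__":
    block = precompute_blocklist("2017-08-14", 3)
    sample_log = [  # constructed DNS log lines
        "2017-08-15T10:00:01 10.0.0.5 " + dga_domains("2017-08-15")[0] + ".",
        "2017-08-15T10:00:02 10.0.0.6 example.com.",
    ]
    for client, qname, active in match_dns_log(sample_log, block):
        print(f"{client} queried DGA domain {qname} (active {active})")
```

Because the generator is a pure function of the date and the seed, the blocklist can be extended as far into the future as desired; the cost of the approach is that it only works after the sample has been reverse engineered, and a family that changes its seed in a new build invalidates the precomputed set.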
impact of these types of attacks and potentially stopping them.