Kaspersky Labs unveils another supply-chain threat

While the security vendor has not revealed all the details just yet, a new cybersecurity incident demonstrates how dangerous it can be to focus too acutely on a single threat in the ecosystem.

This is the trend we’ve been seeing in recent months. The rhetoric is so narrowly directed towards China and alleged puppets of the Chinese Government that few are able to talk about anything else when security is raised as a topic. With this incident, Kaspersky Labs has demonstrated that threats are everywhere and that nefarious actors are completely impartial about whose weaknesses they exploit.

“A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels,” Kaspersky said in a blog entry.

The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, with Kaspersky estimating that one million users could be affected by the malware. Because the signature was genuine and the download came from the expected location, the usual update checks on the client offered no protection. The attack is similar to the 2017 CCleaner incident, a remarkably sophisticated attack.

In the CCleaner case, Chinese-speaking actors infiltrated the build environment of Piriform, the company responsible for developing CCleaner, a utility for removing unwanted files and invalid Windows Registry entries. Piriform appears to be an example of a company that believed itself too unimportant to be a target, but because its software is used by other companies, compromising it was a useful way to gain entry to them.

The malware was distributed to just over two million users, though at this stage it only profiled the infected machines. The first stage was used solely to identify 40 machines relevant to the second stage of the attack. The second stage was a similar targeting exercise, whittling the pool down to four, all of whom worked for high-profile tech companies and IT suppliers. Those four were delivered a tailored build of the ShadowPad malware, creating a backdoor into certain employees’ machines at high-profile companies.

In the ASUS case, the company has been informed and the compromised update has been dealt with. Details of this attack are very thin on the ground; although it has been verified by other security experts, Kaspersky Labs is waiting for the next big cybersecurity conference to publish the full paper.
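The reason the ASUS case is instructive is that a valid vendor signature on an update proves only that the vendor’s signing pipeline produced it, not that the vendor intended to ship it. The script below is an added illustration (not ASUS’s, Kaspersky’s or Piriform’s code) of the check a client can add: accept an update only if it carries a valid build signature and its hash appears in a release manifest signed with a second key kept apart from the build pipeline. HMAC-SHA256 with separate secrets stands in for certificate signatures so the script runs offline; the key names, file contents and manifest format are constructed for the example.

```python
"""Update acceptance policy: 'any validly signed binary' versus 'validly signed
AND listed in an independently signed release manifest'.

Added illustration, not vendor code. HMAC-SHA256 with per-key secrets stands in
for certificate signatures so this runs offline; all keys, file names and
contents below are constructed for the example.
"""
import hashlib
import hmac
import json

# Constructed keys. In a real pipeline these would be code-signing certificates;
# the point is that the manifest key is held apart from the build/release pipeline.
BUILD_SIGNING_KEY = b"vendor-build-signing-key"        # used by the build pipeline
MANIFEST_SIGNING_KEY = b"vendor-release-manifest-key"  # kept offline, used per release


def sign(key: bytes, data: bytes) -> str:
    """Stand-in for producing a signature over data with the given key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, sig: str) -> bool:
    """Constant-time signature check."""
    return hmac.compare_digest(sign(key, data), sig)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(version: str, files: dict) -> tuple:
    """Build a release manifest {filename: sha256} and sign it with the manifest key."""
    body = json.dumps(
        {"version": version, "files": {n: sha256(b) for n, b in files.items()}},
        sort_keys=True,
    ).encode()
    return body, sign(MANIFEST_SIGNING_KEY, body)


def weak_accept(binary: bytes, sig: str) -> bool:
    """Policy 1: accept anything carrying a valid build-pipeline signature."""
    return verify(BUILD_SIGNING_KEY, binary, sig)


def hardened_accept(name: str, binary: bytes, sig: str,
                    manifest: bytes, manifest_sig: str) -> bool:
    """Policy 2: valid build signature AND hash listed in a manifest signed by the separate key."""
    if not verify(BUILD_SIGNING_KEY, binary, sig):
        return False
    if not verify(MANIFEST_SIGNING_KEY, manifest, manifest_sig):
        return False
    expected = json.loads(manifest)["files"].get(name)
    return expected is not None and hmac.compare_digest(expected, sha256(binary))


# Constructed sample artefacts (hypothetical file name and contents).
UPDATER_NAME = "liveupdate_setup.bin"
GENUINE = b"genuine updater build\n"
TROJAN = GENUINE + b"\x90\x90 hidden backdoor stage appended by attacker\n"

MANIFEST, MANIFEST_SIG = make_manifest("example-release", {UPDATER_NAME: GENUINE})
GENUINE_SIG = sign(BUILD_SIGNING_KEY, GENUINE)
# The attacker has reached the build/signing pipeline, so the trojan also gets a
# legitimate build signature, exactly as in the ASUS case.
TROJAN_SIG = sign(BUILD_SIGNING_KEY, TROJAN)


def evaluate() -> dict:
    """Run both policies over the genuine and trojanized builds."""
    return {
        "weak_genuine": weak_accept(GENUINE, GENUINE_SIG),
        "weak_trojan": weak_accept(TROJAN, TROJAN_SIG),
        "hardened_genuine": hardened_accept(UPDATER_NAME, GENUINE, GENUINE_SIG,
                                            MANIFEST, MANIFEST_SIG),
        "hardened_trojan": hardened_accept(UPDATER_NAME, TROJAN, TROJAN_SIG,
                                           MANIFEST, MANIFEST_SIG),
    }


if __name__ == "__main__":
    for policy, ok in evaluate().items():
        print(f"{policy}: {'accepted' if ok else 'rejected'}")
```

The weak policy accepts the trojanized build because its signature really is valid; the hardened policy rejects it because its hash is not in the manifest. This only helps if the manifest key genuinely lives outside the pipeline the attacker reached, which is the assumption the example makes.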

This does validate the European approach to dealing with the threat of espionage in the 5G era. A culture of impartial suspicion is the most logical and reasoned approach to risk management.

While some have been quick to ban Huawei and other Chinese vendors from infrastructure deployment, it does not solve the problem. It is a way to appease the masses, giving politicians a chance to point at the bans and promise safety.

Of course, the governments that have banned Huawei will still be on the lookout for nefarious actors, but the bans simply create a false sense of security for those who are not suitably educated in the dangers of the digital economy, which is, effectively, the majority of society.

In the ASUS and CCleaner incidents, hackers attacked innocent organizations which many people would never consider a risk. The aim was to penetrate the supply chain somewhere suspicion wouldn’t be aroused, allowing the threat to climb through the virtual maze and find the desired target.

“Supply chain risk is one of the biggest challenges in cyber today. Tech companies issuing remote patching and remote updates to customers are increasingly targeted because of their broad, trusted relationships with their customers,” said Jake Olcott, VP Government Affairs at BitSight. “Companies must conduct more rigorous diligence and continuously monitor these critical vendors in order to get a better handle on this risk.”

The approach to security across Europe seems to be taking these risks into account. Yes, China remains under scrutiny, but by extending the concept of risk across the whole ecosystem, threats are being mitigated everywhere. It is very easy to blame a single company or country, but it is not the most sensible approach to take.

Supply chains in the digital ecosystem are incredibly complex, bringing in vendors of every kind. Some of these will be from Asian countries and some will be SMEs in South Dakota, and the strength of their own security procedures will be just as varied. It only takes one weak link to compromise the entire chain.

Security discussion needs to be bigger than Huawei – Vodafone UK CTO

Huawei is an obvious risk when you are assessing the vendor landscape, but to ensure supply chain resilience and integrity, focusing too narrowly on one company poses a bigger risk, according to Vodafone.

It might be easy to point the finger at China, but according to Vodafone UK CTO Scott Petty, this is a dangerous position to take. Despite a lack of evidence to suggest backdoors are being built into Huawei products, the world is determined to find one. In reality, there isn’t a single company in the vendor ecosystem that can justifiably claim to be 100% secure. This is the world we are living in; risk is everywhere.

“The discussion about Huawei is all managing the risk appropriately,” Petty said at a briefing in Central London.

Risk is a big topic at Vodafone UK right now, and this is clear when you look at how the vendor ecosystem is being managed.

On the radio side of the network, of the 18,000 base stations Vodafone has around the country, Huawei equipment accounts for 32%, Nokia for 12%, with Ericsson taking the remainder. Interestingly enough, Nokia equipment is being phased out in favour of Ericsson. Transmission is split between Juniper, Cisco and Ciena, while Cisco is responsible for the core. With this blend of vendors, and appropriate security gateways between each layer of the network, Petty feels Vodafone is managing the risk very appropriately.

And while some might suggest this much exposure to Huawei is a negative, Petty argues the radio layer is such low risk that it shouldn’t dictate the decision. You have to take the risk/benefit equation into consideration.

When assessing risk, Vodafone (working with the National Cyber Security Centre) considers two possible scenarios: first, the risk of a nefarious actor leeching data from the network, and second, the risk of an actor taking the network down. On the radio side, the exposure to both is very low.

On the first scenario, Vodafone has 18,000 base stations throughout the UK. Should one of these base stations be compromised, only the traffic passing through that base station would be at risk. That is a fraction of the total: devices are handed off to other base stations as people move around, and the clear majority of internet traffic is encrypted nowadays. The likelihood of a nefarious actor trying to bleed valuable insight in this manner is low.

On the second, even if one of these base stations is taken down by an external attacker, it is only one of 18,000. To have a material impact on Vodafone’s network, hundreds or even thousands would have to be affected simultaneously. This is not inconceivable, but highly unlikely. As Petty mentioned, it’s all about evaluating and minimising risk.

This is where the discussion becomes incredibly complicated. Huawei is one of the leading names (if not the leader) in the radio segment, so ignoring such a vendor is a difficult decision to make as a technologist; you always want to use best in class.

For transmission, another area in which Huawei would be considered a leading name, the risk has been identified as medium. Traffic on these links is encrypted, so an attacker with access to the equipment would still need to break that encryption to read it, but Vodafone has nonetheless decided to steer clear of Chinese vendors here.

Finally, onto the core, the most important part of the network. Petty pointed to O2’s issues last year, where a faulty Ericsson node effectively killed the entire network for a day, to demonstrate the importance of this component. Cisco is the vendor here, which leads us to the dangers of such a narrow focus on security.

When looking for signs of a telco vendor’s equipment being used by a government for intelligence activities, there is arguably only one piece of concrete evidence to support such claims. It came from Edward Snowden, whose leaked documents showed the NSA intercepting Cisco equipment in transit and implanting surveillance firmware before it reached the customer. This is arguably why the US is so convinced China is spying on the rest of the world; the US government has done the same thing and therefore knows it is technologically possible.

We are of course not accusing Cisco of aiding the US government in this manner at this moment, but such is the sophistication and technical capability of today’s attackers that no company should consider itself 100% secure. Vendors have their own supply chains, which could be vulnerable at some point. The complexity of this ecosystem means nothing is 100% secure, so it comes down to risk assessment, and to the mitigation of risk through layers of security, gateways and encryption.

For Petty, the establishment of Huawei’s European cyber-security centre is a step in the right direction, though he would want the European Union to play an active role in its operations and for the net to be cast wider to cover all vendors. As mentioned before, too narrow a focus on one area heightens the risk in others.

However, the talk of a Huawei ban would be a disaster for everyone involved.

“We don’t think a complete Huawei ban would be a proportionate response,” said Helen Lamprell, Vodafone UK’s General Counsel & External Affairs Director.

If risk is appropriately managed and mitigated, business can continue as usual. Policy makers have to realise there is no such thing as 100% secure. A broad-sweeping ban on Huawei would be disastrous not only for Vodafone UK but for everyone in the connected economy.

Firstly, you have to think of the cost of removing all Huawei equipment. This would cost hundreds of millions of pounds and take a considerable amount of time. It would delay the introduction of 5G and fundamentally undermine the business case for ROI. It could set 5G back years in the UK, not only for Vodafone but for the whole industry.

The supply chain review is currently working its way through the red tape of UK government, and while certainty needs to arrive sooner rather than later, getting the review right matters more than speed.

The message from Vodafone this morning was relatively clear and simple; the Huawei risk can be managed, but an outright ban would be disastrous.