Kaspersky Labs unveils another supply-chain threat

While the security vendor has not revealed all the details just yet, a new cybersecurity incident demonstrates how dangerous it can be to focus too acutely on a single threat in the ecosystem.

This is the trend we have seen in recent months. The rhetoric has been directed so narrowly at China and alleged puppets of the Chinese Government that few are able to talk about anything else when security is raised as a topic. With this incident, Kaspersky Labs has demonstrated that threats are everywhere and that nefarious actors are entirely indifferent to nationality when choosing whom to exploit.

“A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels,” Kaspersky said in a blog entry.

The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and Kaspersky estimates that one million users could have received the malware. The attack is similar to the CCleaner incident, another remarkably sophisticated supply-chain compromise.
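The security-relevant point in the ASUS case is that a valid signature from the vendor's key and an official download location prove only who signed the file, not that it is the build the vendor intended to ship. The Python below is an added example, not code from the article, Kaspersky or ASUS. It assumes a simplified signing scheme (HMAC-SHA256 standing in for Authenticode) and uses constructed sample builds; it shows a trojanized build signed with the legitimate key passing the signature check and being caught only by an independently obtained allowlist of known-good hashes.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's code-signing key. A real update client
# checks an Authenticode (RSA/X.509) signature; HMAC-SHA256 is used here only so
# the example runs with the standard library. The point is the same: whoever
# holds the key can produce a valid signature over any bytes.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


def sign(payload: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """Stand-in for the vendor (or an attacker holding the vendor key) signing a build."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def signature_valid(payload: bytes, signature: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """Constant-time comparison of the expected and presented signature."""
    return hmac.compare_digest(sign(payload, key), signature)


def sha256_hex(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def verify_update(payload: bytes, signature: bytes, known_good_hashes: set) -> dict:
    """Two independent checks before an update is accepted.

    1. signed_by_vendor: the signature verifies under the vendor key.
    2. known_build: the file hash appears in an allowlist obtained through a
       channel the update server does not control (a clean reference install,
       a transparency log, or hashes published somewhere else entirely).
    A build that passes (1) but fails (2) has exactly the ShadowHammer shape:
    validly signed and officially hosted, but not a build the vendor meant to ship.
    """
    signed = signature_valid(payload, signature)
    known = sha256_hex(payload) in known_good_hashes
    return {
        "sha256": sha256_hex(payload),
        "signed_by_vendor": signed,
        "known_build": known,
        "accept": signed and known,
        # Signed but unknown deserves an incident ticket, not just a refusal.
        "alert": signed and not known,
    }


# Constructed sample inputs (not real ASUS binaries).
GENUINE_BUILD = b"ASUS Live Update Utility v1 (constructed sample bytes)"
TROJANIZED_BUILD = GENUINE_BUILD + b"\n[constructed backdoor stub]"

# Allowlist assumed to come from an independent source, so it lists only the genuine build.
KNOWN_GOOD_HASHES = {sha256_hex(GENUINE_BUILD)}


def demo() -> tuple:
    """Run both builds through the verifier; returns (genuine_result, trojanized_result)."""
    genuine = verify_update(GENUINE_BUILD, sign(GENUINE_BUILD), KNOWN_GOOD_HASHES)
    # The attacker signs with the legitimate key, as in the ASUS incident.
    trojan = verify_update(TROJANIZED_BUILD, sign(TROJANIZED_BUILD), KNOWN_GOOD_HASHES)
    return genuine, trojan


if __name__ == "__main__":
    for label, result in zip(("genuine", "trojanized"), demo()):
        print(label, result)
```

The caveat is the independence of the second source. If the attacker is inside the vendor's build pipeline, any hash list the vendor publishes through the same channel can be poisoned along with the binary, so the allowlist has to come from somewhere the attacker does not also control, and a "signed and official" build still warrants behavioural monitoring once installed.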

Here, Chinese-speaking actors infiltrated the build environment of Piriform, the company responsible for developing CCleaner, software used for cleaning potentially unwanted files and invalid Windows Registry entries. Piriform appears to have been an example of a company believing itself too unimportant to be a target, but because its software is used by other companies it was a useful way to gain entry to them.

The malware was distributed to just over two million users, though at this stage it only gathered information about the users and their machines. That first stage was used to identify 40 users who were relevant for the second stage of the attack. The second stage was a similar targeting step, whittling the pool down to four, all of whom worked for high-profile tech companies and IT suppliers. Those four were delivered a tailored build of the ShadowPad malware, creating a backdoor on the machines of certain employees of high-profile companies.

In the ASUS case, the company has been informed and the problem corrected. Details of the attack are still very thin on the ground; although other security experts have verified it, Kaspersky Labs is waiting for the next big cybersecurity conference to present the full paper.

This does validate the European approach to dealing with the threat of espionage in the 5G era. A culture of impartial suspicion is the most logical and reasoned approach to risk management.

While some have been quick to ban Huawei and other Chinese vendors from infrastructure deployment, it does not solve the problem. It is a way to appease the masses, giving politicians a chance to point at the bans and promise safety.

Of course, the governments that have banned Huawei will still be on the lookout for nefarious actors, but the bans simply create a false sense of security for those who are not suitably educated in the dangers of the digital economy, which is effectively the majority of society.

In the ASUS and CCleaner incidents, hackers attacked innocent organizations that many people would never consider a risk. The aim was to penetrate the supply chain at a point where suspicion would not be aroused, allowing the threat to move through the chain of trusted relationships until it reached the desired target.

“Supply chain risk is one of the biggest challenges in cyber today. Tech companies issuing remote patching and remote updates to customers are increasingly targeted because of their broad, trusted relationships with their customers,” said Jake Olcott, VP Government Affairs at BitSight. “Companies must conduct more rigorous diligence and continuously monitor these critical vendors in order to get a better handle on this risk.”

The approach to security across Europe seems to be taking into account these risks. Yes, China remains under scrutiny, but by escalating the concept of risk throughout the ecosystem, threats are being mitigated everywhere. It is very easy to blame a single company or country, but it is not the most sensible approach to take.

Supply chains in the digital ecosystem are incredibly complex, drawing in vendors of every kind. Some will be based in Asian countries and some will be SMEs in South Dakota, and the strength of their security procedures will vary just as widely. It only takes one weak link to compromise the entire chain.