The age of the supply chain attack
When your partners are your weak point, who do you trust?
The age of the supply chain attack is well and truly upon us, as Google recently demonstrated. The search giant was forced to admit that attackers had managed to get malware pre-installed as a backdoor in the Android framework, with the result that the malware appeared to be officially trusted by Google.
"In the Google Play app context, installation meant that [the malware] didn't have to turn on installation from unknown sources and all app installs looked like they were from Google Play," explained Lukasz Siewierski, from the Android security and privacy team, in a blog post. "The apps were downloaded from the C&C server and the communication with the C&C was encrypted through the same custom encryption routine using double XOR and zip. The downloaded and installed apps used the package names of unpopular apps available on Google Play. They didn't have any relation to the apps on Google Play apart from the same package name."
The malware in question was Triada, which was pre-installed on budget Android devices back in 2017 via a supply chain compromise. Triada's main purpose was to install spam apps on the device that displayed ads, with Triada collecting the revenue.
Siewierski explained that the infections came about because OEMs want to include features that are not part of the Android Open Source Project, such as face unlock. The OEM might partner with a third party that can develop the desired feature and send the whole system image to that vendor for development. "Based on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada," he wrote.
Google finished up by recommending that OEMs ensure all third-party code is reviewed and can be tracked to its source, and that any functionality added to the system image should only support requested features. Finally, the Google researcher recommended the good security practice of performing a security review of the system image after third-party code has been added.
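The review Google recommends has a concrete, automatable core: know exactly what you sent the vendor, and diff it against what came back. The following Python is an added example (not code from the article, from Google or from any OEM) that hashes every file in the outgoing and returned image trees and flags anything modified, removed, or added beyond an allowlist of paths the requested feature is permitted to introduce. The directory layout, file contents and the `FaceUnlock.apk` allowlist are constructed for the demonstration; a real review would derive the allowlist from the statement of work and run this against the actual image contents.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large image files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def review_returned_image(before: dict, after: dict, expected_added: set) -> dict:
    """Compare the manifest of the image sent to the vendor with the returned one.

    expected_added is the set of paths the requested feature is allowed to
    introduce (an assumption here; a real review takes it from the statement
    of work). Anything else that is new, changed or missing is flagged.
    """
    added = sorted(set(after) - set(before))
    return {
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
        "removed": sorted(set(before) - set(after)),
        "expected_added": [p for p in added if p in expected_added],
        "unexpected_added": [p for p in added if p not in expected_added],
    }


def demo() -> dict:
    """Constructed scenario: a minimal image is sent out, and the returned copy
    contains the requested feature plus two changes nobody asked for."""
    with tempfile.TemporaryDirectory() as tmp:
        sent = Path(tmp) / "sent"
        returned = Path(tmp) / "returned"
        for root in (sent, returned):
            (root / "system" / "framework").mkdir(parents=True)
            (root / "system" / "framework" / "framework.jar").write_bytes(b"constructed framework bytes")
        # The vendor's legitimate deliverable: the requested face-unlock app.
        (returned / "system" / "app").mkdir()
        (returned / "system" / "app" / "FaceUnlock.apk").write_bytes(b"constructed feature apk")
        # Changes the OEM never requested: a modified framework and an extra privileged app.
        (returned / "system" / "framework" / "framework.jar").write_bytes(b"constructed framework bytes + extra")
        (returned / "system" / "priv-app").mkdir()
        (returned / "system" / "priv-app" / "Unrequested.apk").write_bytes(b"constructed unrequested apk")

        return review_returned_image(
            build_manifest(sent),
            build_manifest(returned),
            expected_added={"system/app/FaceUnlock.apk"},
        )


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The point of keeping the "sent" manifest is that the vendor cannot be the source of truth for what the image looked like before they touched it; the OEM records the hashes at hand-off, so a modified `framework.jar` or an extra app under `priv-app` shows up regardless of what the vendor reports.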
The tale will come as little comfort to the enterprises that trust large mobile manufacturers to maintain security, of course. Indeed, attacks via the supply chain have become something of a trend of late, with AV firm Carbon Black noting that at least half of the attacks it tracked in the last quarter leveraged "island hopping", where attackers attempt to compromise not only an individual network but its connected supply chain as well.
According to the firm's latest quarterly Global Incident Response Threat Report, the industries most targeted by island hopping are financial (47 per cent), manufacturing (42 per cent) and retail (32 per cent). The main reason organisations are vulnerable to island hopping is a lack of visibility, which 44 per cent of respondents named as the top barrier to incident response (IR), up from 10 per cent the previous quarter.
This supply chain trend has been emerging particularly strongly in 2019 and shows no sign of weakening through the year. This is partly down to the obvious economy of effort for attackers, but also to the increasingly connected nature of business. Although the term "supply chain attack" appears to imply that only large, supply chain dependent companies such as traditional manufacturers and logistics providers would be at risk, this is no longer the case. Most digital companies rely on third-party vendors to supply part of their website code, from ad serving to social, payment processing and provision of CDNs; the modern enterprise is highly connected to a broad digital supply chain.
Another recent example is the re-emergence of supply chain attack specialists Magecart, who Trend Micro warned in January 2019 were delivering enterprise attacks through a compromised advertising supply chain. At that point, Trend Micro had identified around 300 e-commerce websites providing ticketing, touring and flight booking services that had been infected with Magecart malware. The attackers have since broadened their operations to include high-volume media and entertainment websites that work with third-party advertising vendors.
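The web-side version of the same problem, where a third-party script served into your pages is changed upstream, has a standard browser-side control: Subresource Integrity (SRI), in which the page pins the hash of the script it reviewed and the browser refuses to execute a fetched copy whose bytes differ. The Python below is an added example (not code from the article, from Trend Micro or from any vendor) that produces SRI integrity tokens and checks fetched bytes against them the way a browser does, including the rule that when several algorithms are listed only the strongest one counts. The vendor script bytes, the appended content and the `vendor.example` URL are constructed placeholders.

```python
import base64
import hashlib

# SRI lets the page author pin a script's digest; when several algorithms are
# listed, the browser only considers the strongest one, mirroring the SRI spec.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Produce an integrity token such as 'sha384-<base64 digest>' for body."""
    if alg not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(value: str) -> dict:
    """Group the digests of an integrity attribute by algorithm, ignoring
    malformed tokens, unknown algorithms and any '?option' suffix."""
    by_alg = {}
    for token in value.split():
        alg, sep, rest = token.partition("-")
        alg = alg.lower()
        digest = rest.split("?", 1)[0]
        if sep and alg in STRENGTH and digest:
            by_alg.setdefault(alg, set()).add(digest)
    return by_alg


def verify(body: bytes, integrity: str) -> bool:
    """True if body matches one of the digests for the strongest algorithm listed."""
    by_alg = parse_integrity(integrity)
    if not by_alg:
        return False
    strongest = max(by_alg, key=STRENGTH.__getitem__)
    actual = sri_hash(body, strongest).split("-", 1)[1]
    return actual in by_alg[strongest]


# Constructed stand-ins for a vendor script as reviewed, and the same script
# after something was appended to it on the vendor's side.
VENDOR_SCRIPT = b"window.vendorTag = function () { /* constructed placeholder */ };\n"
TAMPERED_SCRIPT = VENDOR_SCRIPT + b"/* constructed: bytes appended after the hash was pinned */\n"
PINNED = sri_hash(VENDOR_SCRIPT)  # what the site would put in <script integrity="...">


def demo() -> dict:
    return {
        "clean_passes": verify(VENDOR_SCRIPT, PINNED),
        "tampered_fails": not verify(TAMPERED_SCRIPT, PINNED),
        # A matching sha256 entry does not rescue a resource whose sha384 entry mismatches.
        "strongest_wins": not verify(
            VENDOR_SCRIPT,
            sri_hash(VENDOR_SCRIPT, "sha256") + " " + sri_hash(TAMPERED_SCRIPT, "sha384"),
        ),
    }


if __name__ == "__main__":
    # Placeholder URL; the integrity attribute is what the browser enforces.
    print(f'<script src="https://vendor.example/tag.js" integrity="{PINNED}" crossorigin="anonymous"></script>')
    print(demo())
```

SRI only helps for scripts you can pin, which rules out ad tags that change on every deploy; for those, the same `verify` function can back a monitoring job that periodically fetches each third-party script and compares it with the last copy your team reviewed, so that an upstream change is at least noticed rather than silently executed on every visitor's browser.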
In short, the age of de facto enterprise trust seems to be under heavy threat, and is likely to remain that way. Taking a best-practice approach to your enterprise security might not solve the wider issue immediately, but should improve trust in the longer term. When did you last security test your corporate site? Join 40 million others and test it for free today!