A routine software update recently turned into what Kaspersky Labs is calling “one of the biggest supply chain incidents ever.”
More than a million people automatically downloaded an update from ASUS that allowed hackers to infiltrate their systems and encrypted data.
“A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility and then distributed it to users through official channels,” said Kaspersky.
This attack is part of the growing trend of supply chain attacks.
“Supply chain attacks, which exploit third-party services and software to compromise a final target, take many forms, including hijacking software updates and injecting malicious code into legitimate software,” says Symantec in their 2019 Internet Security Threat Report.
“Developers continued to be exploited as a source of supply chain attacks,” they say.
Attackers do this by stealing credentials for version control tools or by compromising third-party libraries that have been integrated into larger projects.
Symantec found that supply chain attacks were up 78 percent from the previous year.
Supply chain attacks can take several forms, including:
These types of attacks can occur over long stretches of time or instantaneously.
For example, a corrupt download of the popular PC utility CCleaner was downloaded more than 2.27 million times and hackers took six months to reveal the extent of their infiltration.
Meanwhile, Wired described the attack on NotPetya: “Within half an hour, Maersk employees were running down hallways, yelling to their colleagues to turn off computers or disconnect them from Maersk’s network before the malicious software could infect them, as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs.”
Supply chain attacks are admittedly challenging to defend against because they’re hard to detect compared to obvious attacks.
In other words, Costin Raiu, director of the global research and analysis team at Kaspersky, tells Consumer Reports that ASUS users likely didn’t think twice about it because “this appeared to be a legitimate software update.”
However, there are some steps you can take.
First, use reputable suppliers that have been verified within your industry. Supply chain managers and vendors must trust each other about the data in the systems.
Second, control access to this data. Security requirements should be set for each level of access. One of the ways hackers break in is through loose network protocols, open server infrastructures, and unsafe coding practices.
Finally, develop a program to assess the risk of your vendors and of your supply chain to determine appropriate security controls.
Make sure to audit these controls on a regular basis to help reduce the risk of a supply chain attack on your business.
