ShadowHammer looks to be a trojan operation rather than an isolated attack
ASUS MAY HAVE BEEN LEFT feeling a bit silly after malware was sneaked onto its machines via a supply-chain attack dubbed ShadowHammer, but it turns out it wasn’t the only company affected.
Security firm Kaspersky, which discovered the initial ShadowHammer attack, found that at least six other organisations had been targeted by the cybercrims behind the supply-chain attack.
These companies are Asian firms, including the likes of game maker Electronics Extreme and South Korean firm Zepetto, which are not quite household names like Asus.
In the case of Asus, the attackers compromised the company's Live Update tool and planted a trojan inside it. Once running on a victim's laptop, the trojan connected to a command-and-control (C2) server, from which it received instructions to download and execute further malware payloads. The Asus sample only went that far on machines whose network adapter MAC address matched a hard-coded target list, which is part of why it sat unnoticed for so long.
Because the updater was trojanised on the supply-chain side, delivered through Asus's own update channel and signed with legitimate Asus code-signing certificates, it was hard to detect and block: a signature check alone waves it through.
A very similar supply-chain infiltration was found at the six other companies. The other malware samples were also signed with valid certificates, and they used a similar algorithm to calculate API function hashes as the Asus sample, the kind of shared implementation detail that lets analysts tie separate samples back to one toolkit.
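To show what "API function hashing" means and why a shared hashing routine links samples, here is an added example (not code from the ShadowHammer samples or from Kaspersky). The rotate-and-add routine is the classic "ROR13" scheme found in many shellcode toolkits, used purely as a representative algorithm; it is an assumption for the demo and is not claimed to be the routine in the ShadowHammer samples. The export list and the two "samples" are constructed.

```python
"""API hashing, as loader stubs use it to locate Windows API functions without
leaving readable import names in the binary, and how the hashing routine
doubles as a fingerprint for linking samples.

Added example, not ShadowHammer code. ROR13/ROR7 are assumed representative
routines; KERNEL32_EXPORTS is a constructed stand-in for an export table.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for a kernel32.dll export table (the real one is far larger).
KERNEL32_EXPORTS: List[str] = [
    "CreateFileA", "GetProcAddress", "LoadLibraryA", "VirtualAlloc",
    "WriteProcessMemory", "CreateRemoteThread", "WinExec", "ExitProcess",
]

def rotate_add_hash(name: str, rot: int) -> int:
    """32-bit 'rotate right by rot, then add the next byte' hash over the ASCII name."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> rot) | (h << (32 - rot))) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h

def ror13_hash(name: str) -> int:
    return rotate_add_hash(name, 13)

def ror7_hash(name: str) -> int:
    """Second variant: same scheme, different rotation, as a toolkit might tweak it."""
    return rotate_add_hash(name, 7)

# Hashing routines an analyst has catalogued (assumed set, for the demo).
KNOWN_HASHERS: Dict[str, Callable[[str], int]] = {"ror13": ror13_hash, "ror7": ror7_hash}

def resolve_by_hash(exports: List[str], hasher: Callable[[str], int], wanted: int) -> Optional[str]:
    """Malware side: walk the export table, hash each name, stop on a match.
    The binary carries only the 32-bit constant, never the API name string."""
    for name in exports:
        if hasher(name) == wanted:
            return name
    return None

def identify_hasher(sample_hashes: List[int], exports: List[str]) -> Optional[Tuple[str, Dict[int, str]]]:
    """Analyst side: given constants pulled out of a sample, try each known
    routine; the one that maps every constant onto a real export name is the
    routine the sample uses. Samples sharing a routine are worth comparing."""
    for algo, hasher in KNOWN_HASHERS.items():
        table = {hasher(n): n for n in exports}
        if sample_hashes and all(h in table for h in sample_hashes):
            return algo, {h: table[h] for h in sample_hashes}
    return None

if __name__ == "__main__":
    # Constructed "sample A": its loader embeds ROR13 constants for three APIs.
    sample_a = [ror13_hash(n) for n in ("LoadLibraryA", "GetProcAddress", "WinExec")]
    # Constructed "sample B": same three APIs, but a ROR7 variant of the routine.
    sample_b = [ror7_hash(n) for n in ("LoadLibraryA", "GetProcAddress", "WinExec")]
    for label, sample in (("A", sample_a), ("B", sample_b)):
        print(label, [f"0x{h:08x}" for h in sample], identify_hasher(sample, KERNEL32_EXPORTS))
```

In practice the analyst's side is exactly this brute force run against the export tables of the common Windows DLLs: once the routine is known, every hash constant in the sample turns back into an API name, and two samples that embed constants from the same (especially a custom) routine almost certainly share a loader or build toolkit.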
However, there were differences in how the infection occurred. Electronics Extreme, Zepetto and Innovative Extremist, the other company Kaspersky named, are all game developers, and Kaspersky reckons they were infected through the use of malware-ridden development tools.
“In the non-Asus cases, the malware was seamlessly integrated into the code of recently compiled legitimate applications,” said Kaspersky’s researchers. “Our deep search revealed another malware injection mechanism, which comes from a trojanized development environment used by software coders in the organisation.”
Kaspersky has yet to figure out whether the infection stemmed from a video game company installing the trojanised development software, or whether the code was deployed after a developer's machine was compromised.
"While we could not identify how the attackers managed to replace key files in the integrated development environment, this should serve as a wake-up call to all software developers," warned the researchers, who suggested that developers ask where their development software comes from, whether the delivery process for IDE distributions is secure, and when the integrity of their development software was last checked.
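One concrete way to act on that last question, as an added example rather than anything Kaspersky or the affected vendors published: snapshot a toolchain install directory into a manifest of SHA-256 digests, store that manifest somewhere the build host cannot rewrite, and re-check it on a schedule. The directory layout, file contents and the "linker" and "dropped.dll" names are constructed for the demo.

```python
"""Baseline-and-verify integrity check for a development toolchain directory.

Added example, not Kaspersky tooling. build_manifest() records SHA-256 digests
of every file under an install root (an IDE, compiler or SDK); verify() later
re-walks the tree and reports modified, added and removed files. demo() builds
a constructed toolchain in a temp dir and simulates a replaced linker.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> Dict[str, str]:
    """Map relative path (forward slashes, so manifests are portable) to digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree against a trusted baseline. A replaced compiler or
    linker shows up under 'modified'; an extra payload shows up under 'added'."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a fake toolchain, then simulate an attacker
    replacing the linker and dropping an extra file before the next check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "toolchain"
        (root / "bin").mkdir(parents=True)
        (root / "lib").mkdir()
        (root / "bin" / "compiler").write_bytes(b"compiler v1.0\n")
        (root / "bin" / "linker").write_bytes(b"linker v1.0\n")
        (root / "lib" / "runtime.a").write_bytes(b"runtime\n")

        # Baseline taken right after a verified install. In real use keep this
        # off the build host and signed; here the temp dir stands in for that.
        manifest_path = Path(tmp) / "baseline.json"
        manifest_path.write_text(json.dumps(build_manifest(root), indent=2))

        # Tamper: swap the linker for a modified one and drop an extra file.
        (root / "bin" / "linker").write_bytes(b"linker v1.0 + injected stub\n")
        (root / "bin" / "dropped.dll").write_bytes(b"MZ...")

        baseline = json.loads(manifest_path.read_text())
        return verify(root, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as good as the baseline: take it from vendor-published hashes or from a fresh install whose package signature you verified, not from a machine that may already be compromised, and keep the manifest where the build host cannot rewrite it along with the binaries. A manifest diff also will not catch a trojanised installer that was trojanised before you ever snapshotted it, which is why the "where does it come from" and "is the delivery channel secure" questions above come first.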
All this is an indicator that supply-chain attacks are hard things to deal with, and sadly they don't appear to be going away anytime soon.
“While attacks on supply-chain companies are not new, the current incident is a big landmark in the cyber attack landscape,” Kaspersky’s clever folks concluded. “Not only does it show that even reputable vendors may suffer from compromising of digital certificates, but it raises many concerns about the software development infrastructure of all other software companies.”
If you’re a developer, it’s time to get checking your tools. And if you’re an average Joe, best hope that your laptop maker is scrutinising its supply chain and plugging any leaks. µ
Source: Inquirer