Reputable programs spread malware – the supply chain attack

M.Sc. Jan Hörnemann


Distributing malware to many devices is difficult for criminals: manipulated apps are blocked by the app stores, and malicious programs are intercepted by antivirus software. That is why attackers try to distribute malicious software through reputable programs instead, in what is called a supply chain attack.

How the supply chain attack works

In this attack, attackers hide their malicious code inside a legitimate program and exploit the trust users place in that program to distribute the malicious code.

When the legitimate program is updated, the malicious software travels hidden inside the update and thus reaches many devices without attracting much attention.

To better understand the attack, the page Watchlist Internet gives a very good example: imagine you order a cake from a well-known confectionery. On the day of pickup, the pastry chef suggests topping the cake with a few cherries for free. You accept this nice offer and agree with the confectioner that you will pick up the cake the next day.

During the night the attack takes place: criminals manage to gain access to the pastry shop and secretly swap the cherries on your cake for spoiled ones. You pick up the cake the next day as planned, and neither you nor the confectioner suspects that the cherries are spoiled. You only find this out after you have eaten the cake, when it is too late.

This example shows well how criminals exploit the trust placed in a reputable program, here the confectionery, so that the victim has no reason to be suspicious.

The only mistake the confectioner or shop owner made was in securing the cake. Transferred to the digital world, this means the program must be protected from unauthorized access.
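As an added illustration that is not part of the original article, the following Python snippet shows the digital counterpart of "securing the cake" on the recipient's side: before an update is installed, its SHA-256 digest is compared with a reference value the publisher announced over a separate, trusted channel. The update bytes and the reference digest are constructed sample data, and the function names are my own.

```python
import hashlib
import hmac

# Constructed sample data: a stand-in for an update package and the digest
# the publisher announces over a separate, trusted channel (for example a
# release page served over TLS). Real installers are of course much larger.
GOOD_UPDATE = b"example-app-1.2.3-setup: legitimate installer bytes ..."
PUBLISHED_SHA256 = hashlib.sha256(GOOD_UPDATE).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the package as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def update_is_authentic(data: bytes, expected_hex: str) -> bool:
    """True only if the package digest matches the out-of-band reference.

    compare_digest performs a constant-time comparison, so the result does
    not reveal at which character the two digests start to differ.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def tamper(data: bytes, offset: int = 8) -> bytes:
    """Model the swapped cherries: flip a single bit somewhere in the package."""
    modified = bytearray(data)
    modified[offset] ^= 0x01
    return bytes(modified)


def install_update(data: bytes, expected_hex: str) -> str:
    """Gate the installation on the integrity check; never install a mismatch."""
    if not update_is_authentic(data, expected_hex):
        return "rejected: digest mismatch, package was modified or reference is wrong"
    # The real installer would run here.
    return "installed"


if __name__ == "__main__":
    print(install_update(GOOD_UPDATE, PUBLISHED_SHA256))          # installed
    print(install_update(tamper(GOOD_UPDATE), PUBLISHED_SHA256))  # rejected: ...
```

A check like this only catches tampering that happens after the publisher computed the reference digest, that is, during distribution, and only if the reference itself came from an uncompromised channel. If attackers insert their code before the release is built and signed, as in the 2017 CCleaner case, where the malicious build carried the vendor's legitimate signature, the tampered package passes the check. Protecting the build and release environment from unauthorized access, the point the article makes, therefore remains the essential countermeasure.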

One of the best-known examples of a supply chain attack is CCleaner: an update distributed in August 2017 contained malware, and this only became known in September.

Protect your own “confectionery”

As explained in the detailed example, the attackers must first gain access to the network of the company that "owns" the legitimate program. For example, to infect an Instagram update with malware, an attacker would first have to gain access to the Facebook network.

This access is easy to gain, and past incidents show that technical security holds up much better than the human side. The most common ways criminals gain access to a network are phishing emails, social engineering, and the use of unknown external hardware.

All three attack vectors come down to the human factor and can only be defended against if employees are trained. Well-designed encryption and a firewall help only until an attacker obtains all the necessary information through a phishing email.

The best ways to train employees against supply chain attacks are live hacking events and seminars, but regularly informing staff about current scams also helps to increase IT security.


M.Sc. Jan Hörnemann

Hello dear reader, my name is Jan Hörnemann. I am a TeleTrust Information Security Professional (T.I.S.P.) and have been dealing with information security topics on an almost daily basis since 2016. CeHv10 was my first hands-on certification in the field. With a Master of Science degree in Internet Security, I have learned about many different aspects and try to share them in live hacking shows as well as on our blog. In addition, I am active as an information security officer and have been qualified by TÜV for this activity (ISB according to ISO 27001).