The Supply Chain; aka the Hacker Food Chain

Kevin Townsend 13 May 2019

Could you be the weak link for hackers?

In December 2018, Chinese nationals Zhu Hua and Zhang Shilong were indicted by the US Department of Justice for involvement with the APT10 hacking group. The APT epithet stands for Advanced Persistent Threat. It is used to specify an elite hacking group, usually one that operates with the endorsement of, or direct employment by, a nation state. These are not run-of-the-mill cybercriminals.

One of the charges levied against Hua and Shilong was involvement in what the Justice Department called the ‘MSP Theft Campaign’. This is better known among security researchers as Cloud Hopper. Managed Service Providers (MSPs) were compromised, but they were not the primary targets – it was their customers that APT10 wished to hack. The MSPs were phished, and their customers’ credentials stolen; giving the APT10 group unhindered access to the real targets via the MSPs’ authorized access details.

This type of attack is known as a ‘supply chain attack’. The true target isn’t attacked directly. Rather its generally less well-defended supply chain – in this case the MSPs – are targeted first.

You may ask yourself, what have state-level hackers and international cyber-espionage to do with me? Possibly – but not necessarily – nothing. But it is important to understand the concept of supply chain attacks and how they could affect us. We all need to know where in the hackers’ food chain we live.

What is a supply chain?

A supply chain is a chain of dependencies in goods or services. If I shop at Wal-Mart, Wal-Mart is in my supply chain. This chain links back to the wholesalers who supply Wal-Mart, and further back to the farmers who supply the wholesalers.

In the tech world, my computer supplier is part of my supply chain – and the manufacturers who develop the parts put together by my supplier are parts of its supply chain. The same applies to software: the developer is part of my chain, and the producers of open source routines used by the developer are parts of its supply chain.

In the other direction, I am part of the supply chain for the company that employs me. That company is part of the supply chain for other companies it supplies. If I sell things, I am the supply chain for my customers.

And so it goes on. Society is a complex interaction of complex supply chains. The problem is that in today’s connected world, suppliers often have online access to the supplied.

In general, the bigger the company, the greater the attraction for hackers – but at the same time, the better it will be defended. This doesn’t happen with the smaller companies that make up the supply chain. Smaller companies are less well-defended; and individuals with their home computers are the poorest defended of all.

Without realizing it, I could be part of a supply chain that links from me to my employer, and from my employer to some of the largest – or even critical – organizations in the country.

An example of a supply chain attack

The hack that focused the world’s attention on supply chain attacks was that against Target Corporation in 2013. On December 27, Target warned that up to 40 million customer bank cards may have been compromised. Two weeks later it warned that another 70 million customers may have personal information stolen.

But although Target was the primary victim, the attackers gained access through its supply chain – specifically, its HVAC supplier, Fazio Mechanical Services (FMS). Because FMS supplied services to Target, the company maintained a record of network access credentials to Target’s internal systems. While Target’s security was too strong for a direct attack, FMS did not have such effective measures in place; once hackers were able to breach the HVAC supplier, they were able to use these credentials to bypass Target’s security.

Since then there have been hundreds of different and successful supply chain attacks. For example, even the destructive NotPetya (aka Petna) ‘ransomware’ outbreak of 2017 (sometimes described as the world’s most expensive cyber incident ever) can be tied to the supply chain. The attackers first compromised a Ukrainian accounting firm (M.E.Doc) and poisoned the software it supplied to many leading Ukrainian companies. Those companies downloaded the software containing NotPetya, and from there it spread around the world.

Home users and the online supply chain

We all have our own supply chains, and our own weaknesses to it. For example, in July 2018, attackers compromised a PDF editor installation process so that users installing the app also installed a crypto miner. The app itself was not compromised, but the supply chain to it was. Although antivirus products prevented a major outbreak, this is a good example of supply chain infection. The malware installer was being distributed with a PDF-editing application. The application itself was not compromised, but rather a font package service within the editor. This shows that the supply chain can extend quite far; from a service, to a software component, to an installation process, and finally to… us.

In the next few sections, we’ll look at some examples and frequently used methods to contaminate our own supply chains in order to compromise us – or others through us.

Content management supply chain

Supply chain attacks are most effective when they find targets with the broadest reach possible. It is no surprise, then, that the content management system (CMS) software that underlies blogging software is an attractive target. No other type of web service is so widely used by all levels of users, from individuals producing and publishing personal blogs to large companies providing e-commerce services. This is especially true with the world’s most-used CMS, WordPress, which has its own localized supply chain in the form of its plugins. These are both professional and amateur user-created modules that can be mixed and matched to allow users to tailor their website to their own specific purposes.

In the beginning of 2018, WordPress started to see a surge in supply chain attacks exploiting the WordPress plugin infrastructure. Hackers could either create a malicious plugin masquerading as a valuable feature, which would then go on to harvest data or spread malware to users; or they could compromise an already-existing plugin with malicious code.

If a website is compromised through its supply chain, every future visitor to that website can potentially be compromised.

Foreign government-inspired attacks on the supply chain

In 2017, Russian hackers targeted the US power grid. Of course, this is a too big and well-secured target to attack directly, so the hackers went after the ground-level employees of small businesses providing support to the power grid. With phishing emails, malware attacks and malicious advertisements, the attackers slowly built a library of compromised credentials, allowing them more and more access to businesses closer to the supply grid.

Fortunately, this attack never made it so far as to cause wide-scale power problems, but along the way the hackers obtained significant amounts of personal data from regular users, working at the small businesses and support companies. Even when you’re not the ultimate goal of a supply chain attack, it can still cause great harm to privacy and security.

It is an attractive proposition for attackers to target us through the products we buy. In 2018, Bloomberg published a report claiming that products manufactured for companies including Amazon and Apple had been compromised by tiny microchips attached to motherboards during motherboard manufacture in China.

Although there’s a lot of doubt about whether this actually happened, it’s an alarming possibility to consider. Not only would such a chip allow the Chinese government to monitor all personal and financial data passing through these servers, but hackers would be able to alter the functionality and performance of the servers remotely. It demonstrates how powerful supply chain attacks can be, and how something so distant – geographically and technologically – as low-level hardware can easily reach us as consumers.

It is merely the possibility that this could happen – there is no actual proof – that underlies the banning of many Chinese-manufactured Huawei products by many western countries. In a similar vein – and again with no actual proof – U.S. federal agencies are banned from using Kaspersky products for fear that that the Russian government could compromise computers that use Kaspersky software.

Criminal and other attacks on our supply chain

It isn’t just foreign nations that threaten our hardware and software supply chain. Our Android devices are threatened by criminal malware that infiltrates the Google Play Store and threatens the supply of what should be trusted apps. In February 2019, Avast discovered three ‘selfie’ apps in the Play Store that delivered adware and spyware – and have had more than 2 million downloads.

Nor is it necessarily criminals that get into our supply chain. Way back in 2005, Sony BMG faced a huge scandal over the implementation of copy protection on their music CDs. The CDs would quietly install two pieces of digital rights management (DRM) software onto users’ PCs, which acted as rootkits and allowed for easy intrusion of other malware from more malicious agents.

As this is written in April 2019, a new scandal is brewing in Italy. Android spyware (there is also an iOS version) was distributed via Play Store. Called Exodus, it appears to be spyware developed for law enforcement to eavesdrop on possible suspects without prior court approval.

Where we fit on the global supply chain?

The purpose of this discussion is to demonstrate that we are all a node on the global supply chain. We have our own supply chain and we are a part of other supply chains. We are the target of criminals – and possibly even foreign governments – who seek to get into our personal computers via our own supply chain. And we are the potential target of major and minor hacking groups who can use us as the base point to attack our employers and their customers.

Nobody should consider they are too small or insignificant to be targeted as part of the supply chain. As the gig economy grows there are increasing numbers of freelance workers using home computers to work for multiple clients. Many deliver their work electronically, sometimes directly into their clients’ networks. These people, and often their customers, can be targeted through their computers – and are easily discovered via social media.

We need to protect ourselves upstream from our own supply chain. This is best done through constant awareness of potential threats and good antivirus software for when we fail. And we must protect the supply chain downstream through secure practices. Above all, we need to protect our personal computers so that we don’t become an active node in a major supply chain attack.

Kevin Townsend is a guest blogger on the Avast Blog where you can catch up on all the latest security news.  Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world with award-winning free antivirus and keeping their online activities private with VPN and other privacy products. Join in the conversation with Avast on Facebook and Twitter.

--> -->