A complex supply chain attack
In what can fairly be called a complex cyber-espionage operation, attackers infected tens of thousands of computers made by the Taiwanese brand ASUS through a supply chain attack. Security researchers at Kaspersky Lab reported detecting at least 57,000 infections among users of their anti-virus product. About half of those users are in Russia, Germany and France, while only about 5% are in the United States.
The attack ran between June and November 2018 but was discovered only in January 2019. The delivery vehicle was the ASUS Live Update utility. Pre-installed on most ASUS computers, it is used to update components such as the BIOS and UEFI firmware, as well as drivers and various applications. The attackers signed the trojanized binaries with the vendor's own legitimate certificates, so the files passed signature checks and avoided early detection. Despite the large number of infected computers, the attackers' real targets were a much smaller set: the implant carried a list of MAC addresses, and only machines whose network adapters matched an entry downloaded a second-stage payload. Nothing is known about that second stage, because the server that delivered it was no longer active by the time the attack was discovered. ASUS says it has released a fix and has taken steps to prevent a recurrence.
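One way to turn the MAC-address gate described above into a responder's check, as an added example that is not code from the original article, from ASUS or from Kaspersky: it assumes the implant compared the host's adapter addresses against a hardcoded list (whether that list was stored in plaintext or as hashes is a detail the article does not give, so the example handles both) and that the defender has a published target list to compare against. The sample target list and host addresses below are constructed for illustration and are not real indicators.

```python
"""Hunting for MAC-gated targeting on a host.

Added example, not code from the page, from ASUS or from Kaspersky. It
assumes the implant compared each host's MAC addresses with a hardcoded
target list and only then fetched the second stage; a responder can run the
same comparison in reverse against a vendor-published target list. The
target list and host MACs below are constructed for illustration only.
"""
import hashlib
import re
import uuid

_HEX_MAC = re.compile(r"[0-9a-f]{12}")
_HEX_MD5 = re.compile(r"[0-9a-f]{32}")


def normalize_mac(mac: str) -> str:
    """Reduce 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'
    to 12 lowercase hex digits so differently formatted lists compare equal."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX_MAC.fullmatch(cleaned):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return cleaned


def mac_md5(mac: str) -> str:
    """MD5 of the canonical colon-separated lowercase form.

    Assumption: target lists are often shipped as hashes rather than plaintext
    MACs, so comparison is done on hashes. The exact encoding that was hashed
    (separators, case) is part of the indicator and must match the publisher's."""
    canon = normalize_mac(mac)
    colon_form = ":".join(canon[i:i + 2] for i in range(0, 12, 2))
    return hashlib.md5(colon_form.encode("ascii")).hexdigest()


def build_target_index(entries) -> set[str]:
    """Accept a mixed list of plaintext MACs and 32-hex-digit MD5 entries and
    return one set of hashes, so either kind of entry matches a host MAC."""
    index = set()
    for raw in entries:
        entry = raw.strip().lower()
        if _HEX_MD5.fullmatch(entry):
            index.add(entry)           # already hashed by the list publisher
        else:
            index.add(mac_md5(entry))  # plaintext entry: hash it ourselves
    return index


def matching_macs(host_macs, target_entries) -> list[str]:
    """Return the host MACs (canonical form) that appear in the target list.

    An empty result means this host would not have received the second stage
    under this list; it says nothing about whether the trojanized updater ran."""
    index = build_target_index(target_entries)
    return [normalize_mac(m) for m in host_macs if mac_md5(m) in index]


def local_macs() -> list[str]:
    """Best-effort MAC of the running host via uuid.getnode().

    Caveat: the stdlib reports only one adapter and falls back to a random
    number with the multicast bit set when no hardware address is found, so
    that case is filtered out. Real triage should enumerate every adapter
    with OS tooling, since the gate may match any of them."""
    node = uuid.getnode()
    if (node >> 40) & 1:  # multicast bit set: random fallback, not a real MAC
        return []
    return [f"{node:012x}"]


# Constructed sample data (not real indicators): one plaintext entry and one
# entry already hashed, as a published list might mix both.
SAMPLE_TARGETS = ["00:11:22:33:44:55", mac_md5("de:ad:be:ef:00:01")]
SAMPLE_HOST_MACS = ["00-11-22-33-44-55", "DEAD.BEEF.0001", "02:42:ac:11:00:02"]

if __name__ == "__main__":
    print("targeted adapters in sample:", matching_macs(SAMPLE_HOST_MACS, SAMPLE_TARGETS))
    print("this host:", matching_macs(local_macs(), SAMPLE_TARGETS))
```

Two caveats matter when running this against real indicators. First, a miss only rules out the second stage on that host under that list; the trojanized updater itself may still have run, so the binary's hash and certificate should be checked separately. Second, MAC randomization, virtual adapters and replaced network cards all change what an adapter reports, so enumerate every interface rather than relying on the single address the standard library returns.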
What is a supply chain attack?
A supply chain attack is a cyber attack that exploits weaknesses in an organization's supply chain. Those weaknesses can be human, organizational, or in policies and processes, as well as in the resources involved across a product's lifecycle, from initial design to use by the end customer. By tampering with a vendor's hardware or software, attackers plant malicious code that infects the systems of that vendor's business customers. Earlier examples of this type of attack include the breach of the Target retail chain, the Stuxnet worm and the malware that affected ATMs in Russia and Ukraine.
How to prevent it?
As a means of prevention, there are principles organizations can adopt to avoid falling victim to these attacks:
- Keep the number of suppliers limited, so that they can be controlled effectively.
- Establish and enforce rigorous controls on suppliers, such as:
  - Analyze whether it is really necessary to grant them access to your systems.
  - If it is, grant access only to the applications and systems the business relationship requires; do not grant general access.
  - Establish policies and processes for third-party access.
  - Train both your own staff and the supplier's staff to avoid breaches caused by social engineering.
  - Set up a communication channel between the two organizations, so that each learns as early as possible if the other has suffered an attack, and of any relevant staff changes.
  - Revoke all access to systems and applications when the business relationship ends.
- Build security controls into applications from the design stage onwards.
That said, the point is not to shut everything down and fall into paranoia. Organizations should study and evaluate their options, consult experts, design measures, write them down and communicate them, and above all put them into practice. Otherwise any provision intended to prevent harm through a partner or supplier will not be worth the paper it is written on, and the cost will be high.