Software Distribution Compromise Tactics

The increasing number of software supply chain compromises represents a significant weakness that should be top of mind for security professionals. Regardless of your firm’s core business, chances are it relies on and is connected to a range of software providers’ electronic distribution channels for acquiring initial licenses or software updates. Any such electronic access, even through authorized and vetted means, poses a risk to the organization. Put simply: your software provider’s vulnerabilities could easily become your next breach.

Recent high-profile compromises affecting potentially millions of users of CCleaner (a popular computer clean-up utility) and NetSarang (a developer of enterprise server management tools for large corporations) highlight the threat of determined and adaptive adversaries abusing legitimate software and software updates to distribute malware. In these incidents, suspected Chinese cyber espionage actors compromised software developers and most likely moved laterally within victimized networks until they could embed their own malicious code into legitimate software packages that were being prepared for release.

In the case of NetSarang, the malware tool SHADOWPAD was inserted, whereas a tool dubbed DIRTCLEANER was added to the CCleaner update. Because both insertions took place before the software updates were digitally signed, the inserted malware ultimately ended up being signed as part of the legitimate software updates as well. As a result, the embedded malware circumvents each victim’s trust twice: 1) by abusing the inherent confidence one typically has when downloading from a known software vendor, and 2) by abusing the same digital certificates that software vendors use to validate the legitimacy of their files.

Exploitation of the supply chain is nothing new for cyber espionage actors. EternalPetya, the destructive ransomware that emerged in March 2017, initially spread via an infected update of MeDoc, a popular Ukrainian accounting software package. Technical evidence linked the poisoned update to Sandworm Team, a Russian operation.

Further, in January 2015, an online game distribution platform was used to distribute SOGU (PlugX), malware typically used by Chinese espionage actors. Probably not coincidentally, this group of actors is believed to be associated with the same operators who distributed SHADOWPAD via the compromised NetSarang update. Although the tactic is not currently as common as spear phishing or strategic web compromises, the CCleaner and NetSarang incidents demonstrate the effectiveness of victimizing users via the supply chain.

Significant attention should be given not only to how your software providers are managing security as part of the tools and applications they deliver, but also to the overall risk exposure to your organization from these third-party relationships. Does the value derived from the relationship justify the level of electronic access and the inherent risk posed by such access?

Not all software vendor relationships will rise to the level of a significant procurement that requires detailed diligence. Regardless, protocols and policies should be in place before allowing employees to access and set up transmissions directly with a licensor. A corporate policy and appropriate controls should be implemented to prevent such transmissions without first subjecting the licensor to some form of scrutiny and a review of the governing terms of use/service.

It is also critical to make sure that the legal terms and conditions between the end user and licensor have been reviewed, as these terms will allocate responsibility and liability for breaches. For larger software installations, these agreements will likely be negotiated and customized to the specific commercial transaction. For smaller software applications and individual users, the relationship will be governed by non-negotiated terms of service or use, often referred to as “click-through” agreements or licenses. Regardless of the governing legal terms, it is important to pay close attention to the allocation of responsibility and limitations of liability for breaches.

Efforts to integrate and manage cybersecurity in software supplier arrangements should start early. Detailed security assessments should be part of initial due diligence on software suppliers, and internal cybersecurity stakeholders should be included in that effort. It is important to understand the security processes and tools that proposed software licensors will utilize, the licensor’s vulnerabilities and plans to remediate gaps during the term of the proposed agreement, and the plan for the licensor to integrate with existing corporate cybersecurity programs. It is also crucial to understand how the licensor has responded to past incidents and improved its operations as a result.

Meighan E. O’Reardon is Counsel at Pillsbury Winthrop Shaw Pittman LLP and a member of the firm’s Global Sourcing and Technology Transactions Practice. She can be reached at meighan.oreardon@pillsburylaw.com.