Researchers believe that Taiwanese technology giant ASUS was not the only company targeted in last month's supply chain attack, dubbed Operation ShadowHammer. According to Kaspersky Lab, the attackers behind the ShadowHammer operation infiltrated at least six other organizations.
“In our search for similar malware, we came across other digitally signed binaries from three other vendors in Asia,” Kaspersky researchers wrote in a blog post. Electronics Extreme Co. Ltd., a game developer from Thailand, was among the vendors listed as having released digitally signed binaries of a video game called Infestation: Survivor Stories, which was reportedly taken offline in 2016.
“This weaponization of code signing is direct evidence that machine identities are a beachhead for cyber-criminals. The only way to protect against these kinds of attacks is for every software development organization to make sure they are properly protected,” said Michael Thelander, director of product marketing at Venafi.
“No one should be surprised at how extensive this attack is. Due to their wide reach, bad actors target code-signing certificates in broad, deliberate campaigns and leverage them in large, multi-stage attacks.”
Supply chain attacks have become increasingly concerning, according to the 2019 Internet Security Threat Report, which found that supply chain attacks rose by 78% between 2017 and 2018, prompting US intelligence agencies to partner in designating April as Supply Chain Integrity Month.
“Software subversion attacks – such as the ASUS Live Update intrusions – are particularly difficult to thwart because they are incredibly sophisticated and highly targeted,” said Chris Duvall, senior director at The Chertoff Group.
“Unfortunately, due to the apparent success rate, we can expect to see a continued surge in the use of third-party applications as the back channel into networks. While not a panacea, we advise clients to help prevent these attacks by assessing file integrity whenever possible and maintaining good cyber hygiene through configuration hardening, vulnerability management, and segmentation.”