The NotPetya attack in late June 2017 spotlighted an attack vector that has proven effective against specific targets: the software supply chain. The attackers penetrated a software vendor's update infrastructure and inserted malicious code directly into a legitimate software update. That vendor was a major supplier of financial (tax and accounting) software to businesses in one country, Ukraine. This could be pure coincidence, or it could be an indicator that rogue actors are deliberately exploiting weaknesses in the supply chain to reach a chosen set of victims.
In mid-September 2017, reports appeared that the build environment for CCleaner, a system-cleaning utility from Piriform (acquired by Avast in July 2017), had been compromised as well: CCleaner v5.33 and CCleaner Cloud v1.07.3191 were altered to carry malware. Over 2.27 million endpoints downloaded the tainted version. The first-stage implant reported system information to the attackers and could retrieve a second-stage payload, giving them remote access to infected systems. Later analysis suggested that only a short list of companies were the intended targets of the second stage, but every system that ran the tainted build was exposed.
In early October 2017, reports surfaced that a legitimate VMware update was being pushed with malware inside its libraries. The details available at publication time were not sufficient to confirm this as a supply chain attack, but the pattern is suspicious.
Distributing malware through rogue or fake software updates is not new; Adobe Flash users were for years a favorite target of spoofed update prompts. What is new, and especially disturbing, is malware delivered inside genuine patches from trusted supply chain vendors. The update arrives through the expected channel, from the expected source, at the expected time, so the usual tells of a fake update are absent and detection is very difficult.
This revelation should drive changes in healthcare organizations' vendor management and patch management processes. First, the software update and patching process for every device should be reviewed to identify which devices receive automated updates directly from the manufacturer. That inventory must cover biomedical devices, printers, laboratory and pharmacy systems, security cameras and SCADA systems, as well as the traditional IT-managed devices such as servers and laptops. CIOs and CISOs should then perform a risk assessment to determine which systems and software need to be updated immediately, and which can be updated from a local distribution server after testing and analysis.
At one end of the spectrum, antivirus signature and virus definition updates need to be installed almost immediately to counter zero-day threats and may require a direct connection to the vendor. At the other end, operating system and application patches should be staged in a test environment and scanned prior to mass deployment. The decision for each update should be flexible and weigh the Low to Critical severity rating that generally accompanies it against the exposure and criticality of the systems that will receive it.
Ultimately, there will be workflow and resource impacts. For some organizations the extra staging step will require more time and delay deployment. Others may need to invest in local scanning and monitoring tools that watch the test environment for anomalies following an update, such as new outbound connections, unexpected processes, or changed files.
Strategic sourcing, or procurement, should also review existing contracts with software and hardware vendors, looking specifically for limitations of liability that would cap the damages recoverable following a vendor-caused attack. Procurement policies and workflow should be reviewed to ensure that all new contracts include language that reduces the legal, regulatory, and financial impact of such an attack on the organization.
Software vendors need to review their secure software development life cycle, specifically enforcing separation of duties, independent testing of source code and executables following revisions, and separate development, build, and production distribution environments. Finally, use one-way hashes to detect unauthorized changes to executables, with one important caveat: a hash or signature produced by the same compromised build environment proves nothing. The tainted CCleaner build carried the vendor's valid code-signing signature, because the malware was inserted before signing. Reference hashes must therefore be computed and stored outside the pipeline they are meant to protect, for example from an independent rebuild on a separate machine, and customers should compare the vendor-published hashes against what they actually received before deploying from a local server.
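The hash-based change detection described above, as an added example that is not part of the original article or any vendor's tooling: a SHA-256 baseline of a release directory is recorded once, stored out-of-band, and re-checked later so that modified, added, or removed files are reported. The directory layout, file names (`bin/setup.exe`, `lib/core.dll`, `lib/helper.dll`) and file contents are constructed for the demonstration, and the manifest format is an assumption of this example rather than any vendor's format.

```python
"""Added example, not from the original article: an integrity baseline for a
release directory, using SHA-256 (a one-way hash) to detect files that were
modified, added, or removed between the reviewed build and distribution.

Assumptions (not taken from the article): the vendor computes the baseline
on an independent machine right after the reviewed build, stores it
out-of-band (e.g. in a manifest kept and signed outside the build server),
and re-runs the check in the distribution environment and on the customer's
staging server before mass deployment. File names and contents below are
constructed for the demonstration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in files}


def baseline_to_manifest(baseline: dict) -> str:
    """Serialize deterministically so the manifest itself can be hashed or signed."""
    return json.dumps(baseline, indent=2, sort_keys=True)


def verify_against_baseline(root: Path, manifest: str) -> dict:
    """Compare the directory's current state with a stored manifest."""
    expected = json.loads(manifest)
    current = build_baseline(root)
    changed = sorted(
        name for name in expected
        if name in current and not hmac.compare_digest(expected[name], current[name])
    )
    added = sorted(set(current) - set(expected))
    missing = sorted(set(expected) - set(current))
    return {
        "changed": changed,
        "added": added,
        "missing": missing,
        "ok": not (changed or added or missing),
    }


def demo() -> tuple:
    """Build a constructed release tree, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        # Constructed stand-ins for release artifacts (not real binaries).
        (root / "bin" / "setup.exe").write_bytes(b"MZ constructed installer stub")
        (root / "lib" / "core.dll").write_bytes(b"constructed library, reviewed build")

        manifest = baseline_to_manifest(build_baseline(root))  # stored out-of-band
        clean = verify_against_baseline(root, manifest)

        # Simulate a build-stage implant: bytes appended to a shipped library,
        # plus an extra library dropped into the tree.
        with open(root / "lib" / "core.dll", "ab") as fh:
            fh.write(b"\x90\x90 injected stage-one loader (constructed)")
        (root / "lib" / "helper.dll").write_bytes(b"constructed unexpected file")

        tampered = verify_against_baseline(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("reviewed build:", "OK" if before["ok"] else before)
    print("after tampering:", after)
```

The check is only as trustworthy as the place the manifest came from: if the baseline is computed by the same build server the attacker controls, it simply records the implant. Producing the manifest from an independent rebuild, or comparing the vendor-published manifest against one computed on your own staging server, is what turns a digest into evidence.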
If you have additional questions or need support in reviewing or updating your policies or processes, please contact us.