Since the invention of computer networking, hackers have always been attempting to illegitimately get into systems and gain control of various assets across the Web. Usually they’d do this by attempting to coax users to download infected software that gives them access to the victims’ machines.
But what if they don’t need to do any coaxing? What if they distribute their viruses through otherwise legitimate channels by hijacking a software update? This is what happened when hackers took over the distribution of CCleaner’s 5.33 update sometime in September 2017 and Cisco discovered the attack later in the month.
A Word on Supply Chain Attacks
The kind of incident that CCleaner’s users just suffered is known as a supply chain attack. Hackers compromised the security of its developer (Avast, no less), injected their own malware into CCleaner, and smoothly released the 5.33 update to 700 thousand computers. The malware inside not only put all of these computers into a botnet but also targeted twenty different major tech companies (including Cisco), attempting to get information about their systems and operations.
This is a very sophisticated form of espionage we often see coming from government institutions and other corrupt entities able to hire a team of skilled coders.
Supply chain attacks are particularly dangerous because the corrupted software reaches your computer through legitimate channels. Hackers gain unauthorized access to the developer’s build or distribution servers using the same methods they would use to break into any other server, usually by either exploiting a vulnerability in software running on those servers or by using sophisticated forms of phishing.
What Can You Do to Stop These Attacks?
So, we’ve established that in a supply chain attack the malware comes from legitimate channels. This means that even if you do everything you can to prevent being infected (such as only downloading software from trusted sources), you can still fall victim to this kind of attack without even knowing it. Perhaps the most troubling aspect of these attacks is that everything that could be done to prevent them is entirely in the hands of the entity distributing the software. You literally have no control over prevention.
You can, however, mitigate the damage that such an attack does by continuously keeping your software up to date. I know it sounds kind of counter-productive, considering you’re still relying on the distributor that gave you the software in the first place. But because they were the ones who were compromised by the hackers, they will also be the ones to release a “follow-up” update that removes the malicious version.
Be wary, however, of software that hasn’t been updated in a while (several months to a year). It is quite possible that the developer has abandoned the project. But if that software automatically updates, hackers could take advantage of this and give you an infected copy.
Since the developer has abandoned the project, there is a chance that they will not release a fix. Although you’d expect abandoned software projects to shut down their update servers, this doesn’t always happen. Sometimes the developer also hosts other, still active projects on the same server, so it stays online.
Here’s the kicker, though: Even if the server is no longer up, the domain registration will expire at some point. Then all a person needs to do to distribute malware through a legitimate channel is to register that expired domain and push their “new” version through to every client that still checks it. The only thing you can do to prevent this is to turn off automatic updating on software that’s been abandoned.
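One way to act on that advice is to audit what is installed rather than relying on memory. The script below is an added example, not code from the article or from any vendor: it walks a constructed inventory of installed programs, flags the ones that still auto-update but have not received an update in roughly nine months or more, and notes whether their update host even resolves anymore. The inventory format, the `STALE_AFTER_DAYS` threshold, the `.example` hostnames and the injectable `resolves` callback are all assumptions made for the example; in real use you would feed it your own inventory and let it call DNS.

```python
"""Audit installed software for abandoned auto-updaters.

Added example (not from the original article). Flags entries whose last
received update is older than a threshold and, for those, reports whether
the update host still resolves. A stale app whose update domain has gone
dark is exactly the case where automatic updating should be switched off
before someone else registers that domain.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Tuple
from urllib.parse import urlparse
import socket

# Assumption: "several months to a year" taken as about nine months.
STALE_AFTER_DAYS = 270


@dataclass
class InstalledApp:
    name: str
    last_update: date      # date of the most recent update you actually received
    update_url: str        # where the program checks for new versions
    auto_update: bool      # whether it pulls updates without asking


def default_resolver(host: str) -> bool:
    """Return True if the host currently resolves in DNS (live network call)."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def audit(apps: List[InstalledApp], today: date,
          resolves: Callable[[str], bool] = default_resolver) -> List[Tuple[str, str]]:
    """Return (app name, reason) pairs for auto-updating apps that look abandoned."""
    findings = []
    for app in apps:
        if not app.auto_update:
            continue  # nothing can be pushed to a client that never pulls
        age = (today - app.last_update).days
        if age < STALE_AFTER_DAYS:
            continue
        host = urlparse(app.update_url).hostname
        if host is None:
            findings.append((app.name, f"stale ({age} days); update URL has no host"))
        elif not resolves(host):
            findings.append((app.name,
                             f"stale ({age} days); update host {host} no longer resolves: "
                             "disable auto-update"))
        else:
            findings.append((app.name,
                             f"stale ({age} days); confirm the project is still maintained"))
    return findings


# Constructed sample inventory; the hosts are .example and never queried live.
SAMPLE_INVENTORY = [
    InstalledApp("ActiveEditor", date(2017, 9, 1), "https://updates.activeeditor.example/check", True),
    InstalledApp("OldNotes", date(2016, 5, 12), "https://update.oldnotes.example/feed.xml", True),
    InstalledApp("DormantTool", date(2016, 11, 3), "http://dormanttool.example/update", True),
    InstalledApp("ManualUtility", date(2015, 1, 1), "https://manualutility.example/", False),
]


def fake_resolver(host: str) -> bool:
    """Constructed stand-in for DNS: only two of the sample hosts still resolve."""
    return host in {"updates.activeeditor.example", "dormanttool.example"}


def run_sample() -> List[Tuple[str, str]]:
    """Run the audit against the constructed inventory as of 2017-09-20."""
    return audit(SAMPLE_INVENTORY, date(2017, 9, 20), fake_resolver)


if __name__ == "__main__":
    for name, reason in run_sample():
        print(f"{name}: {reason}")
```

With the constructed data, `ActiveEditor` is skipped because it updated recently, `ManualUtility` is skipped because it never updates on its own, `DormantTool` is reported as stale but still reachable, and `OldNotes` gets the strongest finding: stale and pointing at a host that no longer resolves.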
Things like these happen rarely, but if something like CCleaner can be hijacked in such a manner, it’s unlikely that supply chain attacks are on a downward trend. On the contrary, we may expect an event like this one to inspire other hackers to leave their own mark.
Do you have any other pieces of advice that could be useful in this scenario? Let’s talk about this in a comment!