The possible beginning of software updaters getting hacked

Over the years, a new trend has emerged of malicious hackers getting into companies' software update tools and injecting malicious code into legitimate updates. The most recent case is believed to have been perpetrated by Russian intelligence hackers who compromised SolarWinds. For those unfamiliar with SolarWinds, it provides software solutions for information technology, systems and network management.

At the time of the hack in December 2020, SolarWinds had roughly 300,000 customers, including federal agencies and almost all of the Fortune 500. It is still not clear how long the attackers had persistence or what the full impact of this breach has been. The attack was extremely successful because customers trusted SolarWinds, and the malicious code arrived as what was supposed to be a trusted update from the vendor. Subject matter experts predict the damage could take years to fix and clean up.

Companies like FireEye, a cybersecurity firm, have teamed up with Microsoft and a couple of other companies to investigate, help repair the damage done, and develop strategies to prevent and mitigate future attacks from copycat attackers or from nation-states such as Russian intelligence.

One of the first attacks similar to SolarWinds targeted ASUS, a computer hardware manufacturer. The attack was called ShadowHammer, and signs of it first appeared in the second half of 2018. The hackers took a motherboard firmware update from 2015 and modified its code to allow remote access through a backdoor. They used a legitimate ASUS username to gain access, then stole a digital certificate to make the update appear to come from ASUS. It is believed that over a million customers were affected, and the attack was not made public until Kaspersky Labs discovered it. After the report was published, ASUS was forced to reach out to those affected and provide assistance with system hardening and removal of the malicious code.

This attack forced ASUS to update its Live Update service, requiring employees to use multi-factor authentication to access critical systems such as this one, and to use end-to-end encryption on most, if not all, of the company's services. Kaspersky Labs believes the creators of this attack were the same group responsible for the NotPetya outbreak of May 2017 and the compromise of a program called CCleaner in June of the same year. If so, it shows how attackers are able to modify existing shellcode to suit their needs and goals from one attack to the next in a relatively short time.
