Supply Chain Vulnerabilities

This article began with ShadowHammer as the primary topic: a scathing rebuke of ASUS for their total lack of effort in securing an unnecessary utility that they install on every system they ship. However, I then saw the news about Office Depot’s System Health Checker tool being a complete sham designed to pressure people into purchasing software and services they do not need, which triggered memories of other similar betrayals.

I can easily recall a dozen times “trusted third party vendors” were responsible for a breach:

  • CCleaner, a utility designed to improve performance, delivered malware.
  • The malware ShadowPad was baked into popular server management tools.
  • Saks Fifth Avenue and Lord & Taylor: third-party provided point of sale system.
  • Best Buy, Sears, Kmart, Delta: customer service vendor.
  • Corporation Service Company: unknown vendor.
  • Under Armour: MyFitnessPal (acquired vulnerable environment).
  • UMG: cloud storage provider.
  • Target: HVAC contractor.
  • Applebee’s: third-party provided point of sale system.
  • Chili’s: third-party provided point of sale system.
  • MyHeritage: third-party storage.
  • 300,000 other companies: third-party ad network and ecommerce solutions (Magecart victims).
  • MSPs and their clients: ConnectWise and Kaseya management platforms.

So ASUS being compromised and helping the attacker distribute the ShadowHammer malware through, again, completely unnecessary bloatware is just another example in a long list of third-party failures. Why is it still happening? How are companies still allowed to sell products without performing security-focused testing? Why aren’t we pushing back and demanding to see QA/QE, vulnerability, or pen-testing results for software and hardware prior to purchasing? And if the vendor doesn’t have those reports, along with the re-tested results showing mitigation was successful, why aren’t we looking for a vendor that does?

The short answer is, quite frankly, that the vendors don’t care until an incident occurs, and we, as an industry/society, do not punish those that are caught red-handed not caring. I know the vendors don’t care because the remediation cycles are relatively short. ASUS had a patch released for the compromised Live Update tool, created a scanner for the malware, and “implemented an enhanced end-to-end encryption mechanism” in roughly 48 hours. Reverse extrapolation indicates that had they spent a mere week on testing and remediation of their apps prior to release, this whole situation could have been avoided. For a company whose consolidated revenue in 2017 was $434 billion, whose net profit was $15.5 billion, and who continuously touted its accolades as a leader in the tech space, they certainly had the budget, knowledge, and situational awareness to determine that 5 days of employee labor to avoid an international embarrassment resulting in lost consumer confidence, public reputation, and associated legal fees/fines has a tremendous ROI. Yet here we are, and there will be no true punishment, as they’ve already reported making all these changes for “additional security to prevent similar events occurring in the future”. They didn’t even apologize to those affected.

That’s why it’s so frustrating when ‘Leaders’ in the tech industry give us reasons to worry about their hardware or software solutions. They’re supposed to be the driving forces behind ‘innovation’ and ‘solutions for all your needs’, but they’ve shown time and again they can’t be trusted with security despite the buzzwords plastered all over their marketing materials and sales pitches. Buzzwords like “enhanced end-to-end encryption mechanism”. Sounds like they made sure the next round of vendor deployed malware will be securely transferred from their servers straight to your endpoint.

My work mostly revolves around helping businesses achieve basic security: Turn on logging, apply patches, implement 2FA, this server shouldn’t have a public IP, etc. Can I honestly expect them to have enough controls in place to prevent a manufacturer’s private backdoor from being compromised at the source? Of course not. Companies shouldn’t have to add “Vendor skips basic vulnerability testing prior to selling product”, “Vendor has complete and utter disregard for security”, or “MSP spreads infection” to their threat modeling. Unfortunately we have to. After the “Left-Pad” incident of 2016, it has been increasingly obvious that our integrated ecosystem has unknowable dependencies on someone else’s work.

Despite the fact that only ASUS could have truly prevented this, there are local controls that would have mitigated this point of vulnerability. A strong, well-thought-out configuration management policy and change management procedures would have been the primary defense. As a backup to that, an IDS at key network junctions monitoring all your traffic would have spotted the malware en route to the endpoint.
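As an added example (not code from the original post, nor anything from ASUS), here is the gate that change management plus a junction IDS provide, in Python: the vendor hostname, hashes, signer and observations are constructed placeholders, not real ShadowHammer indicators. The point it makes deliberately is that the ShadowHammer binaries carried legitimate ASUS signatures, so a valid vendor signer must never be treated as approval; only a hash recorded by your own change process is.

```python
"""Change-management gate for vendor-pushed updates (added example, not from the
original post). Models the two local controls recommended above: an approved
manifest maintained by change management, and an inline check on files seen
crossing a network junction. Host, hashes and records are constructed placeholders."""
from dataclasses import dataclass
import hashlib

# Constructed manifest: change management records the SHA-256 of each update
# build it reviewed and approved, keyed by vendor host. Nothing else may install.
APPROVED_MANIFEST = {
    "update.vendor.example": {
        "CHG-1001": hashlib.sha256(b"approved build 3.1").hexdigest(),
    }
}

@dataclass(frozen=True)
class FileObservation:
    """One file seen in transit (what an IDS at a network junction would log)."""
    host: str        # HTTP host the file was fetched from
    filename: str
    sha256: str
    signer: str      # subject of the code-signing certificate, empty if unsigned

def evaluate(obs: FileObservation) -> tuple[str, str]:
    """Return (verdict, reason). Only hosts under change management are gated;
    a valid vendor signer is deliberately NOT sufficient, because a compromised
    vendor build chain signs the attacker's binary with the vendor's own key."""
    approved = APPROVED_MANIFEST.get(obs.host)
    if approved is None:
        return "untracked", f"{obs.host} is not a managed update source"
    for change_id, digest in approved.items():
        if obs.sha256 == digest:
            return "allow", f"matches {change_id}"
    if obs.signer:
        return "block", f"vendor-signed but not in manifest (signer={obs.signer})"
    return "block", "unsigned and not in manifest"

def triage(observations: list[FileObservation]) -> list[tuple[str, str, str]]:
    """Run the gate over a batch of IDS file records; returns (filename, verdict, reason)."""
    return [(o.filename, *evaluate(o)) for o in observations]

if __name__ == "__main__":
    sample = [  # constructed observations: one approved build, one trojanized but vendor-signed
        FileObservation("update.vendor.example", "setup_3.1.exe",
                        hashlib.sha256(b"approved build 3.1").hexdigest(), "Vendor Inc."),
        FileObservation("update.vendor.example", "setup_3.2.exe",
                        hashlib.sha256(b"trojanized build").hexdigest(), "Vendor Inc."),
    ]
    for row in triage(sample):
        print(row)
```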

If you have neither of those in place, reach out. We’re here to help.

ShadowHammer Zeek Detection Script
