It has been widely reported that the popular system optimisation tool CCleaner has been the subject of a security breach in which the download servers were compromised and rogue software was embedded into the distributable file.
Avast, who own the software, have disclosed that between 15th August and 12th September, 2.27M users who downloaded version v5.33.6162 of the software had also inadvertently installed a trojan hidden within the download package.
Analysis by malware experts has determined that the attack is likely part of a sophisticated APT (Advanced Persistent Threat). The initial trojan was used to send basic reconnaissance data from infected computers back to a command-and-control (C2) server. Infected machines which met certain specific criteria were then infected with a second-stage payload.
The users targeted by this second phase of the attack were all from a handful of large tech and telecoms companies in Japan, Taiwan, the UK, Germany and the US. The fact that the secondary malware was found to contain some very sophisticated code and was aimed at specific organisations strongly suggests that this was an advanced, possibly nation-state level industrial espionage attack.
This story highlights what is increasingly being seen as an important vector for cyber-attacks – the supply chain. The perpetrators of this incident directed their initial assault at a relatively weak link, and because of the trust organisations placed in their third-party providers, the infected software could pass freely into their enterprises.
Hopefully, this and other similar incidents will help to highlight the potential weak points in supply-chain cyber security and third-party risk. The gold standard for most organisations should be developing end-to-end assurance in the supply chain, but there are many hurdles to achieving this. As a minimum, requests for quotation and system requirement specifications should include obligations for some level of security assurance.
Certifications can help with this security assurance – a certification provides independent proof that vendors and systems suppliers have policies and procedures in place to secure their own systems. This gives end-users confidence that due diligence has been carried out to deliver a secure product or service. Conformance with information security standards such as the ISO 27000 series and the PAS 555 framework is one way for any enterprise to demonstrate organisational competence. Specifically, for Industrial Control Systems (ICS) vendors, certifications for organisational development lifecycles and for off-the-shelf hardware devices, typically based on the IEC 62443 standard, can be gained to provide that end-user assurance.
If you would like to see how Regency’s security consultancy can help you to understand and implement these supply-chain assurance principles, then call our office on 01242 225699 or email us at email@example.com
The CCleaner security incident update from Avast can be found here (link)