Last year’s hack could be next year’s cyber attack

Posted on 15 November 2017 by Connor Morley

Recent news coverage has been full of stories of major software corporations inadvertently leaking private data. What has also come to light is that breaches of security software developers and major software distributors have either directly led to the compromise of users and their data or handed attackers an easy harvest of exploitable material. Filing a bug report or updating your anti-virus software now carries a risk that was previously never considered.


When software updates contain malware

The compromise of CCleaner version 5.33, distributed by Piriform (owned by Avast), is a prime example. The attackers targeted the build and distribution infrastructure responsible for producing new versions of the software; because the malicious code was added before the release was signed, the tainted build carried Piriform's legitimate code-signing signature. This let the malware-laden version run unimpeded on hosts, as the signature marked it as legitimate and trustworthy code. The lesson is that a signature proves who signed the bytes, not that the pipeline that produced them was clean.
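As an added illustration (this is not Piriform's or Avast's code), the following Python sketches why a signature check alone passed the tainted build, and what a second, independent check adds. HMAC-SHA256 stands in for the vendor's code-signing operation so the script runs on the standard library alone; the key, the installer contents and the published hash list are all constructed for the example.

```python
import hashlib
import hmac

# Hypothetical key held by the vendor's release-signing step (constructed).
# HMAC-SHA256 stands in for a real code-signing signature; the logic below
# would be the same with an asymmetric signature and the vendor's public key.
SIGNING_KEY = b"vendor-release-signing-key (constructed for this example)"


def sign(blob: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """The release server 'signs' whatever the build step hands it."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def signature_valid(blob: bytes, sig: bytes, key: bytes = SIGNING_KEY) -> bool:
    """What the client's signature check answers: did the key holder sign these bytes?"""
    return hmac.compare_digest(sign(blob, key), sig)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def assess_release(blob: bytes, sig: bytes, published_hashes: set) -> str:
    """Combine the signature check with an independently published hash list.

    Returns:
      'unsigned'               - signature does not match (tampered after signing)
      'signed-but-unpublished' - valid signature, but not a build the vendor
                                 intended to ship (the CCleaner 5.33 situation)
      'ok'                     - valid signature and hash in the published list
    """
    if not signature_valid(blob, sig):
        return "unsigned"
    if sha256_hex(blob) not in published_hashes:
        return "signed-but-unpublished"
    return "ok"


# Constructed stand-ins for installer contents.
CLEAN_BUILD = b"CCleaner installer bytes (constructed stand-in)"
TAINTED_BUILD = CLEAN_BUILD + b"\n;; implant inserted on the build server before signing"

# Hashes the vendor publishes through a channel the build pipeline does not
# control (for example a reproducible build performed by a second party).
PUBLISHED_HASHES = {sha256_hex(CLEAN_BUILD)}


def demo() -> dict:
    """Three cases: clean build, tainted before signing, tampered after signing."""
    clean_sig = sign(CLEAN_BUILD)
    tainted_sig = sign(TAINTED_BUILD)  # attacker on the build server gets a real signature
    cases = {
        "clean": (CLEAN_BUILD, clean_sig),
        "tainted-before-signing": (TAINTED_BUILD, tainted_sig),
        "tampered-after-signing": (TAINTED_BUILD, clean_sig),
    }
    return {
        name: (signature_valid(blob, sig), assess_release(blob, sig, PUBLISHED_HASHES))
        for name, (blob, sig) in cases.items()
    }


if __name__ == "__main__":
    for name, (sig_ok, verdict) in demo().items():
        print(f"{name:24} signature_valid={sig_ok!s:5} verdict={verdict}")
```

The signature catches the tampered-after-signing case, which is all it was ever designed to do; the tainted-before-signing case sails through it. The published hash list only helps if it is produced independently of the compromised pipeline (a reproducible build by a second party, or a hash recorded before the release step), otherwise the same attacker simply publishes the hash of the tainted build.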


Saving malware for a rainy day

Another security software company, Kaspersky, was also reported to have been compromised over the last few months, although in a far more subtle way. Intruders are said to have gained access to the infrastructure the software uses to relay detected malware samples back for analysis. That access reportedly gave them a view of American-made cyber weapons and zero-day malware that the product had detected in domestic use, to be cached and used or redistributed later. This perverts the purpose of catching, analysing and finding a fix for malware: the collection pipeline itself becomes a convenient store of tooling for later use. An additional concern is that the software was reportedly searching for these tools specifically, meaning intelligence on their existence and use already existed.


To publicize or not to publicize?

Microsoft Windows – arguably the most used OS on the planet – has had a few security incidents over the past few years that have only recently come to light. A vulnerability found by Google's Project Zero team was made public before Microsoft had released a patch for it. Microsoft was given 90 days to fix the issue before Google unilaterally released the details. Some may say that 90 days is ample time to solve such issues, but that depends on the nature and complexity of the bug. It was reported that Microsoft planned to ship a fix the following week, on Patch Tuesday, but Google published regardless of the fact that doing so put users at risk. The vulnerability's existence, the pace at which a patch was developed, and the unilateral publication of the details all raise concerns.


Access to prime information

While that example has two sides to the argument (inform the public of the threat and what to look for, or keep it secret and prevent mass use of the exploit), another incident came to light that does not. Microsoft's internal bug tracking database, which held information on critical and unfixed vulnerabilities in Windows itself and in related applications, was breached back in 2013. Microsoft claims that the vulnerabilities exposed in the breach were fixed within months and that there was no evidence the information was used in any breach identified around that period. However, the leak itself means the attackers had access to a central store of information that would make developing new exploits against Windows users anywhere considerably easier.


The patient hacker is normally the most successful

Where a breach led directly to the compromise of users, the corporations involved were quick to distribute updates and fixes; breaches of vulnerability databases and sample-collection networks, however, may have further-reaching implications that have yet to surface. These are only some of the most recent examples, but they show that software developers are just as susceptible to hackers as the rest of the digital community. The difference is that when they are breached, the effect reaches far beyond one organisation. All the corporations involved take great care over their security practices, yet attackers still got in. A single compromised trusted distributor lets the threat filter through to far-reaching targets, not necessarily for direct action but to harvest data for later, more nefarious use. The ultimate effects of breaches that target malware and vulnerability-related data may not have come to fruition yet; the material may still be being analysed and tested for how to achieve maximum effect. As always, the patient hacker is normally the most successful.


When good software behaves badly

Despite the complexity of these attacks, trained personnel who can spot indicators of compromise, regardless of infection vector, will still be able to detect the intrusion. Software may be trusted, but if it behaves abnormally it should still be pulled in for analysis. If hosts start executing downloads or reflectively loading code from unusual services or applications, that remains identifiable whether or not the originating binary carries a valid signature. Although distributors have a strong history of defending users reliably, the recent track record may cause some hesitation about installing the latest updates, which runs counter to good security practice. With a team of trained professionals monitoring your systems, however, these issues are mitigated: detection rests on what the software does on the host, not on where it came from.
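As an added example (not from the original post), here is the kind of behavioural check the paragraph describes, in Python, run over a handful of constructed Sysmon-style events. The baseline, process names, file paths and destination addresses are assumptions made for illustration and are not indicators from the CCleaner incident; the point is that a trusted, signed updater is judged on what it does, not on its signature.

```python
import json

# Per-process baseline for trusted software (constructed for this example).
# Keys are lower-cased image basenames; values describe what is normal.
BASELINE = {
    "ccleaner.exe": {
        "network": {"update.example.com", "cdn.example.com"},  # expected update hosts
        "children": set(),                                     # an updater spawns nothing
        "image_dirs": {r"c:\program files\ccleaner"},          # where its DLLs live
    },
}

# Interpreters and loaders whose appearance as a child of an updater is worst-case.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "mshta.exe"}

# Constructed Sysmon-style events, one JSON object per line. Timestamps,
# paths and the 203.0.113.7 destination (a documentation-range address) are
# made up for this example and are not real indicators.
SAMPLE_EVENTS = r"""
{"ts":"2017-09-13T10:01:02Z","type":"network","image":"C:\\Program Files\\CCleaner\\CCleaner.exe","dest":"update.example.com"}
{"ts":"2017-09-13T10:01:03Z","type":"image_load","image":"C:\\Program Files\\CCleaner\\CCleaner.exe","loaded":"C:\\Program Files\\CCleaner\\branding.dll","signed":true}
{"ts":"2017-09-13T10:04:40Z","type":"network","image":"C:\\Program Files\\CCleaner\\CCleaner.exe","dest":"203.0.113.7"}
{"ts":"2017-09-13T10:04:41Z","type":"process_create","image":"C:\\Program Files\\CCleaner\\CCleaner.exe","child_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts":"2017-09-13T10:04:45Z","type":"image_load","image":"C:\\Program Files\\CCleaner\\CCleaner.exe","loaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll","signed":false}
{"ts":"2017-09-13T10:05:00Z","type":"network","image":"C:\\Windows\\System32\\notepad.exe","dest":"203.0.113.7"}
"""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def _alert(ev: dict, proc: str, rule: str, detail: str, severity: str) -> dict:
    return {"ts": ev["ts"], "process": proc, "rule": rule, "detail": detail, "severity": severity}


def detect(lines) -> list:
    """Return alerts for trusted processes stepping outside their baseline."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        proc = _basename(ev["image"])
        base = BASELINE.get(proc)
        if base is None:
            continue  # no baseline for this process; other rules would cover it
        # Deliberately no "skip if signed" shortcut: a valid signature is exactly
        # what a build-pipeline compromise hands the attacker.
        if ev["type"] == "network" and ev["dest"] not in base["network"]:
            alerts.append(_alert(ev, proc, "network-to-unbaselined-destination", ev["dest"], "medium"))
        elif ev["type"] == "process_create":
            child = _basename(ev["child_image"])
            if child not in base["children"]:
                severity = "high" if child in SHELLS else "medium"
                alerts.append(_alert(ev, proc, "unexpected-child-process", child, severity))
        elif ev["type"] == "image_load":
            out_of_place = _dirname(ev["loaded"]) not in base["image_dirs"]
            if out_of_place or ev.get("signed") is not True:
                alerts.append(_alert(ev, proc, "image-load-outside-baseline", ev["loaded"], "high"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(f'{a["ts"]} {a["severity"]:6} {a["process"]} {a["rule"]}: {a["detail"]}')
```

The first two events are the updater doing exactly what its baseline allows and produce nothing; the beacon to an unbaselined address, the PowerShell child and the unsigned DLL loaded from a user's temp directory each produce an alert. In production the baseline would be learned from a clean observation window rather than typed in, but the shape of the check is the same.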