Supply Chain Attack Pushes Out Malware to More than 250 Media Websites
According to a series of tweets from the Proofpoint Threat Research Team posted late Wednesday, the attackers have tampered with the codebase of an application that the unnamed company uses to serve video and advertising to national and regional newspaper websites. The supply chain attack is being used to spread TA569’s custom malware, which is typically employed to establish an initial access network for follow-on attacks and ransomware delivery.
Detection might be tricky, the researchers warned: “TA569 historically removed and reinstated these malicious JS injects on a rotating basis,” according to one of the tweets. “Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn’t be considered a false positive.”
The tweets cited Proofpoint threat detection analyst Dusty Miller, senior security researcher Kyle Eaton, and senior threat researcher Andrew Northern for the discovery and investigation of the attack.
FakeUpdates is an initial access malware and attack framework in use since at least 2020 (but potentially earlier), that in the past has used drive-by downloads masquerading as software updates to propagate. It previously has been linked to activity by the suspected Russian cybercrime group Evil Corp, which has been formally sanctioned by the US government.
Symantec researchers previously observed Evil Corp using the malware as part of an attack sequence to download WastedLocker, then a new ransomware strain, on target networks back in July 2020.
A surge of drive-by download attacks that used the framework followed toward the end of that year, with the attackers hosting malicious downloads by leveraging iFrames to serve up compromised websites via a legitimate site.
More recently, researchers tied a threat campaign distributing FakeUpdates through existing infections of the Raspberry Robin USB-based worm, a move that signified a link between the Russian cybercriminal group and the worm, which acts as a loader for other malware.
The campaign discovered by Proofpoint is yet another example of attackers using the software supply chain to infect code that’s shared across multiple platforms, to broaden the impact of malicious attack without having to work any harder.
Indeed, there already have been numerous examples of the ripple effect these attacks can have, with the now infamous SolarWinds and Log4J scenarios being among the most prominent.
The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year, with multiple attacks across various organizations. The latter saga unfolded in early December 2021, with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool. That spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.
Supply chain attacks have become so prevalent that security administrators are looking for guidance about how to prevent and mitigate them, which both the public and private sector have been happy to offer.
Following an executive order issued by President Biden last year directing government agencies to improve the security and integrity of the software supply chain, the National Institute for Standards and Technology (NIST) earlier this year updated its cybersecurity guidance for addressing software supply chain risk. The publication includes tailored sets of suggested security controls for various stakeholders, such as cybersecurity specialists, risk managers, systems engineers, and procurement officials.
Security professionals also have offered organizations advice on how to better secure the supply chain, recommending that they take a zero-trust approach to security, monitor third-party partners more than any other entity in an environment, and choose one supplier for software needs that offers frequent code updates.
Copyright © 2022 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.