The software supply chain is increasingly under threat by attackers who seek to turn legitimate software programs into Trojan horses that can compromise millions of computers.
On Monday, security-software firm Avast announced that its popular system-cleaning program CCleaner—developed by Piriform, a company acquired by Avast in July—had been compromised during development and infected users’ system with malicious code for almost a month.
Anyone who installed the then-current 32-bit Windows version of CCleaner and CCleaner Cloud between Aug. 15 and Sept. 12—more than 2.27 million users—effectively installed a backdoor onto their systems as well.
Underscoring the effectiveness of inserting code during development, only one of the 64 antivirus scanners run by VirusTotal detected the malicious behavior, in large part because the CCleaner binary had a legitimate digital signature, according to an investigation by enterprise-technology giant Cisco, which detected the attack before Avast’s Piriform publicly announced the incident.
“The fact of the matter is, when it comes down to supply chain attacks, if the attacker is in your build system already, you’ve lost,” Craig Williams, senior technical leader with Cisco’s Talos research group, told eWEEK. “Once the attacker has all the certificates and all the keys and all the passwords, there is not a lot you can do.”
The attack underscores advice stressed by many software-security professionals: The software development process needs to be better secured to stop potentially devastating attacks. Too many companies have not adequately secured their software supply chain.
In June, for example, after online attackers compromised Ukrainian MEDoc tax software firm’s update server to distribute NotPetya ransomware, the program infected many large companies, disrupting operations at businesses such as Danish shipper A.P. Moller-Maersk, U.S. pharmaceutical maker Merck, and the world’s largest advertising firm WPP of Britain.
“Whenever you have a supply chain problem, each consumer has to be able push back at any point in the chain and say, I need a process to make sure that I’m getting what I think I’m getting,” Chris Wysopal, chief technology officer and co-founder of security firm Veracode, told eWEEK.
Customers of MEDoc, for example, could not even do that, because the company did not sign its updates.
Take digital signing seriously
Yet, Avast’s Piriform did, highlighting that a digital signature is not proof against software supply-chain attacks. Digital signatures are only as good as the process they are verifying, Wysopal said.
In the CCleaner incident, the attacker was able to insert themselves into the build process, most likely on the server used to compile, link, and sign the software, Ondrej Vlcek, chief technology officer of Avast, told eWEEK. While Avast has a process in place to check the final code for security issues and potential compromise, Piriform did not yet have that infrastructure in place, he said.