On the list of computer security advice standbys, "update your software" ranks just below with "don't use the password 'password.'" But as the cybersecurity research community gets to the bottom of the malware outbreak that exploded out of Ukraine to paralyze thousands of networks around the world last week—shutting down banks, companies, transportation and electric utilities—it's become clear that software updates themselves were the carrier of that pathogen. Cybersecurity analysts warn that it's not the only recent incident when hackers have hijacked software's own immune system to deliver their infections. And it won't be the last.
Over the past week, security researchers at ESET and Cisco's Talos division have both published detailed analyses of how hackers penetrated the network of the small Ukrainian software firm MeDoc, which sells a piece of accounting software that's used by roughly 80-percent of Ukrainian businesses. By injecting a tweaked version of a file into updates of the software, they were able to start spreading backdoored versions of MeDoc software as early as April of this year that were then used in late June to inject the ransomware known Petya (or NotPetya or Nyetya) that spread through victims' networks from that initial MeDoc entrypoint. This disrupted networks from pharma giant Merck to shipping firm Maersk to Ukrainian electric utilities like Kyivenergo and Ukrenergo.
But just as disturbing as that digital plague is the continuing threat it represents: that innocent software updates could be used to silently spread malware. "Now I’m wondering if there are similar software companies that have been compromised that could be the source of similar attacks," says Matt Suiche, the founder of Dubai-based Comae Technologies, who has been analyzing the Petya strain since it first appeared. "The answer is, very likely."
In fact, Kaspersky Labs tells WIRED that it's seen at least two other examples in the last year of malware delivered via software updates to carry out sophisticated infections. In one case, says Kaspersky research director Costin Raiu, perpetrators used updates for a popular piece of software to breach a collection of financial institutions. In another, hackers corrupted the update mechanism for a form of ATM software sold by an American company to hack cash machines. Kaspersky pins both of those attacks on a criminal organization known as Cobalt Goblin—an offshoot of the so-called Carbanak hacker group—but wouldn't share any more information as its investigations are still continuing. "My opinion is we’ll see more attacks of this kind," Raiu says. "It’s often much easier to infect the supply chain."
In the Petya case, security firm ESET also notes that the hackers didn't just stumble on MeDoc's software as a means to infect a large number of Ukrainian computers. They first breached another unnamed software firm and used its VPN connections to other companies to plant ransomware on a handful of targets. Only later did the hackers move on to MeDoc as a malware delivery tool. "They were looking for a good company to do this," says the firm's researcher Anton Cherepanov.
One reason hackers are turning to software updates as an inroad into vulnerable computers may be the growing use of "whitelisting" as a security measure, says Matthew Green, a security-focused computer science professor at John Hopkins University. Whitelisting strictly limits what can be installed on a computer to only approved programs, forcing resourceful hackers to hijack those whitelisted programs rather than install their own. "As weak points get closed up on the company side, they’ll go after suppliers," says Green. "We don't have many defenses against this. When you download an application, you trust it."
A basic security precaution that every modern developer should use to prevent their software updates from being corrupted is "codesigning," Green points out. That safeguard requires any new code added to an application to be signed with an unforgeable cryptographic key. MeDoc didn't implement codesigning, which would have allowed any hacker that can intercept software updates to act as a "man-in-the-middle" and alter them to include a backdoor.
But even if the company had carefully signed its code, Green points out, it likely wouldn't have protected the victims in the MeDoc case. According to both the analyses of both Cisco Talos and ESET researchers, the hackers were deep enough in MeDoc's network that they likely could have stolen the cryptographic key and signed the malicious update themselves, or even added their backdoor directly into the source code before it would be compiled into an executable program, signed and distributed. "You’d be compiling straight from fresh ingredient into this malicious thing," Green says. "The poison is already in there."
None of this, it's important to point out, should dissuade people from updating and patching their software or using software that updates automatically, as companies like Google and Microsoft increasingly do with their products. One of the biggest threats of hijacking updates to deliver malware may in fact be that overreaction: As former ACLU technologist Chris Soghoian has analogized, exploiting that patching mechanism for delivering malware is akin to the CIA's reported use of a fake vaccination program to locate Osama Bin Laden. Soghoian was referring specifically to an early instance of a malicious software update, when malware known as Flame---widely believed to have been developed by the NSA---was delivered by compromising Microsoft's codesigning mechanism. "If we give consumers any reason to not trust the security update process, they will get infected," he said in a speech at the Personal Democracy Forum five years ago.
Codesigning no doubt makes compromising software updates far more difficult, requiring much deeper access to a target company for hackers to corrupt its code. That means codesigned software that's downloaded or updated from Google's Play Store or the Apple App Store is, for instance, far safer and thus significantly harder to compromise than a piece of software like MeDoc, distributed by a family-run Ukrainian company without codesigning. But even the App Store's security isn't perfect: Hackers two years ago distributed infected developer software that inserted malicious code into hundreds of iPhone apps in the App Store that were likely installed on millions of devices despite Apple's strict codesigning implementation.
All of that means that on highly sensitive networks like the sort of critical infrastructure disabled by Petya, even "trusted" applications shouldn't be fully trusted. Systems administrators need to segment and compartmentalize their networks, restrict the privileges of even whitelisted software and keep careful backups in the case of any ransomware outbreak.
Otherwise, says Kaspersky's Raiu, it's only a matter of time until another software update debacle strikes. "If you identify software in critical infrastructure and you can compromise its updates," Raiu says, "the things you can do are limitless."
