The supply chain is a critical component of today's manufacturing and solution-provider industries. The vast majority of products – particularly those in the technology industry – pass through several stages and processes before being released for distribution. While this system can make the production and delivery of products more streamlined and efficient, as recent examples have shown, it can also open the door to added security risks.
Trend Micro researchers recently discovered a rash of online advertising attacks that are undermining the trust consumers place in the overall supply chain. Today, we'll take a look at these instances and explain how a third-party risk management program can help close some of these gaps in security.
Attacks tarnish users' trust in the supply chain
According to a 2015 Trend Micro Security Roundup, a wide range of online users have been put at risk because of "complete and blind trust in third-party vendors or service providers." Separate attacks, launched with different malware samples and dangerous online capabilities, have undermined supply chain security.
"These attacks exploit online advertising systems and reveal security gaps in the 'supply chain,'" Trend Micro noted. "This exposes site visitors to threats, and could potentially damage the reputations of Web administrators."
Malvertising mixes legitimate and illegitimate processes. Trend Micro explained that when advertisers seek to promote goods or services, they use ad networks, the entities that host online ads, to disseminate their promotions. These ads are delivered to many different sites; occasionally, however, a malicious ad gets through. When this occurs, the ad network is unaware that it is disseminating malware, because the malicious ad is displayed on sites exactly as an innocuous one would be. When users click on these malvertisements, their devices become infected.
Online ads inject BEDEP malware
One example of malvertising in action uses the BEDEP malware as its payload. In these cases, users become infected after visiting video-sharing sites that host the malvertisement carrying BEDEP. What is unique about this infection is that the user does not necessarily need to click on the malicious advertisement; simply visiting a site that has previously been compromised is enough.
After visiting the site, an exploit kit is launched via the infected landing page, which executes a specific Flash exploit, SWF_EXPLOIT.MJST. This exploit then executes the encoded payloads, including the BEDEP malware sample.
"BEDEP initially came undetected and unnoticed due to its heavy encryption and use of Microsoft file properties for its disguise as well as the use of seemingly legitimate export functions," Trend Micro Research Engineer Alvin Bacani wrote. "Our recent findings also show that the malware's main purpose is to turn infected systems into botnets for other malicious intentions. Additionally, BEDEP is known for carrying out advertising fraud routines and downloading additional malware."
A malvertisement that infects without any user interaction is a particularly dangerous sample, and it creates considerable risk for online users.
Superfish adware creates risk for Lenovo laptop users
In early 2015, Trend Micro observed a mass adware issue affecting Lenovo consumer-level laptops, on which Superfish adware came pre-installed. This visual search technology includes adware behavior, but the threat doesn't stop there – Superfish also enables attackers to launch man-in-the-middle attacks and glean sensitive details from what should be secure communications.
In addition, because Superfish installs its own root certificate, the visual search program can exercise its functions even while users are engaged in SSL (HTTPS) sessions. This includes activities such as online banking, using a social media site, or logging into email or messaging accounts.
Lenovo noted that this adware wasn't installed by the company on its enterprise laptops. However, as more employees utilize their personal devices for corporate activities through BYOD programs, the risk for exposing sensitive company data grows.
Compounding the issue are Superfish's unusual capabilities, which set it apart from ordinary adware.
"The Superfish adware, in effect, replaces all certificates the system receives with its own certificates created on the fly, signed with the installed root certificate," Trend Micro noted in a Security News post. "The problem with this is that attackers can use this knowledge to create their own certificates that the system would consider valid."
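The following Go program is an added illustration, not code from Trend Micro, Lenovo or Superfish: it reproduces the mechanism in the quote above with a constructed root CA, mints a certificate for a visited host on the fly with that root's key, and shows that the certificate verifies only on a machine whose trust store carries the root. The host name "bank.example" and the root's name are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// InterceptDemo models the Superfish pattern with a constructed root CA. It returns
// whether a trust store holding the root accepts the on-the-fly leaf, whether a
// clean store accepts it, and the leaf's issuer CN (the tell-tale an endpoint
// check or a careful user would see in place of the site's real CA).
func InterceptDemo(host string) (withRoot, cleanStore bool, issuer string, err error) {
	now := time.Now()
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader) // key shipped with every install
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Constructed Adware Root CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootPub, rootKey)
	if err != nil {
		return false, false, "", err
	}
	root, _ := x509.ParseCertificate(rootDER)
	// Leaf for the visited host, signed on the fly with the shared root key.
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, rootKey)
	if err != nil {
		return false, false, "", err
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	poisoned := x509.NewCertPool() // trust store of a laptop shipped with the root
	poisoned.AddCert(root)
	_, errPoisoned := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: poisoned})
	_, errClean := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	return errPoisoned == nil, errClean == nil, leaf.Issuer.CommonName, nil
}
```

Because the same root key sits on every affected machine, anyone who extracts it can mint certificates those machines accept, which is the risk the quote describes; checking the issuer of the chain presented for a well-known site against the CA you expect is one practical way to spot such interception.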
After the discovery of Superfish, Lenovo took a number of steps to remediate the flaw, including ceasing to pre-load the technology on its devices and disabling the program's server-side transactions so that its capabilities were neutralized.
Rik Ferguson, Trend Micro's global vice president of security research, noted that this instance could change the way consumers purchase devices in the future.
"Longer term, I believe manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option i.e. with no operating system pre-installed," Ferguson said. "Not only would this reduce cost to the user, it would also increase freedom of choice of Operating System and hand full control back to the owner of the device."
Supply chain protection: Risk Management Program
Both of these examples demonstrate the potential for risk that exists within nearly any supply chain. Thankfully, there are ways for both users and businesses to guard against these risks.
First and foremost, as the BEDEP malware example shows, users must exercise caution when browsing the Web. Any unfamiliar or suspicious-looking sites should be avoided, as should suspicious sidebar or featured advertisements. As Trend Micro pointed out, blind trust in vendors or other organizations can create considerable risk.
It's also imperative that solution providers take the necessary steps to secure their supply chains. Ed Cabrera, Trend Micro's vice president of Cybersecurity Strategy, noted in a recent post that a third-party risk management program can be a considerable boon for strengthening supply chain protection.
"As businesses continue to pivot to highly networked and outsourced supply chain models, they are exponentially growing their attack surface, allowing cyber criminals to leverage these new avenues of compromise," Cabrera wrote. "To manage this growing risk, businesses need to develop or improve their third-party risk management program."
In order to enhance risk management, Cabrera recommends bringing together the relevant departments of the organization – including the IT, legal and procurement teams. From there, stakeholders can work in tandem to identify the third parties they work with and the risk associated with each. After evaluating these parties' security postures, stakeholders should make their security expectations known to them and continually monitor their performance to help guarantee that these benchmarks are being met. This puts businesses in a better position to recognize and identify risks, and to work proactively to prevent them within the supply chain. In this way, organizations are able to vet the third parties they work with and enhance protections for their customers.
Ensuring security across the supply chain can help protect key assets and critical partnerships.