A newly reported supply chain attack involved malicious hackers compromising financial and government websites so they would deliver malware to unsuspecting visitors. The tactic demonstrates the risks involved with requiring users to download software in order to use your site properly.
In a blog post this week, researchers from ESET accuse the North Korean APT group known as Lazarus Group or Hidden Cobra of perpetrating an attack against certain South Korean websites that, ironically enough, require visitors to install specialized security software on their devices before they can use the site.
This installation process is enabled via a downloadable integration installation application called Wizvera VeraPort. According to ESET, some websites are mandated to have Wizvera VeraPort installed for users so that any necessary browser plug-ins, security software or identity verification software can be automatically installed with minimal user interaction.
While Wizvera VeraPort’s own infrastructure was apparently not compromised in the attack, certain websites that support Wizvera VeraPort were sabotaged so that attackers were able to replace the regular VeraPort software bundle with malware.
Which leads to the question: Does requiring users to download software as a precursor to being able to use one’s website or online services – even if it’s security software – introduce more risk than reward?
“In general, [it] seems like a bad idea, and it does introduce risk,” said Richard Absalom, senior research analyst at the Information Security Forum. While in this latest Korean case it was the websites that were compromised, Absalom notes that third-party software can itself become compromised or trojanized and become “a single point of failure” for multiple companies, and thus “has to be watertight from a security point of view.”
This latest incident is a bit reminiscent of another operation in which attackers embedded a malicious backdoor into tax and accounting software that Chinese banks require their business clients to download in order to do business with them.
Also, “a similar kind of requirement for third-party software was also at the center of the most destructive cyberattack in history: NotPetya,” said Absalom, referring to the destructive Russian wiper that disguised itself as ransomware. “To do business in the Ukraine, organizations had to have accountancy software MEDoc installed, and it was a vulnerability in that software that was exploited by NotPetya, resulting in businesses around the world being shut down.”
This attack was much smaller in scale, however, as it was limited to whichever websites the attackers were able to compromise in the first place. For the campaign to work, the website had to support Wizvera VeraPort and have a server-side VeraPort configuration that allowed the perpetrators to replace the normal bundled software with malware. In cases where the configuration was more secure, the attackers used a valid code-signing certificate to distribute the payload.
ESET senior malware researcher Peter Kalnai agreed that websites do increase their risk when they require software downloads, but not by as much as you might think if the third-party code provider is a trusted entity. “Of course, the risk might be higher if the third-party is not pushed into responsible behavior.”
Still, it is advisable for website operators to avoid forcing consumers to introduce more risk into their own environments by having them download unnecessary code. Fortunately, the websites for U.S. banks, government institutions and other regulated organizations generally do not mandate that their clients download any specific brand of software in order to interact with them.
But outside the U.S., this is more of an issue.
“The South Korean government decided around 2016 to finally escape the outdated technology of ActiveX [as a software plug-in], so it started to support alternative software and mobile platforms, with direct aid to fintech startups. However, the Japanese official tax system for individuals and corporations still requires ActiveX and Internet Explorer in 2020,” said Kalnai. “Among the new trends, though, are [software downloads] that increase complexity of inter-app communication between banks, clients and third-parties, like Payment Services Directives in the European Union.”
Additionally, “In the U.K., several banks ask customers to use the third-party security software Rapport,” Absalom noted. “However, they only recommend that users download the software. They don’t mandate it.”
Websites that require these kinds of downloads, even if they don’t have to, may have trouble earning the confidence of some potential clients. “There is… a question over usability and trust,” said Absalom. “I, for one, am wary if a website asks me, unprompted, to download anything. It immediately makes me wonder if it is legitimate. This might not be the case for every user, but may annoy a significant number.”
Besides, “most companies are able to offer all the functionality they need using their own software, e.g. secure identification and authorization, encryption,” without having to rely on third-party code, said Absalom. “For websites handling sensitive customer data [including] payment details, as a customer you would expect this to be built into the platform.”
On Nov. 18, the Korean CERT issued an advisory instructing VeraPort users to ensure that they are using version 3.8.5.0 or above to avoid exploitation.