Cybercriminals are infiltrating software vendors, launching supply chain attacks

Cybercriminals are moving into the terrain of supply chain attacks, masquerading as signed apps, and using ransomware as a distraction to steal money from the network.

Each of these are “interesting new areas” that cybercriminals may exploit in the future, according to Matt Hartley, vice president of global services and intelligent engineering with the cybersecurity firm FireEye. He spoke at the International Cyber Risk Management Conference (ICRMC) in Toronto Wednesday.

Hartley said cybercriminals are now perpetrating supply chain attacks. In particular, they are launching software supply chain attacks, which infiltrate a vendor’s process for building new software.

A cybercriminal may embed malware into software as a vendor is building a new version of an application, for example. “Makes it much harder to detect because it’s just part of the software,” said Hartley.

He also noted there has been a lot of focus on the security of signed apps. Some devices may warn users that the device is not signed by the vendor.

“In this case, because an actor infects the software as it’s being built, the process is essentially vendor source code, malware fused together, and then signed,” he explained. “So now, when you go to run that software or that app on your PC, it’s signed, it’s going to look good. We have to rely on the actions the software is taking, and hope that it’s not white-listed by our security tools and hope that we can see that action.”

Another potential emerging area in cybersecurity is using ransomware as a distraction, Hartley said. Bad actors will enter a network, distribute ransomware, and then demand a ransom. “Security teams are going to freak out, they’re going to start shutting computers down, or try to isolate computers as much as they can and deal with this infection,” he said. “Meanwhile, the attacker is actually going into your network to steal your company’s funds.”

For many years, distributed denial of service attacks (which bombard a website with traffic to try to make it inaccessible) have been used as a diversion, while bad actors infect a network and move money out, Hartley noted.

“We’ve seen a lot of attacks like that over the years, successfully executed,” Hartley said. “So we suspect ransomware is going to be used that way as well.”