Websites Requiring Security Software Downloads Opened Door to Supply Chain Attack

Published 07 December 2020
Tags: ransomware, supply chain, SC Media
Source: SC Media

I, for one, am wary if a website asks me, unprompted, to download anything. It immediately makes me wonder if it is legitimate.

Richard Absalom, Senior Research Analyst at the ISF

A newly reported supply chain attack involved malicious hackers compromising financial and government websites so that they delivered malware to unsuspecting visitors. The tactic demonstrates the risk of requiring users to download software in order to use your site properly: the site itself becomes the distribution channel for whatever an attacker who controls it chooses to serve.

In a blog post this week, researchers from ESET accuse the North Korean APT group known as Lazarus Group or Hidden Cobra of perpetrating an attack against certain South Korean websites that, ironically enough, require visitors to install specialized security software on their devices before they can use the site.

This installation process is enabled via a downloadable integration installation application called Wizvera VeraPort. According to ESET, some websites are mandated to have Wizvera VeraPort installed for users so that any necessary browser plug-ins, security software or identity verification software can be automatically installed with minimal user interaction.

While Wizvera VeraPort’s own infrastructure was apparently not compromised in the attack, certain websites that support Wizvera VeraPort were sabotaged so that attackers were able to replace the regular VeraPort software bundle with malware. Because the installer obtains both the list of components to install and the components themselves from the website, a compromised site controls the whole chain from the user’s point of view.
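To make the failure mode concrete, here is an added example (constructed for this page; it is not ESET’s analysis and not VeraPort’s code). It simulates an installer that fetches an install manifest and a component binary from the website being visited, and contrasts two ways of deciding whether to install the component: trusting the digest that arrives in the site’s own manifest, versus checking the binary against a digest the software vendor pinned inside the installer before shipping it. The component name `secplugin`, the sample binaries, and the pinned allowlist are all assumptions; no real product ships this code.

```python
"""Constructed simulation: a site-served install bundle, with and without
vendor-pinned integrity checks. Added example, not code from the original
page or from any vendor discussed on it."""
import hashlib
import hmac

# Constructed sample binaries standing in for a plug-in the website requires.
GENUINE_PLUGIN = b"genuine security plug-in v1.0"
TROJANIZED_PLUGIN = b"trojanized plug-in carrying a backdoor"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical allowlist the vendor embeds in the installer at build time.
# The visited website cannot change this; only a new installer release can.
VENDOR_PINNED = {"secplugin": sha256_hex(GENUINE_PLUGIN)}


def site_manifest(compromised: bool) -> dict:
    """What the website serves. Both the digest and the file come from the
    site, so an attacker who controls the site controls both consistently."""
    payload = TROJANIZED_PLUGIN if compromised else GENUINE_PLUGIN
    return {
        "components": [
            {
                "name": "secplugin",
                "sha256": sha256_hex(payload),  # computed by the site over its own file
                "data": payload,
            }
        ]
    }


def naive_install(manifest: dict) -> list:
    """Verifies each file against the digest supplied in the SAME manifest.
    This catches a corrupted download but not a hostile site, because the
    attacker simply publishes a digest that matches the trojanized file."""
    installed = []
    for comp in manifest["components"]:
        if hmac.compare_digest(sha256_hex(comp["data"]), comp["sha256"]):
            installed.append(comp["name"])
    return installed


def pinned_install(manifest: dict, pinned=VENDOR_PINNED) -> tuple:
    """Ignores the site-supplied digest entirely and installs a component
    only if its digest matches the vendor-pinned value. Unknown component
    names are rejected too, so a site cannot introduce extra payloads."""
    installed, rejected = [], []
    for comp in manifest["components"]:
        expected = pinned.get(comp["name"])
        actual = sha256_hex(comp["data"])
        if expected is not None and hmac.compare_digest(actual, expected):
            installed.append(comp["name"])
        else:
            rejected.append(comp["name"])
    return installed, rejected


if __name__ == "__main__":
    print("naive, clean site:      ", naive_install(site_manifest(False)))
    print("naive, compromised site:", naive_install(site_manifest(True)))
    print("pinned, clean site:     ", pinned_install(site_manifest(False)))
    print("pinned, compromised site:", pinned_install(site_manifest(True)))
```

The naive path installs the trojanized plug-in because the only thing it checks is internally consistent data from a single untrusted source. The pinned path rejects it without needing to know anything about the attacker, at the cost of requiring a new installer release whenever the vendor updates a component; in practice that pin would be a vendor signing key or certificate identity rather than a raw digest, but the principle is the same: the integrity reference must not come from the same place as the payload.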

Which leads to the question: Does requiring users to download software as a precursor to being able to use one’s website or online services – even if it’s security software – introduce more risk than reward?

“In general, [it] seems like a bad idea, and it does introduce risk,” said Richard Absalom, senior research analyst at the Information Security Forum. While in this latest Korean case it was the websites that were compromised, Absalom notes that third-party software can itself become compromised or trojanized and become “a single point of failure” for multiple companies, and thus “has to be watertight from a security point of view.”

This latest incident is reminiscent of another operation in which attackers embedded a malicious backdoor into tax and accounting software that Chinese banks require their business clients to download in order to do business with them.

Also, “a similar kind of requirement for third-party software was also at the center of the most destructive cyberattack in history: NotPetya,” said Absalom, referring to the destructive Russian wiper that disguised itself as ransomware. “To do business in the Ukraine, organizations had to have accountancy software MEDoc installed, and it was a vulnerability in that software that was exploited by NotPetya, resulting in businesses around the world being shut down.”

Additionally, “In the U.K., several banks ask customers to use the third-party security software Rapport,” Absalom noted. “However, they only recommend that users download the software. They don’t mandate it.”

Websites that require these kinds of downloads, even if they don’t have to, may have trouble earning the confidence of some potential clients. “There is… a question over usability and trust,” said Absalom. “I, for one, am wary if a website asks me, unprompted, to download anything. It immediately makes me wonder if it is legitimate. This might not be the case for every user, but may annoy a significant number.”

Besides, “most companies are able to offer all the functionality they need using their own software, e.g. secure identification and authorization, encryption,” without having to rely on third-party code, said Absalom. “For websites handling sensitive customer data [including] payment details, as a customer you would expect this to be built into the platform.”