A fake CCleaner update was used to infect thousands of computers through a "supply chain attack."
Last week it became known that thousands of ASUS customers, and three other unidentified companies, had received malware. At least in the case of ASUS they were disguised as security updates. This type of attack is known as "Attacks on the distribution chain. Are we Linux users safe?
According to the security company Kasperly, a group of criminals managed to compromise the server used by the ASUS update system. This allowed them installation of a file with malware, but signed with authentic digital certificates. The information was also confirmed by Symantec.
What is a supply chain attack?
En In an attack on the distribution chain, the malware is inserted during the hardware assembly process. It can also occur during the installation of the operating system or subsequent updates. Let's not forget either drivers or programs installed later. As the case of ASUS indicates, verification of authenticity using digital certificates does not seem to be successful.
In 2017, CCleaner, a popular Windows program, suffered a distribution chain attack. A fake update infected more than two million computers.
Types of attacks on the distribution chain
That same year four other similar cases were known. Criminals infiltrated the server infrastructure to distribute fake updates. To carry out this type of attack, the equipment of an employee is compromised. In this way they can access the internal network and obtain the necessary access credentials. If you work in a software company, do not open funny presentations or visit porn sites at work.
But this is not the only way to do it. Attackers can intercept a file download, insert malicious code into it, and send it to the target computer. This is known as a supply chain ban. Companies that do not use encrypted protocols such as HTTPS facilitate these types of attacks through compromised Wi-Fi networks and routers.
In the case of companies that do not take security measures seriously, criminals can access download servers. However, it is enough that digital certificates and validation procedures are used to neutralize them.
Another source of danger are Programs that do not download updates as separate files. Applications load and run it directly in memory.
No program is written from scratch. Many use libraries, frameworks and development kits provided by third parties. In case any of them are compromised, the problem will spread to the applications that use it.
That was the way you committed to 50 apps from the Google app store.
Defenses against "attacks on the supply chain"
Did you ever buy a cheap tablet with Android? Many of them they come with Malicious applications preloaded in your firmware. Pre-installed applications often have system privileges and cannot be uninstalled. Mobile antivirus have the same privileges as normal applications, so they don't work either.
The advice is don't buy this type of hardware, although sometimes you don't have a choice. Another possible way is to install LineageOS or some other variant of Android, although doing so requires a certain level of knowledge.
The only and best defense that Windows users have against this type of attack is a hardware device. Light candles to the saint who deals with these kinds of things and ask for protection.
Happens that no end-user protection software is in a position to prevent such attacks. Either the modified firmware sabotages them, or the attack is done in RAM.
It's a matter of trust companies to take responsibility for security measures.
Linux and the "supply chain attack"
Years ago we believed that Linux was invulnerable to security problems. The last few years have shown that it is not. Although being fair, those security problems were detected and corrected before they could be exploited.
Software repositories
In Linux we can install two types of software: free and open source or proprietary. In the case of the first, the code is visible to anyone who wants to review it. Although this is a more theoretical protection than real since there are not enough people available with the time and knowledge to review all the code.
What if it constitutes better protection is the repository system. Most of the programs you need can be downloaded from the servers of each distribution. Y its content is carefully checked before allowing the download.
Security politics
Using a package manager alongside official repositories reduces the risk of installing malicious software.
Some distributions like Debian takes a long time to include a program in its stable branch. In the case of Ubuntu, in addition to the open source community, tHas hired employees verifying the integrity of each package aggregate. Very few people take care of posting updates. Distribution encrypts packages, and signatures are checked locally by the Software Center of each equipment before allowing installation.
An interesting approach is that of Pop! OS, the Linux-based operating system included in the System76 notebooks.
Firmware updates are delivered using a build server, which contains the new firmware, and a signing server, which verifies that the new firmware is coming from within the company. The two servers only connect via serial cable. The lack of a network between the two means that a server cannot be accessed if the input is made through the other server
System76 configures multiple build servers along with the main one. For a firmware update to be verified, it must be identical on all servers.
Today, cMore and more programs are distributed in self-contained formats called Flatpak and Snap. Since ethese programs do not interact with system components, a malicious update will not be able to cause harm.
Anyway, not even the most secure operating system is protected from user recklessness. Installing programs from unknown sources, or misconfiguration of permissions can cause exactly the same problems as in Windows.