The FBI has sent a security alert to the US private sector highlighting a hacking campaign targeting supply chain software providers. Hackers are attempting to infect companies with the Kwampirs malware which has also been deployed in attacks against companies in the healthcare, energy, and financial sectors, and has now evolved to target companies in the ICS sector, and especially the energy sector.
“The @FBI says hackers are attempting to infect companies with the Kwampirs malware, a remote access trojan (RAT).” @ZDNet #SoftwareSupplyChain #CyberSecurity #SupplyChainCyberSecurity #Malware #RemoteAccessTrojan https://t.co/WDF659QFB9
— Christina Ayiotis, CRM, CIPP/E (@christinayiotis) February 11, 2020
Remote Access Trojans (RATs) are an insidious set of attacker tools that invade our systems, data and privacy. With so much legitimate remote access happening across our networks and hosts, there are plenty of opportunities for RATs to operate undiscovered as they hide in plain sight. The FBI’s report that threat actors are using digital supply chain infections as a distribution means for Kwampirs opens the door for the possibility of widespread deployments. Consider the scope and impact of NotPetya, which was embedded into an update service of the popular Ukrainian accounting application M.E. Doc, or the malware that was stealthily placed inside the updates for Avast’s CCleaner.
Whilst it’s good to see government agencies warn about, and provide identification signature profiles for, RATs such as Kwampirs, the pathways and services that RATs exploit remain open and hard to monitor for many organizations. Signatures exist for the most common RATs, but skilled attackers can easily customize or build their own RATs using common remote desktop tools such as RDP to exert remote access. This is held up by some recent analysis we made on live enterprise networks that found that 90% of surveyed organizations exhibit some form of malicious RDP behavior. This type of behavioral detection approach (instead of trying to perfectly fingerprint each RAT’s signature) can be achieved with machine learning models designed to identify the unique behaviors of RATs. By analyzing large numbers of RATs, a supervised machine learning model can learn how traffic from these tools differs from normal legitimate remote access traffic and so spot “RATish” behavior without prior knowledge of the attack or an individual RAT’s code.
It’s concerning, but not altogether surprising, that according to the FBI, the Kwampirs malware is being used against supply chain software companies. Kwampirs is a backdoor Trojan that provides attackers with remote access to a compromised computer. Once inside a victim’s network, the malware propagates aggressively, such as by copying itself over network shares. In the past, Kwampirs was used to target companies in the healthcare sector. We have seen that malicious actors will use anything in their arsenal to gain access to organizations’ data, and often, the best way to achieve this is by targeting the supply chain partners to which organizations are connected. For this reason, the FBI warning about the Kwampirs malware is just one more wake-up call for organizations to put processes in place to thoroughly assess and continuously monitor the security of their supply chain partners.
Data breaches frequently happen because there’s a security failure at a supply chain partner. It’s not unusual for the breach to occur some way down the chain – maybe three or four levels removed from your own organisation. In truth the more partner connections you have the greater your digital risk profile, exposing you to threats beyond the network perimeter that you are powerless to control.
In today’s complex digital ecosystems, confidential data is routinely shared between thousands of diverse technologies. Some you never knew existed. If any one of these suppliers incurs a data breach – whether through human error, password re-use or misconfiguration – everyone in the supply chain is immediately at risk.
The same holds true if a Critical National Infrastructure organisation is breached by a nation state actor. Everyone in the supply chain should straight away be on red alert. In this situation there are several options available to organisations to reduce their digital risk profile. One of the most effective is to add specially tagged synthetic identities to confidential datasets. Using an automated monitoring system to identify this data outside your network perimeter can ensure that, if the data ever gets leaked or misused, you’ll be the first to find out.
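The tagged-synthetic-identity approach described above, as an added illustration that is not code from the article or from any vendor quoted in it. It assumes one organisation-wide secret, HMAC-derived tags so that a recovered tag is both unforgeable and attributable to the partner dataset it was seeded into, and a constructed sample dump standing in for data found outside the perimeter.

```python
"""Canary records for supply-chain leak detection (constructed example)."""
import hashlib
import hmac
import re

# Assumption: a per-organisation secret; rotate it like any other key.
SECRET = b"constructed-demo-secret"
# Tags ride inside a plausible e-mail local part: "c" + 12 hex chars.
TAG_RE = re.compile(r"\bc([0-9a-f]{12})\b")


def canary_tag(secret: bytes, dataset_id: str, index: int) -> str:
    """Deterministic tag unique to (dataset, record) under this secret."""
    msg = f"{dataset_id}:{index}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]


def seed_canaries(secret: bytes, dataset_id: str, count: int) -> tuple:
    """Build synthetic records to mix into the dataset shared with a partner.
    Returns (records, registry) where registry maps tag -> (dataset_id, index)."""
    records, registry = [], {}
    for i in range(count):
        tag = canary_tag(secret, dataset_id, i)
        records.append({
            "name": f"Synthetic Person {i}",
            "email": f"c{tag}@example.com",
            "account": f"ACC-{tag[:6].upper()}",
        })
        registry[tag] = (dataset_id, i)
    return records, registry


def scan_external_text(text: str, registry: dict) -> dict:
    """Monitor step: scan text found outside the perimeter (paste sites, dumps)
    and report which partner dataset each recovered canary was seeded into."""
    hits = {}
    for match in TAG_RE.finditer(text):
        entry = registry.get(match.group(1))
        if entry:  # registry lookup filters out look-alike hex strings
            dataset_id, index = entry
            hits.setdefault(dataset_id, []).append(index)
    return hits


def demo() -> dict:
    """Constructed end-to-end run: seed two partner exports, scan a fake dump."""
    recs_a, reg_a = seed_canaries(SECRET, "partner-A", 2)
    recs_b, reg_b = seed_canaries(SECRET, "partner-B", 2)
    registry = {**reg_a, **reg_b}
    # Constructed dump: one partner-B canary plus an unrelated address.
    dump = f"name,email\nJane Roe,jane@example.org\n{recs_b[1]['name']},{recs_b[1]['email']}\n"
    return scan_external_text(dump, registry)  # -> {"partner-B": [1]}
```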
The similarities between Kwampirs and Shamoon are particularly concerning, given that the latter is linked to APT33, which has recently set its sights on ICS targets. The targeting of the software supply chain vendors is consistent with APT33’s modus operandi of compromising individuals with one or two degrees of separation from the ultimate target. Owners and operators of critical infrastructure, especially in the oil and gas sector, should be vigilant about their communications with these third parties. As a best practice, all remote access connections should be monitored to prevent an account compromise that might expose an operational technology (OT) network.