As CCleaner illustrates, software security has a ‘systemic problem’

It’s a truism of the Digital Age that anything can be hacked. It’s also a truism that things aren’t always what they seem.

Those notions hold true for CCleaner, which, with 115 million monthly active users, is the most popular Windows system-cleaning and -optimizing software in the world. New findings about an attack on older versions of CCleaner, first disclosed last week, indicate that hackers targeted the popular third-party consumer utility in order to infiltrate corporate computer systems.

Security researchers at Avast, which sponsors this site and acquired CCleaner parent company Piriform in July, wrote in a blog post on Monday that the CCleaner hack was a two-stage infection. Malware that the attackers embedded in a CCleaner software update first checked each infected machine for specific enterprise indicators. Only when it found what it was looking for, a still-unknown trigger present on just 40 of the 2.27 million computers running the compromised version of CCleaner (0.0018 percent), did it deliver a second malicious payload.

Security company Morphisec first noticed suspicious activity from CCleaner in mid-August, following a CCleaner update on August 15, and reported it to Avast on September 12, says Avast CEO Vince Steckler, contradicting published reports. Avast confirmed on the same day that the activity was an attack, he says. Two days later, working with law enforcement officials, Avast shut down the command-and-control servers behind the attack.

The targeted nature of the attack, Steckler says, is “scary.”

“They went to a heck of a lot of effort to penetrate 40 computers,” he says, adding that this kind of targeting is usually the work of nation-state attackers—or those funded by them. “The other scary thing is that it does not appear that a single security product detected the stage 1 infection, and it appears that no one detected stage 2. This was not the work of an amateur.”

To Steckler, it’s clear that expert hackers can use consumer-grade software to conduct industrial espionage. The computers affected by the second stage of the CCleaner malware attack were all connected to networks at technology, Internet, gaming, or telecommunications companies. Software companies of all shapes and sizes, furthermore, need to go to greater lengths to verify that the software they distribute is secure.

With good reason, experts have long fretted over the security of the so-called software supply chain in products as popular as Android phones, and worried about how to convince manufacturers to verify the origins of their third-party (and often open-source) software components without resorting to regulation. The CCleaner hack, in which the vendor's own update carried the malware rather than a tainted third-party component, has added a new dimension to those concerns.

Supply chain vulnerabilities have been involved in notable online attacks at least two other times this year, says Jeremiah Grossman, chief of security strategy at SentinelOne. He points to the NotPetya attack, which used the automatic updater of an obscure but popular software program in Ukraine to gain a toehold in that country and subsequently spread across the globe; and the ShadowPad attack, which installed a backdoor on the server management software of NetSarang Computer to infiltrate South Korean banks, pharmaceutical companies, and infrastructure.

And make no mistake: Software companies are relying on pre-existing software components from partner organizations more than ever before. According to software development company Sonatype’s third annual report on the software supply chain, the demand for JavaScript components exploded from 22 billion requested components in 2015 to 59 billion requested components in 2016—a 262 percent year-over-year jump.

The issue comes down to trust, says Dan Geer, chief information security officer of the CIA-affiliated venture capital fund In-Q-Tel. Geer, an expert on technology companies’ growing reliance on open-source software libraries—and hackers’ increasing interest in vulnerabilities present in those libraries—says “there has to be a backstop, and that backstop has to be that you may forego testing if, and only if, you have effective recourse, should your trust be later shown to be misplaced.”

Because “effective recourse” is rarely acquired in cybersecurity—look no further than the latest massive-scale data breach—“the trust problem will never be solved by piling on complexity,” Geer says.

In its annual report, Sonatype advises software vendors to take three steps to better secure their products. They must view software development as a single supply chain, with a commitment to never pass on known defects; they must create “instant feedback loops” to help companies hear about and patch vulnerabilities more quickly; and they must create a culture of software development that simultaneously encourages risk-taking in software development and learning from security failures.

Given that so much of the world’s software is made up of components stitched together—only 10 percent to 20 percent of proprietary software is newly written code, according to the Sonatype study—getting software developers to be more conscientious about checking their software before distributing it to users is an uphill battle that could take “arm twisting” and changes in contractual language, says Michael McNeil, global product security and services officer at Philips Healthcare.

“The new supply chain discussion has been on the back burner, and it has just now been coming to the forefront in a fast and rapid manner,” he says.

But consumers and even businesses can’t do much beyond pressure software developers to tighten supply chain security, Grossman says.

“How are they supposed to check the software update? The whole industry says, ‘Patch your stuff.’ And now you’re saying, ‘Be careful when you patch your stuff,’” he says. “This is going to be a worldwide problem. We have a systemic problem with how we update software, and we don’t have a good solution to this yet.”

Steckler says a certificate used by the CCleaner hackers to fake their access to the software’s update server was generated on July 3, two weeks before the acquisition of Piriform closed.

“In hindsight, this should have been part of the due diligence process. I’ve been through due diligence lots, and never seen the build process be part of the process.” Historically, he says, due diligence is about a company’s finances, and only touches software when there’s a legal or intellectual-property issue to sort out.

“This is a warning call that we need to be looking at the software development,” he says. “I would suspect that this is missing from most everyone’s due diligence. But it’s not missing from ours anymore.”