A Canadian cyber security software and services company has acknowledged that it was the victim of backdoor malware inserted into one of its products two years ago, in an attack detailed last week by investigators for security firm RSA.
Altair Technologies Ltd. of Mississauga, Ont., issued a brief notice on Wednesday (under "Latest Updates") that the RSA whitepaper relates to a June 30, 2016 security notification it published on its Web site for the company's EvLog 3.0 Windows event log analyzer software, whose users would include IT administrators. That notification warned users that if they had downloaded or updated the software between Apr 9 and 26, 2015 there was a high likelihood the software had been compromised, and that remnants could remain even if the software was deleted.

RSA dubbed the sophisticated attack Kingslayer and didn't identify the victim, but said the company's customers include telecom providers, military organizations, defence contractors, banks and IT companies. However, security reporter Brian Krebs noted the RSA report did specify that the victim company issued its notification on June 30, 2016, and traced it to Altair.
Krebs' story on Tuesday led to Altair owner Adrian Grigorof giving him a statement Wednesday that included the following: "Rest assured that the EvLog incident has been reviewed by a high-level security research company and the relevant information circulated to the interested parties, including antivirus companies."
Krebs makes much of the quiet disclosure by Altair Technologies: there was no link on the Web site to the 2016 notification, nor evidence the company used social media to spread the word. In his defence, Grigorof said he doesn't expect a large organization would use EvLog, which he describes as "a very simple tool." He also said Altair doesn't keep track of people who downloaded the tool.
This part of the story falls under the proposed breach notification regulations Ottawa is poised to release for organizations that have to comply with the Digital Privacy Act. The law specifies that organizations must disclose to customers and the federal privacy commissioner any "breach of security safeguards" that poses a "real risk of significant harm" to affected individuals.
The commissioner has the discretion to make that disclosure public, unlike several U.S. states, where all breach disclosures are automatically posted on an easy-to-find government Web site. Whether the proposed regulations will detail how, and how much, the commissioner has to disclose will be closely watched.
As for the RSA report, it calls Kingslayer a "software application supply chain attack", in that the malware was inserted into software that is then distributed to other organizations. The advantage, the report notes, is that a single compromise gives threat actors numerous targets with minimal additional effort. "This attack is different in that it appears to have specifically targeted Windows operating system administrators of large and, perhaps, sensitive organizations ... Nearly two years after the Kingslayer campaign was initiated, we still do not know how many of the customers listed on the website may have been breached, or possibly are still compromised, by the Kingslayer perpetrators."
The attack came to RSA's attention while it was investigating another exploitation campaign that involved an unusual beacon signal. It soon realized that an application used to analyze Windows logs (presumably EvLog) had been corrupted with malicious, signed code. Eventually, working with the vendor (Altair), investigators concluded the breach took place on an application update server: a subscriber updating their software received a corrupted version containing the backdoor, made to appear authentic with a stolen code-signing private key.
These "software supply chain" attacks are likely to expand, warns RSA. Not only do they lead a threat actor to multiple potential targets and evade traditional network analysis and detection tools; if the attacker gains control of an administrator tool it is the ideal beachhead for exploiting an enterprise. "A system administrator's workstation and cache of credentials invariably provides the most access of any system on an enterprise network," the report notes.
As a result RSA reminds software makers of the importance of file integrity monitoring, secure (dedicated or virtually private) hosting, validated time stamping of digital signatures, secure storage and deployment of code-signing keys (ideally in a hardware security module, or HSM), comprehensive network and endpoint visibility of the development environment, and a breach disclosure policy that ensures timely incident notification to affected customers.
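The first of those controls, file integrity monitoring of the directory an update server actually serves, is the one aimed most directly at the Kingslayer scenario: a baseline of file hashes taken when a build is published will flag a swapped installer before customers pull it, whether or not the swapped file carries a valid signature. The script below is an added illustration, not RSA's or Altair's code; the directory layout, file names and file contents are constructed for the demonstration, and the baseline store location is an assumption (in practice it must live somewhere an intruder who owns the update server cannot also edit).

```python
"""File integrity monitoring for a software update/download directory.

Added example (not RSA's or Altair's code). Builds a SHA-256 baseline of the
files served by an update server and reports anything added, removed or
modified since the baseline was taken. The release directory, file names and
file contents in demo() are constructed for this demonstration.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream-hash a file so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX-style path -> sha256)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Return the three change sets an integrity alert should carry."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    """Persist the baseline; keep this file off the monitored host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Publish a constructed release, baseline it, then simulate an intruder
    swapping the installer and dropping an extra DLL. Returns the report."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:  # assumed off-host store

        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Constructed release directory; real installers would be signed PE files.
        write("releases/evlog-3.0/setup.exe", b"MZ clean build placeholder")
        write("releases/evlog-3.0/manifest.json", b'{"version": "3.0"}')

        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated compromise of the update server: the installer is replaced
        # (a stolen signing key would make it look authentic) and a file added.
        write("releases/evlog-3.0/setup.exe", b"MZ trojaned build placeholder")
        write("releases/evlog-3.0/update.dll", b"MZ dropped component")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against the served tree and page on any non-empty change set that does not match a planned release; the comparison is cheap, the cost is in keeping the baseline (and the hashes a customer checks against) somewhere the update server itself cannot rewrite.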
Network admins are reminded that they are prime targets of exploits and shouldn't exempt their own systems, or systems to which only they have access, from network and endpoint visibility.