Cyberattacks are usually associated with data breaches where hackers steal valuable information for sale to a variety of “info merchants”. Or behind the scenes there are BDDoS=> Bot-based Direct Denial of Service attacks designed to cripple competitive websites. But as the Dark Web emerges with increasing malvolence there is an an increase of attacks on software vendors. Welcome to the Darkside of the Web.
New CyberAttack Mode – Infiltrate Software Vendor Tools
Many would argue that Ransomware has become the current attack mode of choice and the evidence can be seen in the above PDF report, But in the past half year, a new and more sophisticated line of attack has seen the infiltration and sabotaging of software vendor tools has become a preferred attack mode. And the headlines over the past year prove how widespread and lucrative it can be.
The method of used to infiltrate can vary among phishing attacks, turning a disgruntled employees or two-step sleight of hand. but the target is a hidden and well disguised code sequence that does one thing- passes permissions and control codes to third party attack tools. Here is a sampler of what can be accomplished.
Thousands of international companies and numerous US government agencies have been victims of a zero-day Exchange Server hack attack. using some of the same methods like Fishing attacks, Brute Force on weak passwords, or exploitation of failed patch updates
Microsoft says that attackers secured access to Exchange Servers either through the 4 zero day portals or stolen credentials. Then the hackers could create a web shell to hijack the system and execute commands remotely. These includie setting backdoor entrances to networked systems and siphoning reachable data.
SolarWinds supply chain hack attack
The attack inserts malicious code into Solar Winds Orion which then though supply chain updates and transfers spreads the malicious code throughout clients’ systems and servers.
The third-party software, in this case the SolarWinds Orion Platform, is broken into with carefully disguised malicious code that creates a backdoor through which hackers can access and impersonate users and accounts of the victim organizations. The malware could also access system files and blend in with legitimate SolarWinds activity without detection, even by antivirus software.,
Kaseya is the source of supply chain hack attacks
Russian Ransomware attack group REvil identified in early 2019 zero day vulnerabilities in Kaseya’s update software for its network management tools supplied to Managed Hosting Services operating in Europe, North America and Asia.
So REvil had a full year to test out its Ransomware hack code being downloaded onto a selected set of Hosting Services who in turn were infecting their clients with REvil’s ransomware code. So by June of this year when REvil activated its Ransomware and thus shut down over 1500 websites. Site owners were hit with bitcoin ransom demands to get their systems out of encryption paralysis.
jetBrains is a Czech Republic software company whose TeamCity tool is implicated in the hack attack on SolarWinds software.
What makes the situation interesting is that Jetbrains was started and is managed by three Russian software engineers with development labs in Czech Republic, Russia and the US. But JetBrains executives have acknowledged that TeamCity was used by Solar Winds but they are not aware of any investigation of TeamCity by an government or Cybersecurity agency. Instead they assert TeamCity is a complex product and “a misconfiguration” could have lead to SolarWinds misuse of the tool.
As can be seen software development tools have been the source of more ambitious hack attacks. There already is a large HACKaas aggregation of CyberHacking tools and vendors. So supporting the proliferation of Cyberattacks is a well-supplied hacking community with multiple for-hire tools.
But the second concern is the conduct of hacked software vendors like Kaseya, SolarWinds, even Microsoft. All of these vendors initially downplayed the extent of the hack infection and then delayed getting warnings and/or fixes out to customers. Recent experience with Corel Corporation’s Winzip provides an example of how NOT to treate customers.
Has Winzip’s website been hacked?
Last weekend I inadvertently deleted some Windows files. My Undelete app proved ineffective so I did a search for undelete utility which turned up WinZip System Utilities Suite.
The price and features looked right so I downloaded the software to test out its free undelete features. But first, Total AV was used to scrren the executable for any viruses – WinZip was lean. So I fired up the program and the first step was a scan:
To my surprise WinZip only provided limited initial scan controlso the scan took about 2 minutes despite thee fact the directory needing scanning was known. But i was I was relieved to see that recovery was only two steps away.. The scan report showed me that WinZip was identifying the missing folders & files:
But here is where the story turns. On the screen shot above I failed to notice the warning – “This is a free scan only version” Despite being disappointed that I could not checkout WinZip’s recovery process I decided to press press ahead, press the Register Now button,pay the $56.44CAD for 1year/website, ignore the pestering sales funnel flak about once-in-a-lifetime deals and just go get the Activation code emailed to me.
Bear with me because the the plot quickly thickens as I try to enter the activation code several times.
I try at least 5 times to enter the Activation code using copy/paste, manually with or without – dashes between the code sequence. Nothing works. So I call the Tech Support number (855)716-7029.
The support call goes awry with no answer for 5 minutes. Finally, I get connected on a third try – and the operator says due to overflowing demand a second 800 number is available. I call that number and get offered a mobile call retrieval service. I hang up and call the second 800 number again. And again there is an offer of mobile call retrieval service.I feel pranked. So I email tech support – Not good news:Given the tech support email response “…We are currently experiencing high support volume. Please allow us 7 business days to get back to your request.Multiple requests can lead to additional delays.” I have to conclude that WinZip website is under duress.
Since the 855 tech support number is no longer connected and the email request to tech support has not been received after 5 business days – I have to conclude that the WinZip has likely been hacked. But you would never know this by visiting the WinZip website. They are still selling their software as if nothing has gone wrong.
Does this sound like the downplaying and gaslighting done by the other hacked software vendors? Were WinZip’s efforts to inform and support their customers adequate?
Three weeks later – registration still does not work, no email reply from tech support, and the tech support telephone support is fruitless
The Dark Web is growing and its malevolence is becoming more pervasive. So now that software vendors are becoming part of the hacker toolset, are not these software vendors expected not just to be more vigilant of their code but also treat their potential clients and actual customers with higher frankness, transparency and support?and gaslighting