The Growing Threat of Supply Chain Attacks via Application Installers and the Importance of Post-Installation Inspection

Introduction

In recent years, there has been a significant increase in supply chain attacks targeting software applications from reputable vendors. These attacks exploit vulnerabilities in application installers to infiltrate networks and systems, potentially causing catastrophic damage. As the risk of such attacks continues to rise, organisations should prioritise inspecting applications and their post-installation behaviours to mitigate the threats posed by phase 2 and 3 attacks. This article will delve into the importance of reviewing all application packages from vendors before releasing them to production environments. Only recently, 3CX, a popular software-based phone system company, was subject to a supply chain attack.

The Rise of Supply Chain Attacks

Supply chain attacks are malicious attempts to compromise third-party software components or services in order to gain unauthorised access to a target system. These attacks have become increasingly popular among cybercriminals as they can bypass traditional security measures by exploiting trusted relationships between software vendors and their customers. Application installers from reputable vendors are particularly attractive targets, as they can easily infiltrate a system without raising suspicion.

Phase 2 and 3 Attacks: The Hidden Dangers

Phase 2 and phase 3 attacks refer to the stages of a multi-stage cyberattack that follow the initial compromise in a supply chain attack. While these terms are not industry-standard terminology, they help illustrate the progressive nature of advanced cyberattacks. Here’s a breakdown of the different phases:

  • Phase 1 – Initial Compromise: The first phase typically involves the attacker compromising a third-party software or service, such as an application installer from a reputable vendor, to gain access to the target system. In supply chain attacks, this is achieved by exploiting vulnerabilities in the software or by inserting malicious code into the software package.
  • Phase 2 – Establishing Persistence: Once the attacker has gained access to the target system, the second phase involves establishing persistence within the network or system. This can include deploying additional malware, creating backdoors, or leveraging legitimate tools and services to maintain a foothold in the compromised environment. During this phase, the attacker works to avoid detection and strengthen their position within the target system.
  • Phase 3 – Lateral Movement and Execution: In the third phase, the attacker seeks to expand their access within the compromised system, moving laterally through the network and potentially compromising additional systems. This phase also involves the execution of the attacker’s primary objectives, such as exfiltrating sensitive data, deploying ransomware, or causing disruption to the target organisation’s operations.

By understanding the progression of these attacks, organisations can better defend themselves against the threats posed by supply chain attacks and other advanced cyber threats. Monitoring and inspecting applications and their behaviours, particularly post-installation, can help identify and mitigate risks associated with phase 2 and 3 attacks.

Inspecting Applications and Their Behaviours Post-Installation

To mitigate the risk of phase 2 and 3 attacks, it is crucial to inspect applications and their behaviours post-installation. Organisations should consider implementing the following steps:

  • Perform a thorough analysis of the application’s source code, configuration files, and dependencies to detect any potential vulnerabilities or malicious components.
  • Monitor the application’s runtime behaviour to identify any unusual or unexpected actions, such as unauthorised network connections, file manipulation, or privilege escalation.
  • Employ behaviour-based detection tools and security solutions that can automatically flag suspicious application activities.
  • Regularly update software and apply security patches to minimise the attack surface and prevent exploitation of known vulnerabilities.

Reviewing All Application Packages Before Production Release

Given the growing prevalence of supply chain attacks, organisations must review all vendor application packages before releasing them to production environments. This process should include:

Verifying the integrity of the application package by checking digital signatures, hashes, and certificates to ensure the software has not been tampered with.

Employing sandboxing techniques to safely test and analyse the application in an isolated environment. This allows organisations to observe the application’s behaviour without risking the security of their production systems.

Conducting regular security audits of vendors and their software development processes to assess the potential risks and ensure adherence to security best practices, such as ISO/IEC 27001. This helps maintain a high level of trust and confidence in the software being delivered.

Establishing a security-focused mindset within the organisation, emphasising the importance of constant vigilance and collaboration between IT, security, and development teams. This can help ensure that security considerations are taken into account throughout the software development lifecycle and in the deployment of applications.
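The integrity check and the post-installation behaviour review described above, as an added example that is not part of the original article: a Python release gate that first compares the installer’s SHA-256 with the hash the vendor published out of band, then reviews sandbox telemetry against an allowlist of the behaviour the vendor documents. The installer bytes, vendor name, hostnames, paths and telemetry events are all constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the downloaded installer and the SHA-256 the vendor published for it.
INSTALLER_BYTES = b"MSI header placeholder\x00" * 32
PUBLISHED_SHA256 = hashlib.sha256(INSTALLER_BYTES).hexdigest()

# Behaviour the (hypothetical) vendor documents for this release; anything outside it needs a human look.
EXPECTED = {
    "network_hosts": {"updates.vendor.example", "licensing.vendor.example"},
    "write_prefixes": ("C:\\Program Files\\VendorApp\\", "C:\\ProgramData\\VendorApp\\"),
    "processes": {"vendorapp.exe", "vendorapp-updater.exe"},
}

# Constructed sandbox telemetry, one JSON event per line, as a behaviour-monitoring tool might export it.
SANDBOX_EVENTS = r"""
{"type": "process_create", "image": "vendorapp.exe", "parent": "msiexec.exe"}
{"type": "net_connect", "image": "vendorapp.exe", "host": "updates.vendor.example", "port": 443}
{"type": "file_write", "image": "vendorapp.exe", "path": "C:\\ProgramData\\VendorApp\\settings.json"}
{"type": "net_connect", "image": "vendorapp.exe", "host": "static-cdn.example.net", "port": 443}
{"type": "file_write", "image": "vendorapp.exe", "path": "C:\\Users\\Public\\helper.dll"}
{"type": "process_create", "image": "rundll32.exe", "parent": "vendorapp.exe"}
"""

def verify_package(data: bytes, published_sha256: str) -> bool:
    """Integrity check: the package must hash to the value the vendor published out of band."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), published_sha256.lower())

def review_behaviour(telemetry: str, expected: dict = EXPECTED) -> list:
    """Post-installation review: report every observed action that is not on the vendor's allowlist."""
    findings = []
    for line in telemetry.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "net_connect" and ev["host"] not in expected["network_hosts"]:
            findings.append(f"unexpected outbound connection to {ev['host']}:{ev['port']} by {ev['image']}")
        elif ev["type"] == "file_write" and not ev["path"].startswith(expected["write_prefixes"]):
            findings.append(f"file written outside the install footprint: {ev['path']} by {ev['image']}")
        elif ev["type"] == "process_create" and ev["image"].lower() not in expected["processes"]:
            findings.append(f"unexpected process {ev['image']} started by {ev['parent']}")
    return findings

def release_decision(data: bytes, published_sha256: str, telemetry: str) -> tuple:
    """Gate: a hash mismatch blocks the package outright; unexplained behaviour holds it for review."""
    if not verify_package(data, published_sha256):
        return "BLOCK", ["package hash does not match the vendor-published value"]
    findings = review_behaviour(telemetry)
    return ("HOLD" if findings else "RELEASE"), findings
```

Calling `release_decision(INSTALLER_BYTES, PUBLISHED_SHA256, SANDBOX_EVENTS)` returns a HOLD verdict with three findings (an undocumented outbound host, a DLL dropped outside the install footprint, and an unexpected child process); a single altered byte in the package returns BLOCK before any behaviour is considered.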

Conclusion

As the risk of supply chain attacks using application installers from reputable vendors continues to rise, organisations must prioritise inspecting applications and their post-installation behaviours to reduce the likelihood of phase 2 and 3 attacks. By thoroughly reviewing all application packages before releasing them to production and maintaining a proactive security posture, organisations can significantly reduce the potential damage caused by these increasingly sophisticated attacks. Implementing a comprehensive approach to software security, including sandboxing techniques, regular vendor audits, and fostering a security-focused culture within the organisation, will help mitigate the risks associated with supply chain attacks and protect valuable assets and data.

References:

(1) Gallagher, S. (2023, April 3). False Positive or the Real Deal? 3CX Supply Chain Attack Raises Questions. The Register. Retrieved from https://www.theregister.com/2023/04/03/3cx_false_positive_supply_chain_attack/

(2) Jackson, M. (2023, April). What Went Wrong with the 3CX Software Supply Chain Attack and How It Could Have Been Prevented. Security Boulevard. Retrieved from https://securityboulevard.com/2023/04/what-went-wrong-with-the-3cx-software-supply-chain-attack-and-how-it-could-have-been-prevented/

(3) Anderson, J. (n.d.). Kaseya Supply Chain Attack: What You Need to Know. Expel. Retrieved from https://expel.com/blog/kaseya-supply-chain-attack-what-you-need-to-know/

(4) International Organization for Standardization (ISO) & International Electrotechnical Commission (IEC). (2013). ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements. Retrieved from https://www.iso.org/standard/54534.html

Want to learn more? Why not get in touch with our team today!

Drivers vs Applications: Understanding the Differences and Implications for Installation

Introduction

When it comes to software development, many misconceptions can lead to confusion or miscommunication. One such misconception is the idea that drivers are applications. While it’s true that drivers are a type of software component, they are not applications in the traditional sense.

Drivers are software components that facilitate communication between hardware and software. They are responsible for translating commands from the operating system or application into signals that can be understood by the hardware. In other words, drivers enable the hardware to function properly by providing the necessary interface between it and the software.

Although drivers are not applications, there is a common misconception that they should or must be packaged and installed like one. This can lead to confusion, as well as issues with installation and compatibility. It’s important to understand that drivers are separate entities from applications and should be treated as such.

Separating Drivers from Application Installers

One of the most important things to understand about drivers is that they do not need to be included as part of an application installer. In fact, it can sometimes be better to separate them out and install them using dedicated tools such as the PowerShell Application Deployment Toolkit, MSIs, or other installer formats that support driver installation.

This means that for those using MSIX, drivers can still be deployed, but they need to be separated from the application installation process. This can be accomplished with dedicated tools such as PowerShell or MSIs, which allow drivers and applications to be installed and configured separately.

Separating drivers from application installers can help to ensure compatibility and reduce the risk of issues with installation or operation. It also makes it easier to manage updates and changes to drivers, as they can be updated separately from the application.

Conclusion

In conclusion, it’s important to understand that drivers are a type of software component and not applications in the traditional sense. They are responsible for facilitating communication between hardware and software and should be treated as separate entities from applications. By separating drivers from application installers using dedicated tools such as PowerShell, MSIs, or other supported installer formats, you can improve compatibility, reduce the risk of issues, and make it easier to manage updates and changes.

appCURE accelerates Workplace and Server Transformation

appCURE is revolutionising the migration of applications to modern workspaces and server platforms. Here are three reasons why you should consider appCURE when looking at Server or Workspace transformation:

One:

appCURE offers a unique proposition when it comes to application migration. It is quite common for organisations to lose installation media over time. With appCURE, we can help resolve this customer challenge with our proprietary technology, which extracts installed applications and converts them into native MSI and MSIX formats.

Two:

appCURE eliminates the need to use type-2 hypervisors for 16-bit and hybrid 16/32-bit Windows applications. There is no need to containerise your apps: appCURE’s technology and solutions enable you to run your 16-bit applications securely and natively on a 64-bit Windows operating system, with direct use of USB and other hardware devices the application requires.

The following diagram depicts the additional resources consumed using type-2 container technology on an Azure Virtual Desktop environment. The same principles apply for physical devices.

[Diagram not reproduced: additional resources consumed by type-2 container technology on Azure Virtual Desktop]

Three:

appCURE is an approved Microsoft third-party packaging provider listed on Microsoft’s website. appCURE has prioritised innovation on MSIX. MSIX is Microsoft’s emerging technology that offers native containerisation for applications. This provides enhanced control and improved security, and removes “Win rot”, a common issue seen on Microsoft operating systems for many years.

Applications are typically one of the most common sources of problems in a workspace or server transformation project. So why not reduce those long project timelines and migrate more quickly? appCURE has the technology to help you.

Do you want to find out more and see some of our recent customer success stories? Get in touch!