November 3, 2021

Are We Ready for Mass-Market Malicious Updates?

Forcepoint Future Insights 2022 Series—Part 2
Stuart Taylor Sr. Director, Security Labs

Welcome to the second post in our Forcepoint Future Insights series, which offers insights and predictions on cybersecurity that may become pressing concerns in 2022.

Here is the next post from Stuart Taylor, Senior Director of Forcepoint's X-Labs.

In November 2020, the Sunburst incident shocked the industry. Using highly sophisticated malware hidden inside legitimate software updates, the attackers not only exfiltrated targeted data but also spread the malware across a huge number of victims.

It was an unusually complex and sophisticated attack. Data-exfiltration malware named Sunburst was delivered via the SolarWinds Orion software, a trusted update which was delivered to more than 18,000 public and private organizations. Lying dormant for up to 14 months, the malware then began its work of exfiltrating data. This is now recognized as the biggest example to date of a supply chain attack, impacting US government organizations, huge enterprises including FireEye, Microsoft and Deloitte, as well as thousands of smaller companies. We still don’t fully understand the complete picture, and despite a patch being available, live malware may still be in the wild.

Hindsight is a wonderful thing, but this supply chain attack was not the first. Petya back in 2017 took advantage of this method, Asus Live Update users suffered the same fate in 2019, and phishing emails have been using software update lures to trick people into downloading malware for several years.

Once a technique is proven to work – and with dramatic and headline-grabbing results – copycat attacks will follow. We’ve already seen Kaseya, an Irish IT solution provider, be hit by a similar technique in summer 2021, where its remote-monitoring tool was infiltrated with malware, allowing attackers access to multiple end-customers.

"In 2022, we expect to see a significant rise in criminal copycats delivering a variety of malware via software updates."

Taking a closer look at software attack vectors

It's clear that both nation-states and hacker groups alike will continue to target supply chain providers across multiple industries. I’ve written about how technical debt can make organizations vulnerable. That’s one consideration. But how and where are bad actors launching new attacks? What other attack vectors could be exploited?

While attacks like Sunburst and the ransomware attacks perpetrated by the REvil group, such as the one against Kaseya, continue to draw mainstream attention, one lesser-reported hack in 2021 caught my attention: the four OMIGOD vulnerabilities that affect the Open Management Infrastructure (OMI) software agent on Azure Linux machines.

Open source projects continue to grow exponentially. It’s true that open source software security has improved dramatically over the last 10 years, and there’s no question that open source software vulnerabilities are being patched at a much more rapid pace. That’s the good news. But it’s also true that open source supply chain attacks are increasing at an alarming rate. In its 2021 State of the Software Supply Chain report, Sonatype estimates 12,000 attacks on open source projects occurred—representing a 650% increase year over year.

The competitive priority placed on innovation and relentless focus on shortening time-to-market drives organizations large and small to adopt open source projects. Government agencies and private sector organizations alike feel the pressure to innovate and to deploy software projects at an ever-increasing rate. But the adage to ‘move fast and break things’ comes at a cost, especially from a cybersecurity perspective.

As such, it’s imperative for each of us across the public and private sector to prioritize security across every one of our open source projects. Leveraging open source is partly about innovation and time to market. But organizations must perform due diligence at many stages throughout a project. That translates to multiple layers of code review both at the start of a project and throughout the development and deployment process. No small undertaking indeed, and made even more complicated when you consider that exploits can come from bad actors outside the organization or from internal resources working on those projects.

How can we protect ourselves?

A key weapon in the fight against malicious software updates is addressing technical debt. This is the difference between the ‘price’ (time, human resources, technology investment) a technical project should cost in order to be perfect and future-proofed, and the ‘price’ an organization is prepared to pay at the time. Products can get behind the curve due to reduced investment, but a lot of this debt centres around applying software updates – absolutely necessary, and so often overlooked.

Even though there is the possibility that malicious actors (whether nation-state or financially-motivated criminal!) may push malware through software updates, IT administrators must keep on top of applying updates and patches as they come in.

If technical debt builds, vulnerabilities and security holes will provide a way in for attackers – and the combination of new malware delivery techniques plus unpatched vulnerabilities causes concern.

In addition, with the increase in hybrid working, end users are having to be more responsible for patching and updating their systems. This could lead to either updates not happening at all, or updates being applied by those unused to the task, meaning they are more likely to accept behavior IT teams would spot as suspicious. Leaders should ensure that cybersecurity training is rolled out and regularly updated, to ensure employees act as a first line of defense.

The Sunburst malware wasn’t the first incident to take advantage of malicious software updates and it certainly isn’t going to be the last, but with company-wide awareness and strong patch management we can raise our defenses.

Stuart Taylor

Sr. Director, Security Labs

Stuart Taylor is the Senior Director of Forcepoint X-Labs and is based in the UK.  Stuart has over 20 years of experience in the cybersecurity industry.  Prior to joining Forcepoint he spent several years running the Global Engineering Operations and UK Threat Lab of...

