Altair Technologies Ltd. of Mississauga, Ont., issued a brief notice on Wednesday (under “Latest Updates”) that the RSA whitepaper relates to a June 30, 2016 security notification it had published on its Web site for the company’s EvLog 3.0 Windows event log analyzer, a tool whose users would include IT administrators. That notification warned users that if they had downloaded or updated the software between Apr 9 and 26, 2015 there was a high likelihood the software had been compromised, and that remnants could remain even if the software had since been deleted.
RSA dubbed the sophisticated attack Kingslayer and didn’t identify the victim, but said the company’s customers include telecom providers, military organizations, defense contractors, banks and IT companies. However, security reporter Brian Krebs noted the RSA report did say the victim company had issued its notification on June 30, 2016, and he traced it to Altair.
Krebs’s story on Tuesday led to Altair owner Adrian Grigorof giving him a statement Wednesday including the following: “Rest assured that the EvLog incident has been reviewed by a high-level security research company and the relevant information circulated to the interested parties, including antivirus companies.”
Krebs makes much of the quiet disclosure by Altair Technologies — there was no link on the Web site to the 2016 notification or evidence the company used social media to spread the word. In his defense, Grigorof said he doesn’t expect a large organization would use EvLog, which he describes as “a very simple tool.” He also said Altair doesn’t keep track of people who downloaded the tool.
This part of the story falls under the proposed breach notification regulations Ottawa is poised to release for organizations that have to comply with the Digital Privacy Act. The law specifies that organizations must report to the federal privacy commissioner, and notify affected customers of, “breaches of security safeguards” that pose a “real risk of significant harm” to affected individuals.
The commissioner has the discretion to make that disclosure public — unlike several U.S. states, where all breach disclosures are automatically posted on an easy-to-find government Web site. Whether the proposed regulations will spell out how, and how much, the commissioner has to disclose will be closely watched.
As for the RSA report, it calls Kingslayer a “software application supply chain attack”, in that the malware was inserted into a software product that is then distributed to other organizations. The advantage, the report notes, is that a single compromise gets threat actors numerous targets with minimal additional effort. “This attack is different in that it appears to have specifically targeted Windows operating system administrators of large and, perhaps, sensitive organizations … Nearly two years after the Kingslayer campaign was initiated, we still do not know how many of the customers listed on the website may have been breached, or possibly are still compromised, by the Kingslayer perpetrators.”
The attack came to RSA’s attention while it was investigating another exploitation campaign that involved an unusual beacon signal. Soon it realized an application used to analyze Windows logs (presumably EvLog) had been corrupted with malicious, signed code. Eventually, working with the vendor (Altair), investigators concluded the application’s update server was where the breach took place. A subscriber updating their software got a corrupted version containing the backdoor, made to appear authentic with a stolen code-signing private key — which is why a signature check alone would have passed the trojaned build.
These “software supply chain” attacks are likely to expand, warns RSA: not only do they lead a threat actor to multiple potential targets and evade traditional network analysis and detection tools, but if the attacker gains a foothold through an administrator tool it is the ideal beachhead for exploiting an enterprise. “A system administrator’s workstation and cache of credentials invariably provides the most access of any system on an enterprise network,” the report notes.
As a result RSA reminds software makers of the importance of file integrity monitoring, secure (dedicated or virtually private) hosting, validated time-stamping of digital signatures, secure storage and deployment of code-signing keys, ideally in a Hardware Security Module (HSM), comprehensive network and endpoint visibility of the development environment, and having a breach disclosure policy that ensures timely incident notification to affected customers.
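The first of those recommendations, file integrity monitoring of the hosting or update server, is the control that would have flagged a swapped installer regardless of whether its signature looked valid. The following is an added example (not code from the RSA report or from Altair) of a minimal integrity monitor for a release directory: it baselines every file’s SHA-256 into a manifest, protects the manifest with an HMAC whose key is assumed to live off the web server (on the build host, say), and reports files that were modified, added or removed. The directory contents, file names and key are constructed for the demonstration. The caveat is that this only detects changes made after the baseline was taken on the server; an attacker who controls the build pipeline upstream of the baseline, or who steals the HMAC key along with the code-signing key, is not caught by it.

```python
"""Minimal file-integrity monitor for a software download/update directory.

Added example; assumes the HMAC key is stored somewhere the hosting server
cannot read (e.g. the build host), so an intruder on the server cannot simply
rebuild the manifest after swapping a binary.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large installers do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def build_manifest(root: Path, key: bytes) -> bytes:
    """Serialize the snapshot and append an HMAC tag on its own line."""
    body = json.dumps(snapshot(root), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def load_manifest(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting the baseline; a forged manifest is rejected."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("manifest HMAC mismatch: the manifest itself was altered")
    return json.loads(body)


def verify(root: Path, manifest_blob: bytes, key: bytes) -> dict:
    """Compare the live directory against the baseline and classify every difference."""
    baseline = load_manifest(manifest_blob, key)
    current = snapshot(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a release directory, then simulate an
    update-server compromise that swaps the installer and drops an extra file."""
    key = b"demo-only-hmac-key-kept-off-the-web-server"  # constructed
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed placeholder files; not real EvLog artifacts.
        (root / "evlog-setup.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"original installer")
        (root / "release-notes.txt").write_text("3.0 release")
        manifest = build_manifest(root, key)
        clean = verify(root, manifest, key)
        assert clean == {"modified": [], "added": [], "removed": []}

        # Intruder replaces the installer with a backdoored build (still a valid PE
        # as far as a signature check goes if the signing key was stolen) and adds a file.
        (root / "evlog-setup.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"backdoored installer")
        (root / "update.xml").write_text("<update/>")
        report = verify(root, manifest, key)

        # Intruder also tries to regenerate the manifest without the off-server key.
        forged = build_manifest(root, b"wrong-key")
        try:
            load_manifest(forged, key)
            report["manifest_tamper_detected"] = False
        except ValueError:
            report["manifest_tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real release tree, the baseline would be generated on the build host immediately after signing and the verify step scheduled on the hosting server (or, better, from a separate monitoring host that mounts the content read-only), with any non-empty report treated as an incident rather than a warning.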
Network admins are reminded that they are prime targets of exploits and shouldn’t exempt their own systems, or systems to which only they have access, from network and endpoint visibility.