Today’s supply chain attack is interesting. I guess I can say that because it didn’t happen to a web site that I own and my information didn’t get stolen.
Here is the situation. Many web sites have embedded videos on them. In this case, most of the sites affected were real estate web sites, which often have virtual tour videos on the page. In order to play a video, you need a video player. There are many video players to choose from, but what almost no one does is write their own, so the player is nearly always third-party code loaded from someone else's server.
Palo Alto Networks found over a hundred affected web sites, many or most of which (depending on which story you read) belong to the real estate firm Sotheby's.
What happened? Somehow a malicious version of the video player got loaded onto these web sites. When a visitor went to a site, the video player code was downloaded to the visitor's browser and ran there with the same access to the page as the site's own code. In this case, the malware was a data skimmer, which steals information that the user types into forms on the web site. It could be name and address information or it could be credit card information. Either can be used for social engineering or financial crimes.
The malware is polymorphic, meaning that no two copies served to visitors are the same, which defeats simple signature-based detection and blocking. The code is also obfuscated, which makes it difficult to read and understand, so even if you tried to figure out whether it was malicious, it is unlikely that you could.
Now that this particular attack has become public, hackers all over the world are going to copy it. All it takes is a server hosting shared code with lax security. The hacker compromises the code where it is hosted, and every web site that already links to it, plus every developer who picks it up later, serves the malicious version to their visitors.
This is not at all limited to video players, even though there are thousands of them. Any shared code that is hosted in the cloud and linked to by developers is a valid target.
This means that you need to have a robust software supply chain risk management program in place, unless you want to end up like these firms, dealing with a damaged reputation.
If you need help with this, please contact us.
Credit: Threatpost and Bleeping Computer