Attackers compromised financial and government websites in a newly disclosed supply-chain attack, almost certainly to deliver malware to visitors. The tactic highlights the risk that comes with requiring users to download software in order to use a site.
This week, ESET researchers accused the Lazarus group, the North Korean APT group also known as Hidden Cobra, of attacking several South Korean websites that, paradoxically, require visitors to install special security software on their devices before using the site.
That installation process is handled by a downloadable integration-installer utility called Wizvera VeraPort. According to ESET, some websites require users to install Wizvera VeraPort so that the required browser plug-ins, security software or identity-verification software are installed automatically with minimal user interaction.
While this was not a compromise of Wizvera VeraPort’s own infrastructure, some of the websites that support Wizvera VeraPort were compromised, which allowed the attackers to replace the usual VeraPort software bundle with malware.
This raises the question: does requiring users to download software before they can use a website or online service, even security software, introduce more risk than reward?
“Generally, [it] sounds like a bad idea; it’s risky,” said Richard Absalom, a senior research analyst at the Information Security Council. Absalom notes that while this recent Korean case involved compromised websites, the third-party software itself could also be compromised or trojanized, becoming a single “point of failure” for many companies and thus a weak spot from a security point of view.
This recent incident is somewhat reminiscent of another campaign in which attackers embedded a malicious backdoor in tax and accounting software that a Chinese bank required its business customers to download in order to do business with it.
Moreover, “a similar demand for third-party software was at the center of the most devastating cyber attack in history: NotPetya,” said Absalom, referring to the destructive Russian wiper disguised as ransomware. “In order to do business in Ukraine, companies had to have the M.E.Doc accounting software installed, and it was a vulnerability in that software that was exploited by NotPetya, resulting in the closure of businesses around the world.”
However, the scale of the attack was limited to those websites the attackers were first able to compromise. For the campaign to work, a website had to support Wizvera VeraPort and have a server-side VeraPort configuration that allowed the criminals to replace the normal bundled software with malware. In some cases, the attackers distributed payloads signed with a valid code-signing certificate.
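The attack pattern described above, a server-side bundle manifest rewritten to point at a swapped component that still carries a valid code signature, is the reason a client-side installer should not trust the manifest alone. The following is an added example, not ESET's analysis or Wizvera's code, of the check a defender would want such an installer to perform: every component is compared against a hash and publisher allow-list pinned inside the installer, so a compromised website cannot simply rewrite the expected values. The manifest format, component names, publisher names and file contents are all constructed for illustration.

```python
"""Added example (not ESET's or Wizvera's code): verifying a software-bundle
manifest against expectations pinned in the installer rather than served by
the website. Manifest layout, names and payload bytes are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BundleEntry:
    """One component listed in the server-side bundle manifest (constructed model)."""
    name: str
    url: str
    sha256: str            # hash the server-side manifest claims for the file
    signer: str            # publisher named in the file's code-signing certificate
    signature_valid: bool  # result of the platform's signature check (simulated here)


# Constructed sample payloads standing in for real installer files.
GOOD_BYTES = b"constructed benign component v1.0"
SWAPPED_BYTES = b"constructed malicious replacement"

# Expectations pinned inside the installer itself, which a compromised website
# cannot rewrite. The hashes are derived from the constructed sample bytes.
PINNED: Dict[str, Dict[str, str]] = {
    "secure-keyboard": {
        "sha256": hashlib.sha256(GOOD_BYTES).hexdigest(),
        "signer": "Example Security Co. (hypothetical)",
    },
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_entry(entry: BundleEntry, file_bytes: bytes,
                pinned: Dict[str, Dict[str, str]] = PINNED) -> List[str]:
    """Return the reasons an entry must be rejected; an empty list means install."""
    problems: List[str] = []
    actual = sha256_hex(file_bytes)

    if entry.name not in pinned:
        problems.append("component not in pinned allow-list")
        return problems  # nothing further to compare against
    expected = pinned[entry.name]

    # 1. The manifest hash is only as trustworthy as the (compromisable) server.
    if actual != entry.sha256:
        problems.append("manifest hash mismatch (corrupt or tampered download)")
    # 2. The pinned hash is the control that survives a server compromise.
    if actual != expected["sha256"]:
        problems.append("pinned hash mismatch (component replaced)")
    # 3. A valid signature from the wrong publisher is still the wrong file.
    if not entry.signature_valid:
        problems.append("code signature invalid")
    elif entry.signer != expected["signer"]:
        problems.append(f"signed by unexpected publisher: {entry.signer}")
    return problems


def check_bundle(entries: List[BundleEntry],
                 downloaded: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Evaluate a whole manifest; returns {component name: problems}."""
    return {e.name: check_entry(e, downloaded[e.name]) for e in entries}


# Constructed manifest entries for the demo.
GOOD_ENTRY = BundleEntry("secure-keyboard", "https://vendor.example/kb.exe",
                         sha256_hex(GOOD_BYTES),
                         "Example Security Co. (hypothetical)", True)
# The attacker controls the manifest, so its hash matches the swapped file, and
# the file carries a valid signature from a different (hypothetical) company.
SWAPPED_ENTRY = BundleEntry("secure-keyboard", "https://vendor.example/kb.exe",
                            sha256_hex(SWAPPED_BYTES),
                            "Other Legit Co. (hypothetical)", True)

if __name__ == "__main__":
    for label, entry, data in (("genuine", GOOD_ENTRY, GOOD_BYTES),
                               ("swapped", SWAPPED_ENTRY, SWAPPED_BYTES)):
        problems = check_entry(entry, data)
        print(label, "-> install" if not problems else "-> reject: " + "; ".join(problems))
```

The swapped component passes the manifest hash check and the signature check, because both are under the attacker's control; only the pinned hash and pinned publisher catch it. In a real installer the `signature_valid` flag would come from the platform's Authenticode or equivalent verifier, and the pinned table would be updated only through the installer's own signed update channel.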
ESET senior malware researcher Peter Kálnai acknowledges that websites increase risk when they require software downloads, but not as much as one might think if the third-party code provider is a trusted company. “Of course, the risk may be higher if third parties are not pushed toward responsible behavior.”
Still, website operators are better off not introducing more risk to consumers than their own environment already carries by requiring downloads of unwanted code. Fortunately, the websites of US banks, government agencies and other regulated companies generally do not require their customers to download any particular brand of software to interact with them.
But outside the United States, this remains an issue.
“In 2016, the South Korean government decided to move away from the outdated ActiveX technology [as a software plug-in], and began to support alternative software and mobile platforms with the direct assistance of FinTech startups. However, the official Japanese tax system for individuals and companies will still require ActiveX and Internet Explorer in 2020,” said Kálnai. “New trends, though, [software downloads] could increase the problem of interactions between banks, customers and third parties such as payment service providers in the EU.”
In addition, “In the UK, many banks ask customers to use Rapport, a third-party security software,” Absalom said. “However, they only recommend that users download the software. They do not force it.”
Websites that require these types of downloads, even if they do not have to, may have trouble gaining the trust of some customers. “There is a question about usability and trust,” Absalom said. “I am wary if a website tells me to download anything. I immediately wonder whether this is legitimate. This does not apply to every user, but it can bother a significant number.”
Besides, “most companies can provide all the necessary functionality using their own software, e.g. secure identification and authentication, encryption,” Absalom said, without relying on third-party code. “For websites that handle sensitive customer data, [including] payment details, as a customer you can expect it to be built into the platform.”
On Nov. 18, the Korean CERT issued an advisory urging VeraPort users to make sure they are running version 188.8.131.52 or higher to avoid exploitation.