Supply Chain Attack Methodologies – It’s the Installer Now
- "Supply chain attack" encompasses many different forms of attacks and exploits
- Yet another type was recently uncovered – malicious behavior in properly signed installers
- While this particular case was not Java specific, the methodology is language agnostic
With various methods at their disposal, attackers have continually evolved their strategies, compromising everything from individual developer libraries to entire software compilation processes. In our ongoing exploration of these threats, we turn our attention to a new variant: the manipulation of installer files.
Recently, Microsoft Threat Intelligence uncovered an attack by the North Korea-based group Diamond Sleet that used a modified CyberLink application installer: the trojanized installer carried a valid signature from CyberLink's own code-signing certificate and was served from the vendor's legitimate update infrastructure, so neither the signature check nor the download source gave anything away. This incident underscores how universally exposed software supply chains are to this kind of exploit.
Case Study Analysis: The Modified Installer File
Microsoft's revelation about the Diamond Sleet operation unveils yet another variant in the growing zoo of attacks filed under the (very) broad "supply chain attack" moniker: attackers now embed malicious code directly into otherwise legitimate, properly signed software installer files. While this incident involved a specific non-Java application, the implications are far reaching. Nothing about the method depends on the platform or language of the victim software, so it can be repurposed against any project that ships installers, and no project is truly safe.
The Herculean Task of In-House Supply Chain Security
These attacks are not just about causing temporary disruption; they are gateways to espionage, data theft, and significant financial losses. Imagine a scenario where a seemingly benign software update silently siphons corporate secrets or personal data, leading to catastrophic consequences.
Ensuring the security of the supply chain is akin to playing 3D chess – in addition to the multiple variants of each piece, the board itself is complicated. The vastness of this task often overwhelms internal teams. Many organizations lack the specialized expertise and resources required to navigate this labyrinth, leaving critical vulnerabilities unaddressed.
The Growing Threat Landscape
As the cybersecurity community concentrates on combating ransomware and patching known vulnerabilities, the supply chain remains a murky and misunderstood domain. Its complexity and the intricacy of the tools involved make it a prime target for attackers looking to exploit these blind spots.
In Java-land, the risks are similar. Beyond libraries and dependencies that are malicious, whether by intent or because they were compromised, installer files and other distributed artifacts are exposed to the same attack: a valid signature proves who held the signing key, not that the contents are what the vendor meant to ship.
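The following is an added example, not code from the original post or from Microsoft's report, showing how a Java deployment pipeline can go beyond "is it signed?" when accepting a JAR-packaged installer or plugin. Signature verification on its own would have passed the trojanized CyberLink installer, because it was signed with the vendor's own certificate, so the check below also pins the fingerprint of the expected signer certificate and the SHA-256 of the whole file, and rejects archives that mix signed and unsigned entries. The class name, the two `EXPECTED_*` constants and their placeholder values are assumptions for the example; it needs Java 17 or later.

```java
// PinnedJarCheck.java (added example): accept a signed JAR only if
//   1. the whole-file SHA-256 matches a digest pinned from a vetted copy,
//   2. every entry's signature verifies, and
//   3. every entry is signed by the one certificate we expect.
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class PinnedJarCheck {

    // Placeholders (assumed for this example): the digest of the artifact you vetted,
    // and the SHA-256 fingerprint of the certificate the vendor really signs with.
    static final String EXPECTED_FILE_SHA256 = "<sha256 of the vetted installer>";
    static final String EXPECTED_CERT_SHA256 = "<sha256 fingerprint of the expected signing cert>";

    static String sha256Hex(byte[] data) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    /** Returns the reason for rejection, or null if the archive is accepted. */
    static String check(Path jarPath) throws Exception {
        // 1. Whole-file digest. A rebuilt, re-signed installer still changes the bytes,
        //    so a pin taken from an independently vetted copy catches it even when the
        //    signature is genuine.
        String fileDigest = sha256Hex(Files.readAllBytes(jarPath));
        if (!fileDigest.equalsIgnoreCase(EXPECTED_FILE_SHA256)) {
            return "file digest mismatch: " + fileDigest;
        }

        int verifiedEntries = 0;
        // 2. Signature verification. JarFile verifies lazily: an entry's signers are only
        //    known once its bytes have been read to the end, so every entry is consumed.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // Manifest and signature files under META-INF/ are never themselves signed.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream()); // SecurityException if tampered
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return "unsigned entry: " + entry.getName(); // mixed signed/unsigned is a red flag
                }
                // 3. Pin the signer: a valid signature from the wrong certificate is still rejected.
                for (CodeSigner signer : signers) {
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    String fingerprint = sha256Hex(leaf.getEncoded());
                    if (!fingerprint.equalsIgnoreCase(EXPECTED_CERT_SHA256)) {
                        return "unexpected signer " + ((X509Certificate) leaf).getSubjectX500Principal()
                                + " for " + entry.getName();
                    }
                }
                verifiedEntries++;
            }
        } catch (SecurityException e) {
            return "signature verification failed: " + e.getMessage();
        }
        // An archive with no signed content at all proves nothing; do not accept it.
        return verifiedEntries == 0 ? "archive contains no signed entries" : null;
    }

    public static void main(String[] args) throws Exception {
        String reason = check(Path.of(args[0]));
        System.out.println(reason == null ? "ACCEPT" : "REJECT: " + reason);
        System.exit(reason == null ? 0 : 1);
    }
}
```

Two caveats matter in practice. The digest pin is only worth something if it was recorded from a copy you vetted, or obtained over a channel the attacker does not control; in the CyberLink case the malicious build sat on the vendor's own update server, so a checksum fetched from the same place would have matched. And the same three-part check applies to native installers: for a Windows executable, verify the Authenticode signature (for instance with `Get-AuthenticodeSignature` in PowerShell) and then compare the signer's certificate thumbprint and the file hash against your pinned values, rather than stopping at "Valid".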
This is where a tool like SecureChain for Java comes in: a vetted repository offering a collection of Java dependencies, meticulously screened to ensure they are free from malicious code. By integrating SecureChain for Java into your development pipeline, you can safeguard your systems against these insidious threats, whether during development or post-deployment.
Additional Resources
For a deeper dive into the world of supply chain attacks, we recommend our previous posts detailing various types of these threats. Additionally, you can access a wealth of information on cybersecurity best practices through the following