The company says banks and payment systems are under attack

May 5, 2017 21:30 GMT

Microsoft warns of a new series of attacks that are trying to hijack the update system of a popular software application in order to deploy malware on computers owned by financial organizations and payment services.

The company hasn’t disclosed the name of the software solution that’s being attacked, but it did reveal that it’s a very popular editing application, adding that the software vendor that created it is also experiencing a number of attacks.

This new series of attacks was detected by the Windows Defender Advanced Threat Protection (Windows Defender ATP) research team, who revealed that the company which developed the targeted software was unaware of the issue.

“Its early discovery allowed incident responders - a collaboration of security experts from the targeted industries and developers working for the third-party software vendor - to work with Microsoft security researchers to promptly identify and neutralize the activities associated with this cyberespionage campaign,” Microsoft says.

By hijacking the software update system, the attackers deployed an executable file on the target computers, which was then used to obtain remote access and, with it, full control of the victim machines.

PowerShell scripts to get control of the system

The executable file uses PowerShell scripts bundled with the Meterpreter reverse shell, which gives the attacker control of the machine without the user noticing. Microsoft flags the file as Rivit.

The software giant says a similar technique was used in the past on several high-profile targets, though in this case the attacks are specifically aimed at more valuable systems.

“This generic technique of targeting self-updating software and their infrastructure has played a part in a series of high-profile attacks, such as unrelated incidents targeting Altair Technologies’ EvLog update process, the auto-update mechanism for South Korean software SimDisk, and the update server used by ESTsoft’s ALZip compression application,” the company adds.

Microsoft says that third-party software developers should improve the security of their update mechanisms, pointing out that strong encryption has become a must-have given the growing number of attacks that attempt to hijack these systems.

Software makers should not allow blind execution of downloaded updates, the company says, and should always validate the digital signatures on those updates against the vendor's own certificates.
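As an added illustration of the signed-update check described above (example code, not from Microsoft or from the unnamed vendor), the following Go program has the update client verify an Ed25519 signature over the update manifest with a pinned vendor key, compare the payload's SHA-256 with the value in the manifest, and refuse downgrades, all before anything is executed. The key pair, manifest format and sample payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update; the vendor signs its JSON encoding offline.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update payload
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDowngrade    = errors.New("manifest version not newer than installed")
	ErrHashMismatch = errors.New("payload hash does not match manifest")
)

// SignManifest is the vendor side: it returns the signed bytes and signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, []byte, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return b, ed25519.Sign(priv, b), nil
}

// VerifyUpdate is the client side: nothing is run unless it returns nil.
// pub is the vendor key pinned in the client, not fetched with the update.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte, installed int) error {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return ErrBadSignature // unsigned or re-signed by someone else
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return err
	}
	if m.Version <= installed {
		return ErrDowngrade // a replayed old manifest is still validly signed
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch // payload swapped after the manifest was signed
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	payload := []byte("constructed sample update payload")
	sum := sha256.Sum256(payload)
	mj, sig, _ := SignManifest(priv, Manifest{Version: 2, SHA256: hex.EncodeToString(sum[:])})
	fmt.Println("genuine:", VerifyUpdate(pub, mj, sig, payload, 1))
	fmt.Println("swapped:", VerifyUpdate(pub, mj, sig, []byte("tampered"), 1))
}
```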