This article originally appeared on Security Magazine.
Last month’s ASUS APT attack doesn’t come as a surprise to any security-conscious industry watcher; it highlights a long-standing flaw in many software supply chains. Attackers have been spoofing websites, stealing credentials and gaining unauthorized access for years. Injecting malicious code into legitimate tools that are designed to protect represents the next evolution in putting companies and their customers at risk. Code signing was established as a digital seal that lets an organization verify the identity of the software publisher and confirm that the code has not been tampered with or altered since it was signed. However, if code-signing certificates and their private keys are not properly managed, the result is an attack like the recent ASUS hack, or potentially worse.
In the case of ASUS, attackers planted malware in an update that was signed with a valid ASUS certificate and therefore looked legitimate. A valid signature only proves that the holder of the signing key signed those exact bytes; it cannot tell the consumer whether the signed update is good or bad. Businesses running the standard update process therefore had no way to discern the malicious update from a genuine one and became vulnerable to attack.
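The gap described above, as an added example that is not code from the article or from ASUS: a signature check proves who signed an update and that it was not modified afterwards, but a payload signed with a stolen key passes exactly the same check. The example uses Ed25519 from the Go standard library, constructed payload strings, and a hypothetical out-of-band manifest of known-good release digests as the second check a hardened updater would add; all of those are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is a signed update as a client would download it: the update bytes
// plus a detached signature made with the publisher's signing key.
type Release struct {
	Payload   []byte
	Signature []byte
}

// Sign produces a release the way a publisher's build pipeline would.
func Sign(priv ed25519.PrivateKey, payload []byte) Release {
	return Release{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifySignature is what a typical updater checks: does the signature
// validate under the publisher's public key? It proves the key holder signed
// exactly these bytes; it says nothing about whether the bytes are benign.
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Payload, r.Signature)
}

var (
	ErrBadSignature = errors.New("signature does not verify under publisher key")
	ErrUnknownBuild = errors.New("signature valid but digest not in known-good manifest")
)

// Digest is the SHA-256 of a payload, hex encoded, used as the manifest key.
func Digest(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// VerifyAgainstManifest adds the second check (an assumption for this example):
// the release digest must also appear in a manifest obtained out of band, such
// as a pinned list of digests the publisher committed to for this version.
// A stolen signing key satisfies VerifySignature but not this check.
func VerifyAgainstManifest(pub ed25519.PublicKey, r Release, manifest map[string]bool) error {
	if !VerifySignature(pub, r) {
		return ErrBadSignature
	}
	if !manifest[Digest(r.Payload)] {
		return ErrUnknownBuild
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed payloads standing in for a real updater binary.
	good := Sign(priv, []byte("LiveUpdate v1.2.3: constructed benign payload"))

	// Same signature, one byte changed after signing: the integrity check catches this.
	tampered := Release{Payload: append([]byte{}, good.Payload...), Signature: good.Signature}
	tampered.Payload[0] ^= 0xff

	// Attacker who obtained the publisher's key signs their own payload.
	backdoored := Sign(priv, []byte("LiveUpdate v1.2.3: constructed payload with implant"))

	fmt.Println("good, signature only:      ", VerifySignature(pub, good))       // true
	fmt.Println("tampered, signature only:  ", VerifySignature(pub, tampered))   // false
	fmt.Println("backdoored, signature only:", VerifySignature(pub, backdoored)) // true: the gap

	manifest := map[string]bool{Digest(good.Payload): true}
	fmt.Println("backdoored, with manifest: ", VerifyAgainstManifest(pub, backdoored, manifest))
}
```

The manifest check only helps if the manifest is distributed and protected independently of the signing key, for example pinned in the client or published through a channel the build pipeline cannot rewrite on its own; otherwise an attacker holding the key simply signs a new manifest as well.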