The National Cyber Security Centre Finland’s weekly review – 49/2022

Information security now!

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 2–8 December 2022). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.

TLP:CLEAR

Topics covered in this week’s review

  • Android platform certificates leaked
  • Dependency confusion and supply chain attacks can be difficult to detect
  • Cyber attacks can have unexpected impacts on the availability of services
  • Vulnerabilities

Android platform certificates leaked

In May this year, Google was notified that several platform certificates used to sign applications on its Android operating system may have been leaked. Android OEMs (Original Equipment Manufacturers) use these certificates to sign their Android builds; they work like a digital signature whose purpose is to authenticate the Android operating system running on a mobile device. According to public reports, the leaked certificates belong to Samsung, LG, MediaTek and Revoview, among others. [1]

The greatest risk resulting from the leak is that the certificates can be used to sign malicious applications. Android would treat such an application as carrying the same certificate as the operating system itself and would consequently grant it system-level access, i.e. the highest possible level of access to the device. According to Google, however, malware signed in this way would still be caught by the security mechanisms of its Google Play Store. As such, only applications downloaded from sources other than official application stores, such as Google Play or the Galaxy Store, are at risk. The APKMirror service, which monitors Android applications, has identified over 1,700 applications that are still signed with the leaked platform certificates. [2]

According to Samsung, its leaked certificate may have been used for malicious purposes as early as 2016. This came to light when a suspected malicious application signed with Samsung’s platform certificate was submitted to the VirusTotal service. However, Samsung states that it is not aware of any security incidents related to this potential vulnerability. [3]

Below are some steps that users can take to mitigate the risks posed by the leak:

  1. Always install the latest operating system updates on your devices.
  2. Always install the latest application updates on your devices.
  3. Download applications only from official application stores.
  4. If your device no longer receives updates, give serious consideration to replacing it with one that is still supported with security and operating system updates.
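The practical consequence of the leak for anyone who vets Android applications is that a valid signature is no longer proof of origin on its own: the signer's certificate also has to be checked against the list of leaked certificates. The script below is an added example, not NCSC-FI code or a tool from any of the vendors named above. It parses the text printed by `apksigner verify --print-certs <apk>` (the output format is assumed from the Android SDK build-tools) and reports every signer whose SHA-256 certificate digest is on a leaked-certificate inventory. The fingerprints and the sample output are constructed placeholders, not the real Samsung, LG or MediaTek certificates.

```python
"""Flag Android apps whose signing certificate matches a known-leaked platform certificate.

Added example, not NCSC-FI code. It parses the text printed by
`apksigner verify --print-certs <apk>` (output format assumed from the Android
SDK build-tools) and compares each signer's SHA-256 digest with an inventory of
leaked-certificate fingerprints. The fingerprints and the sample output below
are PLACEHOLDERS constructed for the demonstration, not the real leaked
Samsung, LG or MediaTek certificates.
"""
import re
from typing import Dict, List

# PLACEHOLDER fingerprints (64 lower-case hex characters each). Replace with the
# published SHA-256 digests of the leaked platform certificates.
LEAKED_PLATFORM_CERTS: Dict[str, str] = {
    "0" * 63 + "1": "placeholder OEM A platform certificate",
    "0" * 63 + "2": "placeholder OEM B platform certificate",
}

# One line per signer, e.g. "Signer #1 certificate SHA-256 digest: <64 hex chars>".
_DIGEST_RE = re.compile(
    r"^Signer #(?P<idx>\d+) certificate SHA-256 digest:\s*(?P<hex>[0-9a-fA-F]{64})\s*$",
    re.MULTILINE,
)


def signer_digests(apksigner_output: str) -> Dict[int, str]:
    """Map signer index -> SHA-256 digest (lower-case hex) found in the output."""
    return {int(m["idx"]): m["hex"].lower() for m in _DIGEST_RE.finditer(apksigner_output)}


def flag_leaked_signers(apksigner_output: str) -> List[str]:
    """Describe every signer whose certificate is on the leaked-certificate list.

    An app signed with the platform certificate is treated by Android as part of
    the platform, so a match here means the APK must not be trusted merely
    because its signature verifies.
    """
    findings = []
    for idx, digest in sorted(signer_digests(apksigner_output).items()):
        owner = LEAKED_PLATFORM_CERTS.get(digest)
        if owner is not None:
            findings.append(f"signer #{idx} uses leaked certificate ({owner})")
    return findings


# Constructed sample in the shape of apksigner's --print-certs output.
SAMPLE_OUTPUT = "\n".join([
    "Verifies",
    "Verified using v1 scheme (JAR signing): true",
    "Verified using v2 scheme (APK Signature Scheme v2): true",
    "Number of signers: 1",
    "Signer #1 certificate DN: CN=Android, OU=Android, O=Android, C=US",
    "Signer #1 certificate SHA-256 digest: " + "0" * 63 + "1",
    "Signer #1 certificate SHA-1 digest: " + "0" * 39 + "1",
])

if __name__ == "__main__":
    for finding in flag_leaked_signers(SAMPLE_OUTPUT) or ["no signer matches the leaked-certificate list"]:
        print(finding)
```

In practice the same check belongs in a mobile device management or app-vetting pipeline, run against every APK that is side-loaded from outside the official stores, because those are exactly the applications that the Play Store's own checks never see.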

Dependency confusion and supply chain attacks can be difficult to detect

In today’s society, no one can operate completely on their own. We all depend on a variety of services in our everyday lives, and organisations are also dependent on one another. For example, grocery shops need food products to sell, their manufacturers need high-quality ingredients, and both need drivers to transport their products. These drivers, in turn, need a maintained road network, which is the end result of a maintenance process dependent on a variety of factors.

All organisations have dependencies, but not all organisations are dependent on the same things or operators. And just like the real world, where different operators are dependent on one another, the digital world is also full of various types of interdependencies.

Identifying and maintaining awareness of dependencies is an essential part of organisations’ risk management. In addition to things like services, workstations and operating system updates, organisations are also dependent on software libraries. These software libraries can be proprietary, public or based on hybrid models, for example.

The files, software and systems that organisations use form complex and long supply chains. To genuinely manage the risks associated with these supply chains, organisations need to be aware of all the different parts that they consist of.

In a supply chain attack, the information systems of an organisation are breached via the networks, services, products or open source projects it uses. The attack exploits the trust of organisations in their suppliers. The attack vector may involve partners, service providers, software or devices.

The attackers penetrate the supplier’s systems and insert their own malicious code into the component used in the supply chain, which then spreads via the normal product distribution channel to the partner and customer organisations.

The aim of a supply chain attack is to gain a foothold in different organisations along the supply chain. Once a foothold has been secured, it can be used in different kinds of further attacks, such as data breaches and ransomware attacks.

The detection and management of supply chain attacks is important because they can have a major impact on the organisation’s reputation and on the trust placed in it within its network. The victims of a supply chain attack include both the supplier and the customer. As such, managing supply chain attacks requires openness and cooperation between the different parties.

Detecting an information security breach that has occurred via a supply chain may be challenging, because the attacker exploits the organisation’s trust in its partners. The intrusion is often carried out by using the partners’ connections or by infecting an application provided by them. In such cases, the attacker does nothing at the intrusion stage that could be interpreted as suspicious or harmful.
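Dependency confusion, named in the heading of this section, is the supply chain case where a build pulls a package from a public registry because a package name used internally is also present there, typically with a higher version number, so the resolver prefers the public copy. Knowing "all the different parts" of a software supply chain therefore starts with an inventory of declared dependencies and of where each one is resolved from. The script below is an added example, not NCSC-FI material or any vendor's tool. It reads a pip `requirements.txt`, builds that inventory, and flags the three preconditions that make a substitution possible: an extra public index, an internal package name that is not pinned to a private index, and entries without a version pin or a `--hash`. The internal package names, index URLs and file contents are constructed for the demonstration.

```python
"""Inventory a pip requirements file and flag dependency-confusion preconditions.

Added example, not NCSC-FI code. Assumptions: the requirements.txt subset
handled is plain "name==version" lines with optional "--hash=" continuations,
plus "--index-url" / "--extra-index-url" options; the internal package names,
index URLs and file contents are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

SPEC_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<spec>.*)$")


@dataclass
class Requirement:
    name: str
    specifier: str                              # "==1.4.2", ">=2", or "" if unpinned
    hashes: List[str] = field(default_factory=list)


@dataclass
class Inventory:
    index_url: str = ""                         # "" means pip's default public index
    extra_index_urls: List[str] = field(default_factory=list)
    requirements: List[Requirement] = field(default_factory=list)


def _logical_lines(text: str) -> List[str]:
    """Drop comments and join backslash-continued lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out


def parse_requirements(text: str) -> Inventory:
    """Build the dependency inventory: index configuration plus every requirement."""
    inv = Inventory()
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] in ("-i", "--index-url") and len(tokens) > 1:
            inv.index_url = tokens[1]
        elif tokens[0] == "--extra-index-url" and len(tokens) > 1:
            inv.extra_index_urls.append(tokens[1])
        elif tokens[0].startswith("-"):
            continue                            # other pip options are not inventoried here
        else:
            m = SPEC_RE.match(tokens[0])
            if m is None:
                continue
            req = Requirement(m["name"], m["spec"].strip())
            req.hashes = [t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash=")]
            inv.requirements.append(req)
    return inv


def normalise(name: str) -> str:
    """PEP 503 name normalisation so Foo_Bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def assess(text: str, internal_packages: Set[str]) -> List[str]:
    """Return findings describing how a public package could be substituted."""
    inv = parse_requirements(text)
    internal = {normalise(n) for n in internal_packages}
    findings = []
    if inv.extra_index_urls:
        findings.append("--extra-index-url lets pip pick the highest version from any index, "
                        "so a public package carrying an internal name can win")
    for req in inv.requirements:
        if normalise(req.name) in internal and (not inv.index_url or inv.extra_index_urls):
            findings.append(f"{req.name}: internal name resolvable from a public index")
        if not req.specifier.startswith("=="):
            findings.append(f"{req.name}: version not pinned ({req.specifier or 'any'})")
        if not req.hashes:
            findings.append(f"{req.name}: no --hash, a substituted artifact would not be rejected")
    return findings


# Constructed names and files for the demonstration.
INTERNAL_PACKAGES = {"acme-billing-core", "acme_auth_sdk"}

WEAK_REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
acme-billing-core==3.2.0
acme_auth_sdk>=1.0
requests==2.28.1 \\
    --hash=sha256:""" + "0" * 64 + "\n"

HARDENED_REQUIREMENTS = """\
--index-url https://pypi.internal.example/simple
acme-billing-core==3.2.0 --hash=sha256:""" + "1" * 64 + """
acme_auth_sdk==1.4.0 --hash=sha256:""" + "2" * 64 + """
requests==2.28.1 --hash=sha256:""" + "0" * 64 + "\n"

if __name__ == "__main__":
    for finding in assess(WEAK_REQUIREMENTS, INTERNAL_PACKAGES):
        print("weak:", finding)
    print("hardened findings:", assess(HARDENED_REQUIREMENTS, INTERNAL_PACKAGES))
```

The hardened file shows the shape of the fix: a single private index that is the only place names are resolved from, every version pinned, and a hash on every entry so that an artifact of the same name and version but different content is rejected at install time.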

Cyber attacks can have unexpected impacts on the availability of services

In a networked world, the woes of one quickly become the woes of many, and cyber attacks are often intended to harm not only the party being attacked but others as well. Just this week, there have been reports of problems stemming from interdependencies and supply chain challenges in at least Belgium, Sweden, Germany and New Zealand.

In Sweden, there have been reports of a suspected cyber attack that threatens to leave up to 35,000 Swedes without social security benefits, at least temporarily. The cyber attack on IT service provider Softronic was detected on Friday 2 December and resulted in the systems of Sweden’s unemployment fund (Sveriges A-kassor) being completely shut down as a precaution. The incident is still being investigated by the police and the Swedish Civil Contingencies Agency (MSB). [1–4]

In New Zealand, a ransomware attack on an IT service provider has had cascading effects on several government agencies, preventing access to health care information, for example. According to reports from the Ministry of Justice of New Zealand and some private sector operators, the attack has also affected their access to various records. [5]

In Belgium, a cyber attack has disrupted the services of the City of Antwerp. Although targeted at the City’s IT service provider Digipolis rather than the City of Antwerp itself, the successful attack nevertheless paralysed a large proportion of the City’s digital services. The exact nature of the attack has yet to be confirmed, but it is suspected of being a ransomware attack. [6] Cyber criminals looking to make money do not care who their attacks end up hurting, as a result of which it is often regular citizens, such as the residents of Antwerp in this case, who end up becoming victims.

In Germany, the Volkswagen car manufacturing complex in Wolfsburg is currently suffering from severe production issues. According to Volkswagen’s COO, the company is facing “flat-out chaos” in the supply chain, with suppliers cancelling orders and the prices of microchips having increased several hundred per cent, for example. [7] Although not caused by a cyber attack, the production problems at Volkswagen’s plant are a good example of the importance of a well-functioning supply chain. The Volkswagen case is an excellent reminder that supply chain problems can be caused not only by cyber attacks but by problems in the physical world as well.

Preparing for security incidents is a good way to reduce their severity and make it possible to recover quickly and continue the business. Organisations can assess their own readiness by using the Kybermittari (Cybermeter) cyber security evaluation tool of the NCSC-FI, for instance. [8] An incident response plan that has been drawn up in advance is a good starting point for what to do in case of a security incident. Organisations must also ensure that measures such as locking user IDs, isolating servers and terminal devices from the network and restricting network traffic to harmful IP addresses or domain names are technically possible and that their personnel have the expertise required to carry them out.

Gathering, compiling and monitoring log data is important in order to detect incidents in time. Log data also make it possible to investigate incidents thoroughly, which speeds up the cleaning and restoration of the IT environment. The NCSC-FI has drawn up a guide on how to collect and use log data [9]. Depending on the systems used by the organisation, comprehensive monitoring typically also requires network- and system-level monitoring solutions in addition to log collection.
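The two paragraphs above tie log monitoring to the response measures an organisation must be able to carry out: locking user accounts and restricting traffic from harmful addresses. The script below is an added example, not NCSC-FI code or part of the log guide it refers to. It runs a simple detection over constructed sshd-style log lines, flags a source address that produced a burst of failed logins within a short window, and then lists the accounts that were subsequently logged into from that address, which is the set the incident responder would lock pending investigation. The log lines, host names, addresses (from the documentation ranges) and thresholds are all constructed for the demonstration.

```python
"""Detect brute-force login bursts and derive response lists from sshd log lines.

Added example, not NCSC-FI code. The log lines are constructed in the
syslog/sshd style; the addresses are from the documentation ranges and the
thresholds are illustrative. Output is the two lists the response measures in
the text need: source addresses to restrict and accounts to lock.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line: str, year: int = 2022) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year and pad the day with spaces; normalise both.
    stamp = " ".join(m["ts"].split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines: List[str], window: timedelta = timedelta(minutes=5),
           threshold: int = 5) -> Tuple[List[str], List[str]]:
    """Return (ips_to_block, accounts_to_lock).

    An address is flagged when it produced at least `threshold` failed logins
    inside any `window`-long interval (sliding window over sorted timestamps).
    Any account that then has an *accepted* login from a flagged address is
    treated as potentially compromised and listed for locking.
    """
    failures: Dict[str, List[datetime]] = defaultdict(list)
    successes: List[Tuple[datetime, str, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip].append(ts)
        else:
            successes.append((ts, user, ip))

    flagged_ips = set()
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged_ips.add(ip)
                break

    accounts = sorted({user for _, user, ip in successes if ip in flagged_ips})
    return sorted(flagged_ips), accounts


# Constructed sample log: a password-guessing burst from 203.0.113.45 that ends
# in a successful login as "alice", plus one ordinary typo-then-success by "bob".
SAMPLE_LOG = [
    "Dec  5 03:14:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2",
    "Dec  5 03:14:09 bastion sshd[2103]: Failed password for invalid user test from 203.0.113.45 port 51030 ssh2",
    "Dec  5 03:14:17 bastion sshd[2105]: Failed password for root from 203.0.113.45 port 51041 ssh2",
    "Dec  5 03:14:26 bastion sshd[2107]: Failed password for alice from 203.0.113.45 port 51052 ssh2",
    "Dec  5 03:14:33 bastion sshd[2109]: Failed password for alice from 203.0.113.45 port 51060 ssh2",
    "Dec  5 03:14:41 bastion sshd[2111]: Accepted password for alice from 203.0.113.45 port 51068 ssh2",
    "Dec  5 08:02:10 bastion sshd[2310]: Failed password for bob from 198.51.100.7 port 40212 ssh2",
    "Dec  5 08:02:31 bastion sshd[2312]: Accepted password for bob from 198.51.100.7 port 40220 ssh2",
]

if __name__ == "__main__":
    block, lock = detect(SAMPLE_LOG)
    print("restrict traffic from:", block)
    print("lock accounts:", lock)
```

The point of producing the two lists directly is the one the text makes: detection is only useful if the follow-up measures are technically prepared, so the output is already in the form the firewall change and the account lock need, and the thresholds can be tuned against an organisation's own baseline of failed logins.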

Vulnerabilities

CVE: CVE-2022-4262
CVSS: 8.8
What: RCE (Remote Code Execution) vulnerability
Product: Google Chrome browser
Fix: Update Chrome as soon as possible; instances of the vulnerability being exploited have already been reported around the world.