How Businesses Can Unwittingly Work For Criminals In Supply Chain Malware Attacks

How would your business partners react if they discovered your emails had been infecting their systems with malware?

It was an urgent consideration for two UK law firms who found that unexplained code was being written into some of the thousands of documents they sent out to clients and supply chain partners every day. There was the possibility that somehow criminals were using them to spread malware, levering open the systems of their clients to steal intellectual property, uncover deals being negotiated, or to ransom essential data. The consequences of this in the legal world, where trust and confidence are everything, could effectively have destroyed their businesses.

Unexplained code in attachments

In the first incident, code was being inserted into documents by the law firm’s PDF-writing software. At the second firm, the document scanner was incorporating unauthorised code into the structure of digital files it was generating. In each of these separate cases, the code could easily have been the trigger for a massive cyber-attack on anyone receiving the documents as email attachments.

Both incidents demonstrate how cyber risk is moving much more heavily into the supply chain. Criminals are fully aware that any major organisation they want to target is only as safe as its least-secure supplier, which they can use as a backdoor means of illegal entry. In many ways it was a matter of luck that the code in these two incidents was anomalous rather than malicious, requiring investigation of flaws in the software responsible, a product used on a daily basis by all staff.

Malware is a national security issue

Each case illustrates the increasing inevitability of malware being insinuated into document-writers, computer hardware and the chip sets that power them. With secure chip sets so fundamental to our digital future, the UK government must surely be concerned that a leading UK chip-maker such as Imagination Technologies is set to fall into the hands of Chinese state-backed private equity investors Canyon Bridge. This is, after all, a company barred by US President Donald Trump from buying an American rival because of national security sensitivities.

In the meantime, organisations with substantial supply chains that include major clients with highly valuable intellectual property need to take every step to protect themselves. These two firms were protected because they had embraced innovation and installed file-regeneration technology that examines every outbound file. Examining each file down to byte level against the manufacturers’ format standards, it detected the anomalies.

The old defences are breached every day

Had they been deploying traditional anti-virus technology, however, these two law firms would have carried on dispersing unauthorised code. Because the anti-virus industry focuses on “signatures” of code that has already been detected, newly written code goes unrecognised, sneaks through systems and is able to trick its way past sandboxing applications.

The constantly evolving sophistication of criminals using malicious code of this type leaves organisations hopelessly vulnerable if they are content to rely on a combination of anti-virus solutions and encryption to maintain security. The threats within JavaScript, Flash, encrypted and embedded files may be well-known, yet the biggest sources of danger are inside the structures of common files such as PDFs, Excel and Word.

In a recent 30-day period, for example, we found that almost three-quarters of all the threats eliminated through file-regeneration were zero-day attacks that would have been completely missed by standard anti-virus technology because they had not previously been assigned an identifying signature.

In fact, the detection of the incidents at these two law firms should act as a warning to every business. More than 90 per cent of successful cyber-attacks commence when someone unknowingly opens a common attachment such as a PDF, Word, PowerPoint or Excel file that has been subtly altered to act as a malware trigger.

National security must go all the way down to byte-level

The chief means by which organisations can prevent themselves being turned into malware hubs is file-regeneration, which conducts a byte-level examination of each document in fractions of a second and generates a clean, sanitised version that can be used in total safety. The technology has already detected a two-byte change hidden by criminals inside a PDF file structure in order to crash the recipient’s reader so that malicious code would trigger a malware attack.

Once files have been sanitised, outbound email attachments can be sent in full confidence, having been cleared of all malicious code. The intelligence derived from this technology also gives organisations vital insights into the nature of the threats they are facing and how criminals are adapting code or shifting vectors.
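A minimal illustration of the outbound byte-level check described above, added here as an example and not the code of any product mentioned on this page: it tests a PDF against the format's own structural conventions (header, end-of-file marker, object pairing, active-content keys) and gates the attachment on the result. The key list, sample files and function names are assumptions; a full regeneration goes further and rebuilds the file from a parsed object tree rather than scanning raw bytes.

```python
import re

# Name keys the PDF format uses for active content (actions, scripts,
# embedded files); a CDR pipeline refuses or strips these before sending.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile", b"/RichMedia")

def inspect_pdf(data: bytes) -> dict:
    """Byte-level structural check of a PDF against the format's conventions."""
    findings = []
    if not data.startswith(b"%PDF-"):
        findings.append("missing %PDF- header")
    eof = data.rfind(b"%%EOF")
    if eof == -1:
        findings.append("missing %%EOF marker")
    else:
        trailing = data[eof + len(b"%%EOF"):].strip()
        if trailing:  # payload appended after the file's logical end
            findings.append(f"{len(trailing)} bytes after %%EOF")
    n_obj = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data))
    n_end = data.count(b"endobj")
    if n_obj != n_end:
        findings.append(f"object count mismatch: {n_obj} obj vs {n_end} endobj")
    # Caveat: names may be #-hex escaped and objects may sit in compressed
    # object streams; this raw scan does not decode those, a full
    # regeneration parses and rebuilds the object tree instead.
    for key in ACTIVE_KEYS:
        if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", data):
            findings.append(f"active content key {key.decode()}")
    return {"clean": not findings, "findings": findings}

def allow_outbound(data: bytes) -> bool:
    """Mail-flow gate: only structurally clean attachments leave."""
    return inspect_pdf(data)["clean"]

# Constructed sample: a minimal benign PDF skeleton (no pages).
CLEAN_PDF = (b"%PDF-1.4\n"
             b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

# Constructed sample: same skeleton plus an open-action script object and
# junk appended after %%EOF, the kind of anomaly a regeneration step rejects.
SUSPECT_PDF = (b"%PDF-1.4\n"
               b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
               b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
               b"3 0 obj\n<< /S /JavaScript /JS (constructed-sample) >>\nendobj\n"
               b"trailer\n<< /Root 1 0 R >>\n%%EOF\njunk-after-eof")
```

Running `inspect_pdf(SUSPECT_PDF)` lists the trailing bytes and the three active-content keys, while `allow_outbound(CLEAN_PDF)` returns `True`.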

In the absence of technologies such as file-regeneration (also known as Content Disarm & Reconstruction), organisations risk becoming the unwitting malware hubs of criminals, facing potentially huge legal liabilities and the nuclear destruction of all reputation. While the threats proliferate and states with tarnished security records reach ever more deeply into cyber space, the only certain defence now is innovative technology.