The Good

Software supply chain attacks aren’t just creeping into the threat landscape anymore – they have been fully on the rise over recent years. After multiple high-profile attacks, including those on SolarWinds and Kaseya, nation states and organizations alike have all worked to share lessons learned and raise their awareness on supply chain attacks.

This week, the NSA, CISA, and the Office of the Director of National Intelligence (ODNI) released a new set of guidelines for securing software supply chain operations. The guidelines were created in coordination with public-private cross-sector, Enduring Security Framework (ESF), to provide suppliers with best practices for planning, prevention, and response processes.

While the document lays out comprehensive instructions to help suppliers define criteria for security checks and respond to vulnerabilities, it more importantly articulates the notion of establishing shared responsibility.

“Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. But the supplier also holds a critical responsibility in ensuring the security and integrity of our software,” the NSA noted in their press release.

Software supply chain attacks have remained at the forefront of discussion by U.S. officials with a new federal strategy to adopt a zero-trust model announced in January of this year followed in May by NIST Special Publication 800-191 addressing supply chain risk management. The ESF is set to release another set of guidelines, focusing next on customers in the software supply chain lifecycle. This week’s release is preceded by the first in the series, a guideline created to support developers specifically.

The Bad

Popular file-hosting service, Dropbox, disclosed this week that they suffered a breach after a phishing campaign targeted employees. In their blog post, the California-based company explained that attackers accessed 130 of their code repositories in GitHub, but the breach did not include unauthorized access to user accounts, content, passwords, or payment information. Code for its core apps and infrastructure were also not contained in the compromised repositories.

This phishing campaign on Dropbox shares its roots with a campaign that targeted GitHub just a few months ago. In both cases, the threat actor impersonated CircleCI, a continuous integration software, to harvest user credentials and MFA codes. Attackers were able to breach Dropbox’s defenses by using legitimate-looking phishing emails that directed employees to enter their credentials and hardware authentication key to pass a one-time password (OTP) to a fake CircleCI site.

Dropbox revealed that the code accessed by the threat actor contained some credentials, mainly API keys used by the company’s developers, and also “a few thousand names and email addresses” belonging to employees, sales leads, third-party vendors, as well as current and past customers.

Though the company has underscored that no customer data was stolen, the need for large companies to harden their authentication protocols is clear. In this case, over 700 million registered users rely on Dropbox for folder sharing, cloud storage, file backup, task management, and document signing services.

Identity-based protection has long needed more attention with even the U.S. government mandating this year that all federal agencies are to implement both zero-trust architecture and phishing-resistant MFA. Dropbox’s blog confirmed that the company has accelerated an upgrade to their authentication tools and will soon use biometric factors or hardware tokens across its environment.

The Ugly

The RomCom RAT has come out to play again, and this time it’s using rogue versions of SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro. RomCom also has been known to use trojanized variants of Advanced IP Scanner and pdfFiller.

Researchers found RomCom actors leveraging customer trust in well-known software brands to create typo-squat lookalike download sites, effectively disguising their malware as legitimate products. This is done by scraping the HTML code from the company’s legitimate site, registering a new, similar domain, and deploying targeted phishing emails or social media posts to lure in specific users.

The spoofed websites host and deploy the RomCom RAT (remote access trojan), which is capable of taking screenshots and collecting sensitive information, before exporting them back to the threat actor’s server.

RomCom seems to be expanding on this tactic now that fake Veeam Backup Recovery installers have been identified, too.

We're observing that ROMCOM RAT is now being packaged as an installer for Veeam Backup and Recovery software. This is in addition to the KeePass Password Manager and SolarWinds Orion installers identified by BlackBerry yesterday. pic.twitter.com/CHF1B9gB2M

— Unit 42 (@Unit42_Intel) November 3, 2022

Ukrainian military institutions have been the primary targets of this recent campaign though secondary targets included some English-speaking countries. Researchers commented that “given the geography of the targets and the current geopolitical situation, it’s unlikely that the RomCom RAT threat actor is cybercrime-motivated.”

Campaigns like these are part of the reason why the lines separating cybercriminals and targeted attack threat actors are blurring. The more targeted attack actors use traditional means of tooling, the harder attribution is.

For now, there are speculations that RomCom actors are potentially linked to Cuba Ransomware and Industrial Spy, but concrete evidence has yet to be found. The FBI continues to encourage organizations to bolster their defenses against spoofing, social engineering scams, and business email compromise and to report any suspected attempts to the Internet Crime Complaint Center.