How to Manage Ongoing Threats and Breaches

After nearly 30 years in IT and cybersecurity, I have seen and learned much that surprises me. What doesn’t surprise me, however, is the uptick in cyberattacks, especially since the financial gains can be tremendous for the bad guys.

What we in the cybersecurity and IT industry are now starting to see is an increase in the exploitation of software by hackers looking for a way to crack into data networks using trusted vendors without being spotted by the firewall. Here’s a look at what is happening with supply-chain software and how businesses can address it.

The Microsoft Case

Microsoft recently confirmed signing a malicious driver being distributed within its gaming environments, according to a piece by The driver, called “Netfilter,” is a rootkit that was found to be communicating back to Chinese command and control (C2) IPs.

A rootkit is a type of malware that is designed to remain hidden on a computer. Though you may not know a rootkit has taken hold on your device, it actively works to access your private files. A rootkit can take the form of a Trojan, worm, or virus that conceals its existence from the device owner. Rootkits are often able to access information without the user or network knowing.

The incident stemmed from a weakness in Microsoft’s code-signing process, exposing a threat to software supply-chain security. Karsten Hahn, a malware analyst at G Data, noticed that a cybersecurity alert system had flagged a Microsoft-signed driver called “Netfilter,” which at first looked like a false positive. While the driver seemed innocuous enough, Hahn became suspicious when it was seen communicating with a China-based C&C IP address. There was no reason a Microsoft driver should have been communicating with an IP address based in China.

Hahn contacted Microsoft and then shared the suspicious activity publicly. After working with Microsoft, Hahn took more time to analyze the driver and concluded that it was malware.

“In this case, the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation,” G Data Software wrote in a June 25, 2021, blog. “At the time of writing it is still unknown how the driver could pass the signing process.”

What this means is that the Chinese had used a rootkit to enter into gaming environments under the trusted name and seal of Microsoft.

The Western Digital My Book Live NAS Case

Microsoft wasn’t the only company to have a bad June. Western Digital identified a zero-day vulnerability in its My Book Live NAS. Hackers were able to use the newly found vulnerability in combination with a previously known one (CVE-2018-1847) to carry out a huge breach. The cybercriminals conducted mass factory resets of devices that led to data loss on a large scale. Live devices were wiped clean.

As a result of the attack, many My Book Live NAS users reported lost files, even in backups. Additionally, many also reported network storage appliance factory resets had occurred. While the company has not identified one attacker, the company’s researchers believe there may have been several attackers that acted simultaneously.

This attack is yet another example of exploitation of vulnerabilities in the software supply chain. While there are recommendations for alleviating the problem, including separating the My Book Live device from your network, experts are still working on identifying all details regarding the vulnerability and how to address it, according to a report.

The Kaseya Hack

The Kaseya hack, less than two weeks ago, is a third example in recent weeks of vulnerabilities in the software supply chain being exploited. Kaseya provides software to managed service providers (MSPs) offering ongoing monitoring and managed services to their endpoint clients.

As a result of the hack, Kaseya reported 50 to 60 of its MSP clients were compromised through the software, resulting in roughly 1,500 endpoint clients experiencing a ransomware attack. The United States Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) became involved in investigating the attack. That investigation concluded that the hacking group REvil (pronounced R Evil), based in Russia, was responsible for the attack.

REvil ultimately demanded $70 million for a decryption key to unlock all of the data it had held for ransom in the attack. The hacking group has since lowered its ransom request to $50 million. Victims of the ransomware attack had refused to pay the ransom as of last week, according to another online article by

Our Theory at Dox

So why are hackers interested in gaming environments and infiltrating the software supply chain? At Dox, we are now theorizing that bad actors are buying software from companies so they can reverse engineer it, identify vulnerabilities, and then exploit them for ransom.

Through “reverse engineering,” cybercriminals can commit these hacks both outside and inside the firewall of a company as the vulnerabilities are hidden within the software. As soon as your business installs the software with security vulnerabilities, your data and entire network become vulnerable.

Additionally, we believe the recent attack on Microsoft gaming environments could be a proof-of-concept attack as well. Gamers have no real money, so there’s no financial gain for bad actors to attack them. That is, unless they are using an attack on Microsoft gaming networks as a way to see if they can crack into file drivers, which they did successfully. If hackers can access the “Netfilter” driver for gaming environments, then they could potentially use the same type of attack to break into businesses through other trusted software programs.

So What’s a Business To Do?

There are still several measures that businesses can take to safeguard their data and networks. First, ensure that you have a modern, updated firewall in place as well as anti-virus and anti-malware programs. You will also want to ensure all updates and patches are applied on a regular basis. Updating daily, for example overnight, is a good option for businesses that operate during the day.

Next, ensure that all data is backed up on a separate network (think cloud computing here). This can be done automatically and affordably, even for small businesses. Ongoing monitoring is another way for you to “watch” for oddities occurring within your network. The sooner you can identify a threat, the sooner you can address it.
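One concrete form of the “watch for oddities” monitoring described above is the check that exposed Netfilter: a driver or process carrying a trusted vendor’s signature that talks to a destination the vendor has no reason to use. The following is an added example, not code from the original post or from G Data; the log format, the sample lines, and the per-signer “expected network” baseline are all constructed for illustration (the address ranges are placeholders, not an authoritative vendor list).

```python
"""Flag signed software whose outbound connections fall outside the
destinations its signer is known to use.  Constructed example."""
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed baseline: per code-signing organisation, the networks its
# software is expected to reach.  In practice this comes from vendor
# documentation or from a baseline observed on your own network.
EXPECTED_NETS = {
    "Microsoft Windows": [ipaddress.ip_network("13.64.0.0/11"),
                          ipaddress.ip_network("40.64.0.0/10")],
}
# RFC 1918 ranges: internal traffic is out of scope for this rule.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Finding:
    process: str
    signer: str
    dest: str
    reason: str

def parse_line(line):
    """Constructed format: '<ts> proc=<name> signer="<org>" dst=<ip>:<port>'."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
    ip, _, port = fields["dst"].rpartition(":")
    return fields["proc"], fields["signer"], ip, int(port)

def find_anomalies(lines):
    """Return one Finding per connection that breaks the signer baseline."""
    findings = []
    for line in lines:
        proc, signer, ip, _port = parse_line(line)
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LOCAL_NETS):
            continue
        if signer not in EXPECTED_NETS:
            findings.append(Finding(proc, signer, ip, "unknown or missing signer"))
        elif not any(addr in net for net in EXPECTED_NETS[signer]):
            findings.append(Finding(proc, signer, ip,
                                    "trusted signer, destination outside known ranges"))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    '2021-06-25T10:00:01Z proc=netfilter.sys signer="Microsoft Windows" dst=203.0.113.10:443',
    '2021-06-25T10:00:02Z proc=svchost.exe signer="Microsoft Windows" dst=13.90.1.1:443',
    '2021-06-25T10:00:03Z proc=backup.exe signer="Microsoft Windows" dst=192.168.1.20:445',
    '2021-06-25T10:00:04Z proc=updater.exe signer="Unsigned" dst=198.51.100.7:80',
]

if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOG):
        print(f"{f.process} ({f.signer}) -> {f.dest}: {f.reason}")
```

The second and third lines produce no finding: one stays inside the signer’s expected ranges and the other is internal traffic.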

Finally, buy software from trusted vendors. Buy software that does double-duty to save money and reduce the number of programs that are installed behind your firewall. Look at consumer reviews and consult with a third-party IT and cybersecurity partner such as Dox for recommendations on the best software to address your business needs.

For more information about shoring up your business’s cybersecurity, data backup, the potential for cloud computing and more, visit Dox Electronics online or call (585) 473-7766.