Attacks on the supply chain are notoriously difficult to stop.
Attacks on the supply chain are notoriously difficult to stop.

Investigative reporter Brian Krebs has uncovered a software vendor which has attempted to downplay a major breach of its systems in a “supply-chain attack”.

During RSA 2017 in California, RSA released a report that detailed a malware campaign dubbed “Kingslayer” that piggybacked on a popular piece of software used by system administrators at some of the US's largest companies, which helps better understand Windows system events logs.

The report says the event log management software was only compromised for two weeks –from 9 April 2015 to 25 April 2015 – whereby the attackers compromised the website which helps sell the software.

Krebs said that, “the intrusion was likely far more severe than the short duration of the intrusion suggests.” Because, “in addition to compromising the download page of the software package, the attackers also hacked the company's software update server,” which would likely mean those with the software already installed might already have the compromised version.  

Krebs said, “incredibly, the report did not name the affected software, and the vendor in question has apparently chosen to bury its breach disclosure,” adding, “as a result, that received very little press coverage relative to its overall importance.”

RSA said that in April 2016 it “sinkholed” or “took control over the website that the malware used as a control server” and said the victims included five major US defence contractors; four major telecommunications providers; 10+ western military organisations; more than two dozen Fortune 500 companies; 24 banks and financial institutions; and at least 45 higher educational institutions.

Krebs said RSA declined to name the software vendor whose site was compromised, but said the company issued a security notification on its website on 30 June 2016 and updated the notice on 17 July 2016 at RSA's request, as it discovered a defence contractor's network had been compromised.

Giving Krebs a major clue, RSA noted that the victim software firm had a domain name ending in “.net,” and that the product in question was installed as a Windows installer package file (.msi).

Using that information, Krebs said, “an internet search for the terms event log security notification April 2015 turns up a breach notification from 30 June 2016 about a software package called EVlog, produced by an Altair Technologies Ltd.”

Krebs added: “The timeline mentioned in the breach notification exactly matches the timeline laid out in the RSA report.”

Commenting on the lacklustre breach notification, Krebs said, “this one is about the lamest I've ever seen given the sheer number of companies that Altair Technologies lists on its site as subscribers to eventid.net, an online service tied to EVlog.”

Adding, “I could not locate a single link to this advisory anywhere on the company's site, nor could I find evidence that Altair Technologies had made any effort via social media or elsewhere to call attention to the security advisory; it is simply buried in the site. A screenshot of the original, much shorter, version of that notice is here.”

After remaining silent, The owner of Altair Technologies, a programmer named Adrian Grigorof, emailed Krebs a statement justifying the largely downplayed breach notification saying it was under an NDA, and that, “we don't keep track on who downloads and tries this software, therefore there is no master list of users to notify. Any anonymous user can download it and install it.”

Adding, “I'm not sure what you mean by ‘you still haven't disclosed this breach' – it is obviously disclosed and the notification is on our website. The notification is quite explicit in my opinion – the user is warned that even if EvLog is removed, there may still be other malware that used EvLog as a bridgehead.”