News today reported that Asian game developers again targeted in supply-chain attacks distributing malware in legitimately signed software. This is not the first time attackers target the gaming industry in this way. They have already compromised game developers, inserted backdoors into a game’s build environment, and then had their malware distributed as legitimate software. The structure of the malware is relatively simple, but the interesting part of the story is the following.
The malefactor changed a build configuration rather than the source code itself.
Gaming aside, this attack strategy is a winning solution in general. Also, it is one more reason to add the supply chain check in the penetration testing logic and risk modelling. Moreover, it’s not the first case of this type: already in the past malware tried to sneak in the systems with an official channel, embedded into signed software. It happened for all the platforms, iOS included (e.g., XcodeGhost, which affected the compiler and the source code, differently from this attack).
This happened in the gaming industry, which is one of the most controlled supply chains, among the big ones. Just imagine a similar situation in a less regulated context, such as medical devices and their software in the hospitals.
The risk landscape is continuously evolving and changing. It’s important to keep your strategies aligned.
This article has been written by project member Cefriel. Cefriel is a digital innovation centre creating and rethinking products, services and processes to enhance and develop digital technologies.