
Operation WilySupply – Software remote update channel of the supply chain exploited as attack vector


[Image: Operation WilySupply malicious update]

Microsoft has recently uncovered an attack dubbed Operation WilySupply that leveraged the update mechanism of an unnamed software editing tool to compromise targets.

The attackers mostly targeted organizations in the finance and payment industries.

“An unknown attacker was taking advantage of a silent yet effective attack vector: the compromised update mechanism or software supply chain for a third-party editing tool,” wrote Elia Florio, senior security software engineer with the Windows Defender ATP Research Team. “The software vendor that develops the editing tool was unaware of the issue. In fact, while their software supply chain served as a channel for attacking other organizations, they themselves were also under attack.”

Microsoft confirmed that the attackers were financially motivated and conducted surgical, targeted attacks, but did not provide figures on the number of victims.

“We believe that the activity group behind Operation WilySupply is motivated by financial gain. They compromise third-party software packages delivered through updaters and other channels to reach victims who are mostly in the finance and payment industries,” added Florio.

Experts at Microsoft discovered the insidious attack vector after a number of machines running the updater were flagged by Windows Defender ATP.

“Windows Defender ATP initially called our attention to alerts flagging suspicious PowerShell scripts, self-deletion of executables, and other suspect activities,” added Florio.

Analysis of the Temp folder on one of the infected systems showed the legitimate third-party updater running as a service; however, the updater had also downloaded an unsigned, low-prevalence executable just before the malicious activity was observed.

“The downloaded executable turned out to be a malicious binary that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control. The binary is detected by Microsoft as Rivit.”

[Image: Operation WilySupply malicious update]

The attackers used Meterpreter to carry out in-memory (fileless) attacks through in-memory DLL injection.

This isn’t the first time that hackers have exploited a software update channel in the supply chain as an attack vector.

Experts at Microsoft confirmed that the same technique had been observed in past cyber attacks against high-profile targets.

“This generic technique of targeting self-updating software and their infrastructure has played a part in a series of high-profile attacks, such as unrelated incidents targeting Altair Technologies’ EvLog update process, the auto-update mechanism for South Korean software SimDisk, and the update server used by ESTsoft’s ALZip compression application,” the post continues.

Back to the present, experts observed reconnaissance activity, including machine enumeration, using standard commands such as NET, IPCONFIG, NETSTAT, NLTEST, and WHOAMI. The attackers also used common tools such as Mimikatz and Kerberoast to dump credential hashes, and performed lateral movement through Windows Management Instrumentation (WMI).
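As an added example (not code from Microsoft's post or this article), the two detection angles described above, an updater service dropping an unsigned, low-prevalence binary that goes on to launch PowerShell and a burst of enumeration commands from one host, written as simple correlation rules over constructed process-creation events; the updater name, host names, timestamps and event fields are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the WilySupply chain (not from Microsoft's post):
# (time, host, parent image, image, Authenticode-signed?, file prevalence across the fleet).
UPDATER = "editorupdater.exe"  # hypothetical name for the third-party updater service
EVENTS = [
    ("2017-05-04 10:00:00", "FIN-WS01", "services.exe", UPDATER, True, 5000),
    ("2017-05-04 10:00:07", "FIN-WS01", UPDATER, "ithelp.exe", False, 2),
    ("2017-05-04 10:00:09", "FIN-WS01", "ithelp.exe", "powershell.exe", True, 9000),
    ("2017-05-04 10:01:00", "FIN-WS01", "powershell.exe", "whoami.exe", True, 9000),
    ("2017-05-04 10:01:02", "FIN-WS01", "powershell.exe", "ipconfig.exe", True, 9000),
    ("2017-05-04 10:01:05", "FIN-WS01", "powershell.exe", "net.exe", True, 9000),
    ("2017-05-04 10:01:08", "FIN-WS01", "powershell.exe", "nltest.exe", True, 9000),
    ("2017-05-04 11:30:00", "FIN-WS02", UPDATER, "editor.exe", True, 5000),
    ("2017-05-04 11:31:00", "FIN-WS02", "explorer.exe", "ipconfig.exe", True, 9000),
]
# Enumeration commands named in the article, used as a per-host frequency signal.
RECON = {"net.exe", "ipconfig.exe", "netstat.exe", "nltest.exe", "whoami.exe"}

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def suspicious_update_children(events, max_prevalence=10):
    """Hosts where the updater spawned an unsigned, low-prevalence binary that
    then launched PowerShell: the sequence Windows Defender ATP flagged."""
    hits = set()
    for _, host, parent, image, signed, prevalence in events:
        if parent == UPDATER and not signed and prevalence <= max_prevalence:
            # Does the dropped binary go on to start PowerShell on the same host?
            if any(h == host and p == image and c == "powershell.exe"
                   for _, h, p, c, _, _ in events):
                hits.add(host)
    return hits

def recon_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Hosts running >= threshold distinct enumeration commands inside one window."""
    per_host = defaultdict(list)
    for t, host, _, image, _, _ in events:
        if image in RECON:
            per_host[host].append((ts(t), image))
    flagged = set()
    for host, runs in per_host.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            distinct = {img for t, img in runs[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                flagged.add(host)
    return flagged
```

In the constructed data only FIN-WS01 trips both rules: FIN-WS02 receives a signed, widely seen update and runs a single ipconfig, so it stays quiet.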


Pierluigi Paganini

(Security Affairs –  Operation WilySupply, hacking)
