As a part of dedicated supply chain attack, the Canadian headquartered communications technology provider Comm100 was recently hijacked to disseminate malware. The incident was first reported by Texas-based US software and cybersecurity company CrowdStrike.
Threat intelligence experts for the firm detailed how the targeted attack focused its sights on Comm100, which has established a name for itself providing chat messaging services for use on social media platforms and enterprise websites. CrowdStrike’s team uncovered that the strategy employed by the yet unconfirmed assailant appears to echo the insidious supply chain mechanism that made headlines when it was used widely in the SolarWinds attacks back in 2020. The disruptive incident from two years ago saw a popular software provider singled out as a way to gain a foothold on the systems of multiple victims.
Malicious software unearthed
The recent abuse of Comm100’s products and services involved an insidious piece of trojan horse malware being delivered via a dedicated installer for the chat provider’s Windows Desktop agent software, readily available on the company’s official website. According to researchers at CrowdStrike, the software employed a legitimate Comm100 certificate bearing the date 26 September 2022, which remained accessible until September 29.
Threat analysts at CrowdStrike found that the malicious software embedded within the installer had been surreptitiously connecting to a remote command-and-control (C2) server, to create a backdoor into any infected systems that the threat operators then sought to compromise by installing additional pieces of malicious software from their foothold. While backdoors are sometimes purposefully included in software by developers to assist users who have lost access to their systems, in this case malware was used to gain and maintain persistent access.
Identifying threat operators involved in the attack
While leads at Comm100 were not immediately forthcoming in requests for further information regarding the recent incident, the chat provider has acted, releasing a revised version of the software installer, available via its website.
At present, there is no accurate picture of how many people may have inadvertently downloaded the malicious data file. However, according to Comm100 and information on its official site, it currently has over 15,000 customers using its technology based in 51 different countries.
Researchers at CrowdStrike have been unable to confirm which attack group was behind the incident. However, the cybersecurity firm has reported that the threat operators involved are likely to based in China. CrowdStrike states moderate confidence in this assertion, which is based on electronic comments made using Chinese language being present within the malicious software. Additionally, servers being used to host elements of the attack use the Alibaba infrastructure and technical elements that have been previously seen employed by Beijing threat operators when targeting gambling entities based online in Southeast and eastern parts of Asia.
With many enterprises now using online chat facilities for both internal and external interactions, often sharing a wealth of private data, it is understandable that like email, this communication channel had now become a ripe target for threat actors. As a result, it is imperative that protective protocols are put in place, like the use of data encryption.