What happens when the websites we visit and the companies we depend on to provide us with information, are compromised? Supply chain attacks go to the root of information we depend on rather than attack us directly.
A recent attack on the Asus infrastructure paints the exact scenario for supply chain attacks. Attackers compromised an Asus update server to push a malicious backdoor onto numerous customers. The attackers’ aim was to target 600 specific machines however the malicious code was eventually delivered to many more machines.
The malicious code was signed with a compromised but valid Asus certificate which makes detecting this type of attack very difficult. And because the client implicitly trusts a certificate signed by Asus, it will accept the malicious code download.
So what can one do about supply chain attacks? Beyond being very careful about the sites you visit and where you download from, there’s not a whole lot you can do. When even mainstream and trusted sites can compromised, we’re all in a grey zone.