Websites requiring security software download opened door to supply chain attack

The Seoul skyline in South Korea (Flickr – Laurie Nevay, CC BY-SA 2.0, via Wikimedia Commons).

A newly reported supply chain attack involved malicious hackers compromising financial and government websites so they would deliver malware to unsuspecting visitors. The tactic demonstrates the risks involved with requiring users to download software in order to use your site properly.

In a blog post this week, researchers from ESET accuse the North Korean APT group known as Lazarus Group or Hidden Cobra of perpetrating an attack against certain South Korean websites that, ironically enough, require visitors to install specialized security software on their devices before they can use the site.

This installation process is enabled via a downloadable integration installation application called Wizvera VeraPort. According to ESET, some websites are mandated to have Wizvera VeraPort installed for users so that any necessary browser plug-ins, security software or identity verification software can be automatically installed with minimal user interaction.

While Wizvera VeraPort’s own infrastructure was apparently not compromised in the attack, certain websites that support Wizvera VeraPort were sabotaged so that attackers were able to replace the regular VeraPort software bundle with malware.

Which leads to the question: Does requiring users to download software as a precursor to being able to use one’s website or online services – even if it’s security software – introduce more risk than reward?

“In general, [it] seems like a bad idea, and it does introduce risk,” said Richard Absalom, senior research analyst at the I ..