An insidious attack trend has been catching my eye lately. It’s called the software supply chain attack.
The scheme goes like this: Hackers compromise a trusted software vendor, subvert its products with their own malicious versions, and then use the tainted formulation to infect customers — thereby bypassing internal security controls and easily spreading malware far and wide. Customers, careful to keep their software up to date, don’t think twice about downloading the latest iterations. That’s good digital hygiene, after all.
At least that’s what we’ve been trained to think. Cisco researchers exposed one of these sneaky incursions earlier this week. The hacking operation sabotaged CCleaner, a popular piece of computer cleaning software distributed by Avast, a Czech antivirus firm. (Morphisec, an Israeli cybersecurity startup, had discovered the compromise too.)
Here’s what happened: In August, some unknown hacking group inserted a backdoor into the CCleaner software, which was then dutifully installed on more than 700,000 machines. With that foothold, the attackers then attempted to drill down deeper into the networks of at least 18 big tech company targets, including Google, Intel, Microsoft, Samsung, HTC, and Cisco. Presumably, the intruders sought trade secrets.
This is only the most recent example of such an attack. Earlier this year hackers compromised MeDoc, a piece of accounting software developed by a Ukrainian tech firm, in order to spread a destructive strain of ransomware, dubbed NotPetya, through its update mechanism. The attack crippled operations at big companies, ranging from Danish shipping giant Maersk to U.S. pharma company Merck. Similarly, Kaspersky Labs, the lately besieged Russian cybersecurity firm, found a backdoor in server management software from the U.S. and South Korean tech firm NetSarang that infected hundreds of banks and other companies over the summer.
These supply-chain attacks fly in the face of commonly accepted principles of computer security — i.e., patch your systems early and often — and they undermine everyone’s trust in the software ecosystem. As the Cisco researchers note in their analysis, a product from an established vendor “rarely receives the same level of scrutiny” as one from an untrusted source. And as they warn in a follow-up post, these types of attacks now “seem to be increasing in velocity and complexity.”
The proliferation is cause for alarm. It’s hard to see how the situation will improve until everyone — even small-fry software vendors — takes responsibility and ups their digital defenses.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
SEC hacked. The top market regulator in the U.S. just disclosed a 2016 data breach that may have allowed hackers to obtain and trade on inside information. The SEC’s financial filing database, called Edgar, had a vulnerability that the agency said it fixed “promptly,” but not before attackers used it to gain access to sensitive corporate information. The breach has officials worried about the security of other government computer systems.
Equifax’s ongoing fallout. The state of Massachusetts is suing the big-three credit bureau for failing to safeguard more than 140 million people’s personal information. Officials expect the Consumer Financial Protection Bureau, a federal watchdog agency created in the wake of the 2008 financial crisis, also to punish the company. (By the way, Equifax’s customer support team has been sending prospective victims to a fake phishing website.)
Facebook to clean up act. Facebook said it would share more than 3,000 Russia-linked political ads with congressional committees that are investigating Moscow’s interference in the 2016 presidential election. CEO Mark Zuckerberg promised to improve the platform to prevent its technology from being abused in the future. Marc Rotenburg, president of the Electronic Privacy Information Center, argues in an op-ed for Fortune that Facebook should operate under the same laws that govern other media companies that sell political ads.
Nest flies the nest. Alphabet’s connected home unit Nest debuted the Cam IQ Camera Outdoor, a rugged security camera that can recognize visitors’ faces. The product, which costs $350, joins Nest’s indoor camera as another sentinel to keep watch over customers’ living quarters. Nest also introduced a connected doorbell that comes with a mini app-linked video camera.
Microsoft to add hack recovery. Microsoft is beefing up Windows 10 for businesses with tech that will automate certain tasks involved in recovering from security breaches. The addition should give companies a leg up in responding to digital intrusions, freeing security teams to focus on higher level strategy. Rob Lefferts, head of security for Windows, previewed the news exclusively with Fortune this week.
Bitcoin battered by billionaires. Ray Dalio, the world’s most successful hedge funder (whose new book Fortune recently excerpted in the magazine), voiced his skepticism about so-called digital gold, calling the mania for it a “bubble.” JPMorgan Chase CEO Jamie Dimon echoed this view, reiterating his longtime distrust in a Friday interview in which he said the craze for cryptocurrencies will “end badly” (customer orders notwithstanding). In the face of the trash talk, Bitcoin’s price briefly shot above $4,000, but has since fallen by about $500 (as it has many times before).
North Korean dictator Kim Jong-un may have an impressive vocabulary (he recently called President Donald Trump a “dotard“), but his regime’s record of paying off parking tickets leaves much to be desired.
Share today’s Data Sheet with a friend:
Looking for previous Data Sheets? Click here.
—An excerpt from Fortune senior writer Michal Lev-Ram’s latest feature detailing the digital transformation of toymaker Mattel under the reign of ex-Googler Margo Georgiadis. The new chief is interested in collecting more voice data from its playthings, raising privacy and security concerns.
Mark Zuckerberg Outlines Facebook’s Plan to Fight Russian Election Hacking, by John Patrick Pullen
Is the New Apple iPhone Designed for Cyber-Safety?, by The Conversation’s Arun Vishwanath
Inside RT, Russia’s Kremlin-Controlled Propaganda Network, by David Z. Morris
California Planned on Strengthening Internet Privacy. It Didn’t., by Chris Morris
OkCupid and SparkNotes Founders Take on Slack With Encrypted Chat, by Robert Hackett
Cryptocurrencies May Be a Dream Come True for Cyber Extortionists, by The Conversation’s Nir Kshetri
Whoops: ISIS Backers Reveal Location on Instagram, by Jeff John Roberts
ONE MORE THING
How to write about the future. When crafting a narrative about centuries to come, perhaps the best place to start is not with what will change, but what remains the same. That was sci-fi author Annalee Newitz’s approach in laying out her new novel Autonomous, set in 2144. By looking into the past, Newitz gleaned human universals. “We’re still arguing over evolution; we still ride in trains and take photographs; we still have radical youth rebellions focused on free love, weird technology, and vegetarianism,” she says. Her vision of the future has differences, of course. In it, nation states have fallen and AI has risen up, for instance.