Organizations in the government, scientific, manufacturing, and retail sectors have been hit by a supply chain attack on the Daemon Tools software, according to Kaspersky. Trojanized builds of the software carried a backdoor that the attackers used to single out a small number of organizations for follow-on intrusion.
Details of the Attack
The attackers, identified as Chinese-speaking, inserted malicious code into several builds of Daemon Tools that were distributed from the developer's official website. Kaspersky puts the compromised range at versions 12.5.0.2421 through 12.5.0.2434, released from April 8 onward. AVB Disc Soft, the software's developer, has been notified of the breach.
Three binaries shipped with those builds carried the implant: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. All three were signed with AVB Disc Soft's own certificates, so a valid code signature is no evidence that a copy is clean; the installed version and the file itself have to be checked. According to Kaspersky, the backdoor is embedded in the startup code that initializes the C runtime (CRT) environment, which means it executes as soon as any of the three binaries is launched, before the program's own logic runs.
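A practitioner reading the above will want to know which hosts are in scope. The following Python script is an added example, not code from Kaspersky or AVB Disc Soft: it encodes the affected version range and the three file names from the report and applies them to a constructed endpoint inventory (host names, versions and paths are made up for the demonstration). Versions are compared as integer tuples rather than strings, because the fourth component has four digits and a string comparison would mis-order values such as 12.5.0.3 and 12.5.0.2434.

```python
"""Triage an endpoint inventory for the trojanized Daemon Tools builds.

Added example, not Kaspersky's or AVB Disc Soft's code. The version range
and file names come from the report; the inventory records below are
constructed for the demonstration.
"""
from typing import Dict, List, Tuple

# Range reported as compromised, inclusive at both ends.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# Binaries the report names as carrying the backdoor. Stored lower-case
# because Windows file names are case-insensitive.
TROJANIZED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421) so tuples compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text: str) -> bool:
    """True when the version falls inside the compromised range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def is_trojanized_binary(path: str) -> bool:
    """True when the file name (last path component) is one of the three implants."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in TROJANIZED_BINARIES


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per host that needs attention.

    severity 'high'   : affected build and one of the three binaries recorded
    severity 'medium' : affected build, but the recorded file is not one of the three
    severity 'verify' : version could not be parsed, so the host must be checked by hand
    """
    findings = []
    for rec in inventory:
        try:
            affected = is_affected_version(rec["version"])
        except ValueError:
            findings.append({"host": rec["host"], "severity": "verify",
                             "reason": f"unparseable version {rec['version']!r}"})
            continue
        if not affected:
            continue
        if is_trojanized_binary(rec["path"]):
            findings.append({"host": rec["host"], "severity": "high",
                             "reason": f"affected build {rec['version']} with {rec['path']}"})
        else:
            findings.append({"host": rec["host"], "severity": "medium",
                             "reason": f"affected build {rec['version']} installed; "
                                       "check for the three trojanized binaries"})
    return findings


# Constructed inventory (hypothetical hosts and paths), one record per observed file.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "version": "12.5.0.2421",
     "path": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe"},
    {"host": "ws-02", "version": "12.5.0.2420",
     "path": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe"},
    {"host": "ws-03", "version": "12.5.0.2434",
     "path": r"C:\Program Files\DAEMON Tools Lite\SomeOtherTool.exe"},
    {"host": "ws-04", "version": "12.5.0.2435",
     "path": r"C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe"},
    {"host": "ws-05", "version": "unknown",
     "path": r"C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe"},
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['severity']:7} {finding['host']}: {finding['reason']}")
```

In a real deployment the inventory would come from the endpoint management or EDR platform; the point of the script is the comparison logic and the three outcomes, not the data source.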
Mechanism and Impact
The backdoor contacted a typosquatting domain, registered on March 27, from which it fetched shell commands to execute and additional payloads to run. Through this channel the attackers pushed an information-collecting component to thousands of systems in more than 100 countries; Brazil, China, France, Germany, Italy, Russia, Spain, and Turkey saw the most infections. Roughly 10% of the affected systems belonged to business entities.
Using the collected data, the attackers picked out the systems they considered valuable and infected them with a second, minimal backdoor. Only a handful of systems received it, belonging to government, scientific, manufacturing, and retail organizations in Belarus, Russia, and Thailand, which points to deliberate target selection rather than indiscriminate spread.
Broader Implications and Response
In one case this second backdoor was used to deploy the QUIC RAT malware against an educational institution in Russia. Kaspersky notes that the narrow deployment marks the operation as targeted, although the attackers' ultimate objective, cyberespionage or a larger-scale operation, remains unclear.
The attack underscores how exposed software supply chains remain: a build fetched from the vendor's own site and signed with the vendor's certificate was still malicious. Organizations should check whether any of the affected Daemon Tools versions are installed and reassess how much trust they place in vendor signatures alone. Security researchers continue to monitor the campaign and its wider repercussions.
Related incidents, such as the Mini Shai-Hulud attack on SAP and other recent supply chain breaches, show how hard it has become for security teams to defend against this class of threat.
