CERT-FR recently published a threat and incident report on the integration of uncontrolled software into an information system (IS) and the security problems it can pose.
Through several real-world examples, CERT-FR shows cases in which uncontrolled software ended up being the infection vector of an information system. The main scenario used as an example is that of software imposed on international companies wishing to operate in China: the software supplied by Chinese suppliers or customers in order to pay taxes in China actually contained malicious code that made it usable as a backdoor, turning it into a genuine infection vector.
The document published by ANSSI outlines in particular the case of GoldenSpy in 2020, a backdoor embedded in the Aisino Intelligent Tax VAT management software:
“Two hours after installation of the VAT management software, code is downloaded and then executed silently. It has persistence mechanisms, communicates at a random frequency with a remote server and allows arbitrary code to be executed with system administrator privileges without user interaction.”
II. ANSSI’s recommendations:
Following these recent examples, the report proposes recommendations to limit the deployment of this type of backdoor, or the spread of an infection through it within the information system. They are grouped into themes:
Recommendations regarding infrastructure:
- Install the software in an isolated zone
- Filter network flows “from” and “to” the isolated zone down to the exact operational need
- Filter flows with firewall equipment separate from the machine on which the software is installed
- Use a dedicated cloud account to isolate the least-trusted zone
- Apply the principle of least privilege to all services and equipment
Recommendations for software access:
- Disable clipboard sharing and disk redirection
- Configure a dedicated and isolated file share
Recommendations regarding security maintenance (keeping the software patched):
- Carry out security maintenance (updates) from the Internet
- Turn off the service when not in use
Recommendations regarding detection:
- Set up a dedicated log collector in the isolated zone
- Enable and configure logging
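As an added example (not code from the CERT-FR report, ANSSI or the software involved), the following Python script puts the infrastructure and detection recommendations together: the zone's exact operational need is written down once as an allowlist, a default-deny nftables forward chain is derived from it with every drop logged, and the same allowlist is then applied to flow logs collected from the zone to surface destinations the software was never supposed to reach, describing repeated, irregularly spaced contacts to one of them as a check-in loop. The interface name, addresses, ports and log lines are constructed for the example and are not real indicators.

```python
"""Express the isolated zone's operational need once, derive the default-deny
firewall policy from it, and check the zone's flow logs against it.

Added example for this post; it is not code from CERT-FR, ANSSI or the
Aisino software. The log format, interface name, addresses (RFC 5737
documentation ranges) and ports are constructed and are not real indicators.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

ZONE_IFACE = "eth-tax"  # hypothetical firewall interface facing the isolated zone

# The "exact operational need": (destination, protocol, port). Everything else is dropped.
ALLOWED_FLOWS = {
    ("203.0.113.10", "tcp", 443),  # hypothetical tax-authority declaration endpoint
    ("198.51.100.5", "udp", 514),  # hypothetical dedicated log collector in the zone
}


def nft_ruleset(allowed=ALLOWED_FLOWS, iface=ZONE_IFACE):
    """Render an nftables forward chain for the separate firewall: default drop,
    allow only the declared flows, and log every drop so the collector sees
    undeclared traffic."""
    lines = ["table inet taxzone {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for dst, proto, port in sorted(allowed):
        lines.append(f'    iifname "{iface}" ip daddr {dst} {proto} dport {port} accept')
    lines.append(f'    iifname "{iface}" log prefix "taxzone-drop: " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow log as the zone firewall might emit it (not a real capture).
SAMPLE_LOG = """\
2020-06-25T08:00:03Z accept src=10.10.50.12 dst=203.0.113.10 proto=tcp dport=443
2020-06-25T08:00:04Z accept src=10.10.50.12 dst=198.51.100.5 proto=udp dport=514
2020-06-25T10:01:40Z drop src=10.10.50.12 dst=203.0.113.77 proto=tcp dport=9010
2020-06-25T10:13:22Z drop src=10.10.50.12 dst=203.0.113.77 proto=tcp dport=9010
2020-06-25T10:21:05Z drop src=10.10.50.12 dst=203.0.113.77 proto=tcp dport=9010
2020-06-25T10:44:51Z drop src=10.10.50.12 dst=203.0.113.77 proto=tcp dport=9010
2020-06-25T10:50:00Z drop src=10.10.50.12 dst=192.0.2.30 proto=tcp dport=445
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>accept|drop) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def undeclared_flows(events, allowed=ALLOWED_FLOWS):
    """Flows whose (dst, proto, dport) is not part of the declared need. With the
    ruleset above these are the dropped ones, but the check is made on the tuple,
    not on the action, so it also catches a misconfigured firewall."""
    return [ev for ev in events if (ev["dst"], ev["proto"], ev["dport"]) not in allowed]


def beacon_candidates(events, min_contacts=4, max_gap_s=3600):
    """Group undeclared flows per destination and describe the ones that look like
    a check-in loop. GoldenSpy contacted its server at a random frequency, so the
    interval jitter (coefficient of variation) is reported, not used as a filter:
    an undeclared destination contacted repeatedly is the finding."""
    by_dst = defaultdict(list)
    for ev in events:
        by_dst[(ev["dst"], ev["proto"], ev["dport"])].append(ev["ts"])
    findings = []
    for (dst, proto, dport), stamps in sorted(by_dst.items()):
        if len(stamps) < max(min_contacts, 2):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) > max_gap_s:
            continue
        mean = statistics.mean(gaps)
        jitter = round(statistics.pstdev(gaps) / mean, 2) if mean else 0.0
        findings.append({"dst": dst, "proto": proto, "dport": dport,
                         "contacts": len(stamps), "mean_gap_s": round(mean),
                         "jitter": jitter})
    return findings


if __name__ == "__main__":
    print(nft_ruleset())
    bad = undeclared_flows(parse_log(SAMPLE_LOG))
    print(f"{len(bad)} undeclared flow(s) from the zone")
    for finding in beacon_candidates(bad):
        print("beacon candidate:", finding)
```

Run as-is, the script prints the generated ruleset and then the findings: in the constructed log the first undeclared connection appears two hours after the accepted flows, mirroring the behaviour quoted above, and the single SMB attempt to 192.0.2.30 is reported as undeclared but not as a check-in loop. In practice the allowlist is the artefact to review with the business owner of the software: anything not on it is, by construction, outside the operational need and should be treated as a finding rather than tuned away.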
I therefore strongly advise you to read this document, especially if you work for a company operating internationally: Illustration of the problems related to the integration of uncontrolled software. It will shed more light on the subject and give you the full details of the proposed recommendations.
Feel free to react and discuss this subject in the comments or on our Discord server: https://discord.com/invite/KMWN7TUQfm
#CERTFR #ANSSI #alert #uncontrolled #software #risks