Members of the hacking group “Apt41” were charged by the U.S. Department of Justice for hacking more than 100 victims globally with one of its members running AV vendor Anvisoft.
We all naturally assume that our antivirus vendors are the good guys. But this news of members of APT41 being indicted, according to a news release from the U.S. DoJ, highlights that if you’re looking at using a vendor that is not one of the major established players, you might be playing with fire.
The attacks included “supply chain attacks” where legitimate software providers were compromised and their code modified to facilitate further intrusions against the software providers’ customers.
One of the members charged, Tan DaiLin, was the subject of a 2012 KrebsOnSecurity investigation about his ties to whitelisted AV vendor Anvisoft. Despite this being brought to light, DaiLin and his cohorts continued for 7 years until being initial charged in August of 2019 and then again in 2020.
The Department of Justice release makes no mention of specific involvement of the AV software, but given APT41’s use of supply chain attacks, it makes sense that they would put the same code into Anvisoft’s product to facilitate access to customer networks.
The bottom line here is:
- Stick with known AV players and not a “free download” from the web. You’ll end up paying for it dearly if you do
- Same goes for point solutions from less-than-well-known vendors. APT41 compromised plenty of smaller software titles to gain their access.
- The bad guys are working tirelessly to gain access to and control over your network. Have a layered security strategy in place to detect abnormally-behaving software on your endpoints.
- As always, consider the use of Security Awareness Training as a means of stopping phishing attacks intent on infecting or encrypting your network.