Malware found in drivers for one of Amazon’s most popular military ID-card readers

Any security measure is only as effective as the systems and culture set up to support it—just see this recent report from KrebsOnSecurity’s Brian Krebs showing how defense and military smart-ID systems could be undermined by employees seeking out unsafe third-party devices.

The Common Access Card (CAC) is an ubiquitous smart card used by military personnel as well as civilian Defense Department employees and some contractors, credentialing them not only into restricted physical spaces, but also sensitive online systems. The potential compromise of these credentials is, therefore, a big deal. Unfortunately, those who need them often aren’t equipped by their employers with card readers necessary to log in remotely, or even told which third-party devices they can buy themselves are safe.

According to KrebsOnSecurity, an anonymous tipster named “Mark,” who works in IT for a major defense contractor, sought to use his Personal Identity Verification card (PIV, a CAC equivalent for civilian employees) to work from home. Mark purchased a $15 “DOD Military” CAC reader manufactured by a company called Saicoo on Amazon, where it had close to five stars from over 11,700 reviews. The issue came when he checked a zip archive containing Saicoo’s drivers against file-scanning service VirusTotal, which  flagged the file as suspicious.

VirusTotal scans showed that some 45 different security tools warned malware was inside the zip, Krebs wrote–probably a dangerous Trojan horse named Ramnit. CERT/CC vulnerability analyst Will Dormann tweeted the issue appeared not to be the driver itself, but associated HTML files infected with Windows-specific VBScript dropper code. Even worse: reached for comment by Krebs, Saicoo claimed no virus was present and to “please just ignore [the warning] and continue the installation steps.”

Stewart Scott, assistant director of the Atlantic Council’s Cyber Statecraft Initiative and co-author of studies of software supply-chain attacks, told IT Brew it seemed likely the attack intentionally targeted defense workers. However, it could also be indicative of fishing expedition-style efforts by cybercriminals to infect whatever insecure drivers they stumble across, he said.

“As an attacker, if I know DoD, people are relying on this compromisable source of software—boom, we’re gonna go after it,” Scott said. “But also, if you find something you can compromise in that supply chain, and you just want to see where it’ll take you, [that’s] also a great reason to target it.”

“I think anything where you basically leverage someone needing to trust something in the supply chain is going to be effective, but getting actual metrics is always gonna be really hard when there’s incentives not to report externally that you’ve gotten compromised,” Scott added.

Lynx Security founder Corben Leo, a security researcher who was one of three finalists in a 2020 DoD bug-bounty contest, warned that compromised CAC credentials could serve as an initial access vector into other defense networks.

“They could probably use that to log into military systems and then find more attack vectors there,” Leo said. “So they could pivot to military systems a lot easier than they would have without any of that initial access...Although it might just be the contractor’s computer initially hacked, [it] arguably can lead to much worse things.”

As Krebs noted, the closest equivalent to a DoD-approved list of CAC card readers that exists is an Army-recommended website called MilitaryCAC.com. It’s run by a retired Army veteran, Michael Danberry, which sort of means DoD has outsourced a key part of its smart-card security to a random volunteer. Scott said that this is exactly the kind of situation that his research has identified as leading to supply-chain attacks.

“The kind of clustering of attacks we see in our data set points to the phenomenon of when you look for a weak link, you’re not just looking for a weak technology, but a mismatch between resources relying on something and resources maintaining it,” Scott said. “You want to make it as convenient as possible to use the approved things, and to make it as easy as possible to figure out, organizationally, when they aren’t being used.”—TM