Alert - Supply chain compromise impacting Comm100 Live Chat software - Update 1

Number: AL22-012
Date: 2 October 2022
Updated: 13 October 2022

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On 30 September 2022 CrowdStrike published a blog detailing a new supply chain compromise impacting the Comm100 Network Corporation Footnote 1. The report describes that a highly competent threat actor conducted a supply chain compromise which resulted in a trojanized installer of the Comm100 Live Chat application being used to distribute malware. The installer was signed on 26 September 2022 using a valid Comm100 Network Corporation certificate.

The installer was last reported as being infected and accessible for download on 29 September 2022. Comm100 has recently published a clean installer (10.0.9).

The Cyber Centre has received reports of active compromise where the trojanized application has been found to be installed and in use.

Update 1

On 6 October 2022, Comm100 issued a press release Footnote 3 detailing the security incident affecting their Agent Console Windows Desktop App. Included was specific guidance Footnote 4 for removing the trojan from the Comm100 Agent Console Windows Desktop App version 10.0.8.

The Cyber Centre encourages users and administrators to review these vendor pages and to apply the provided remediations in addition to following the guidance in the recommended actions below.

Recommended actions

At this time, only two versions have been reported as containing the malicious payload:

  • 10.0.72 with SHA256 Hash 6f0fae95f5637710d1464b42ba49f9533443181262f78805d3ff13bea3b8fd45
    • Crowdstrike reports that they are aware that this file contains the same backdoor however they have not observed it in the wild.
  • 10.0.8 with SHA256 Hash ac5c0823d623a7999f0db345611084e0a494770c3d6dd5feeba4199deee82b86
    • Crowdstrike reports this file is an Electron application that contains a JavaScript (JS) backdoor within the file main.js of the embedded Asar archive.

Organizations are encouraged to identify and isolate any systems having deployed either of these versions. Crowdstrike has also published several Indicators of Compromise (IOCs) to aid network defenders in the detection of malicious activity. Footnote 1

The Cyber Centre wishes to highlight that mitigation efforts resulting from the compromise of systems by competent threat actors may require more than simply mitigating individual issues, systems, servers. In cases such as these, based on the perceived sophistication of the threat actor involved, organizations should consider additional mitigative efforts besides simply the removal or updating of the product. The Cyber Centre recommends affected customers review the Cyber Centre joint cybersecurity advisory on technical approaches to uncovering and remediating malicious activity Footnote 2.

Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, contact the Cyber Centre by email (contact@cyber.gc.ca), or by telephone (1-833-CYBER-88 or 1-833-292-3788).

Date modified: