3. WHAT THIS SESSION IS ABOUT
→ Past/Present/Future of Software Supply Chain attacks
→ A look at recent Software Supply Chain incidents discovered in 2018 by Windows Defender ATP Research team
→ New trends and variations in Software Supply Chain attacks
4. SOFTWARE SUPPLY CHAIN INCIDENTS (<2017)
[Chart: Software Supply Chain incidents on Windows and Mac systems, by year 2011 to 2017; bar values as extracted: 1, 0, 2, 4, 2, 4, 7]
Source: https://www.rsaconference.com/events/us18/agenda/sessions/10149-the-unexpected-attack-vector-software-updaters
5. SOFTWARE SUPPLY CHAIN INCIDENTS (<2017)
Period | Software Affected | Incident
Jul 2011 | ESTsoft ALZip | “SK Communications” data breach in South Korea (src: Command Five Pty)
Jun 2013 | SimDisk, Songsari | Incidents affecting Government and News website in South Korea (src: TrendMicro)
Jun 2013 to Apr 2014 | Three <undisclosed> ICS (Industrial Control System) Vendors | “DragonFly” campaign targeting energy sector and ICS industry (src: Symantec)
Jan 2014 | GOM Player | Incident at Monju reactor facility in Japan (src: Contextis)
Jan 2015 | League of Legends (LoL), Path of Exile (PoE) | PlugX malware found in two popular videogames in Asia (src: TrendMicro)
Apr 2015 | EvLog 3.0 (EventID) | Operation “Kingslayer” targeting popular sysadmin software in Fortune500 (src: RSA)
Oct 2016 to Mar 2017 | Ask Partner Network (APN) | ASK distribution network compromised to deliver malware (src: CarbonBlack)
Nov 2016 | <undisclosed> ATM software | ATM software installation package compromised with malicious script (src: Microsoft)
May 2017 | <undisclosed> Text Editor | Operation “WilySupply” targeting financial sector and IT companies (src: Microsoft)
Jun 2017 | M.e. Doc | Popular tax software used as distribution vector for PETYA (src: Kaspersky & Microsoft)
Jul 2017 | NetSarang XShell | Operation “ShadowPad”: compromised server tools for devs/sysadmins (src: Kaspersky)
Sep 2017 | CCleaner | Popular freeware tool backdoored to compromise IT companies (src: Cisco Talos & Morphisec)
11. POISONED MEDIAGET INCIDENT
→ In March, a popular torrent application (MediaGet) started to distribute a backdoored update through the regular update mechanism, for unknown reasons
→ The backdoored binary was also signed, but by an unrelated software developer company in Mexico
→ This campaign ended up installing the Dofoil trojan and a Coin Miner automatically on thousands of machines using the MediaGet update
→ Attackers probably had access to the source code and build infrastructure of MediaGet in order to rebuild a trojanized version
Source: https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak/
12. POISONED MEDIAGET INCIDENT
→ Signature validation is bypassed using just another cert (stolen from another dev company)
→ New recompiled MediaGet build includes a special “RUN” command
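The MediaGet slide makes the defender's point: a signature that is merely "valid" only proves the binary was signed by someone holding a certificate that chains to a trusted root, and a stolen certificate from an unrelated developer satisfies that. The check that catches the case is pinning the expected publisher. The following PowerShell is an added example, not code from the talk or from Microsoft; it assumes $ExpectedThumbprint is the SHA-1 thumbprint of the vendor's genuine code-signing certificate, recorded from a known-good release, and the paths and thumbprint in the usage lines are placeholders.

```powershell
# Added example: pin the expected publisher instead of accepting any certificate
# that chains to a trusted root.
# Assumption: $ExpectedThumbprint was recorded from a known-good, vendor-signed release.

function Test-UpdateSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: the usual check; the signature must be valid and chain to a trusted root
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "signature status $($sig.Status)" }
    }

    # Step 2: the check a re-signed build slips past: the signer must be the vendor we
    # pinned, not merely some developer whose certificate happens to be trusted
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $ExpectedThumbprint) {
        return [pscustomobject]@{
            Path    = $Path
            Verdict = 'REJECT'
            Reason  = "valid signature but unexpected signer '$($sig.SignerCertificate.Subject)' ($actual)"
        }
    }
    return [pscustomobject]@{ Path = $Path; Verdict = 'ACCEPT'; Reason = 'signer matches pinned publisher' }
}

# Hunting variant: sweep an application directory and list every signed binary whose
# signer is not the pinned publisher (a rebuilt, re-signed component stands out here).
function Find-UnexpectedSigners {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    Get-ChildItem -Path $Directory -Recurse -Include *.exe, *.dll, *.msi |
        ForEach-Object { Test-UpdateSigner -Path $_.FullName -ExpectedThumbprint $ExpectedThumbprint } |
        Where-Object { $_.Verdict -eq 'REJECT' }
}

# Usage (paths and thumbprint are placeholders):
# Test-UpdateSigner -Path 'C:\Program Files\MediaGet\update.exe' -ExpectedThumbprint 'PLACEHOLDER_SHA1_THUMBPRINT'
# Find-UnexpectedSigners -Directory 'C:\Program Files\MediaGet' -ExpectedThumbprint 'PLACEHOLDER_SHA1_THUMBPRINT'
```

Pinning a thumbprint is the strictest form; pinning the certificate subject (or the issuer plus subject) survives routine certificate renewal at the cost of slightly weaker binding, and the choice depends on how often the vendor rotates keys. Either way the decision moves from "is this signed?" to "is this signed by the party I agreed to trust?".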
17. ATTACK INCEPTION: SUPPLY CHAIN OF SUPPLY CHAIN
→ Between January and March, Windows Defender ATP detected certain machines compromised by the same type of CoinMiner
→ Hunting down the root cause of these unrelated incidents, a common MSI font package was found to be the installation vector of the CoinMiner
→ The MSI package was downloaded and installed by a legitimate PDF editor application
→ The PDF editor software company was unaware that the MSI package, produced by another vendor, was compromised
Source: https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/
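The root-cause hunt described above started from a question every fleet can ask: which MSI packages were installed recently, and by which manufacturers? Windows Installer records each completed install in the Application log (provider MsiInstaller, event ID 1033, whose message carries the product name, version and manufacturer). The PowerShell below is an added example, not Microsoft's tooling from the write-up; it assumes that event format and takes a vendor allow-list you maintain. The manufacturer names in the usage line are placeholders.

```powershell
# Added example: inventory MSI installs from the Windows Installer event log and flag
# manufacturers outside an allow-list, the kind of inventory that surfaces a third-party
# font package pulled in by an otherwise legitimate application.
# Assumption: MsiInstaller event 1033 ("Windows Installer installed the product") in the
# Application log; $AllowedManufacturers is the curated set of vendors you expect.

function Get-MsiInstallHistory {
    param([int] $Days = 90)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1033
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Message format: "... Product Name: X. Product Version: Y. Product Language: Z. Manufacturer: M. ..."
        $m = [regex]::Match($e.Message,
            'Product Name: (?<name>.+?)\. Product Version: (?<ver>.+?)\. Product Language: .+?\. Manufacturer: (?<vendor>.+?)\.')
        if (-not $m.Success) { continue }
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Product      = $m.Groups['name'].Value
            Version      = $m.Groups['ver'].Value
            Manufacturer = $m.Groups['vendor'].Value
        }
    }
}

function Find-UnexpectedMsiVendors {
    param(
        [Parameter(Mandatory)] [string[]] $AllowedManufacturers,   # assumption: your curated vendor allow-list
        [int] $Days = 90
    )
    Get-MsiInstallHistory -Days $Days |
        Where-Object { $AllowedManufacturers -notcontains $_.Manufacturer } |
        Sort-Object Time -Descending
}

# Usage (manufacturer names are placeholders):
# Find-UnexpectedMsiVendors -AllowedManufacturers @('Microsoft Corporation', 'Example PDF Editor Vendor')
```

This log does not record which process invoked the installer, so it answers "what was installed" but not "who fetched it"; tying the package to the PDF editor, as the write-up did, needs process and network telemetry from an EDR. Run fleet-wide, the vendor list from this script is a cheap first pass that makes an unfamiliar manufacturer visible before anyone is looking for a miner.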
20. “9002 RAT” CASE
→ “The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process.”
→ “The code-signing certificate from the remote support solutions provider is stolen. It’s possible that the certificate was stolen as early as April 2018”
→ “Malicious update files are prepared, signed with the stolen certificate, and uploaded to the attacker’s server (207[.]148[.]94[.]157).”
Source: https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/
21. JUST A PROBLEM OF TRADITIONAL SOFTWARE (COMPILED BINARIES)?
22. TRUST COMPLEXITIES IN CLOUD WORLD
[Diagram: Enterprise Org at the center, with trust relationships to each of the following]
→ Hardware and Software Suppliers
→ Open Source Software Suppliers
→ Cloud Services and Infrastructure Suppliers
→ Vendors and Acquisitions
28. COMPROMISED DOCKER IMAGES ON DOCKER HUB (JUN, 2018)
→ A malicious Docker Hub account uploaded 14 Docker images with a hidden CoinMiner backdoor
→ The backdoored Docker images were downloaded almost 5M times by innocent administrators and used
→ The malicious script hidden in the packages may continue to run on cloud servers even after users deleted the Docker images
→ The attacker operated for almost 1 year before any action was taken
Source: [1] https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html
[2] https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers
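The Docker Hub case and the conclusion that binary trust models are not yet replicated for containers point at the same gap: a tag such as image:latest names whatever was pushed most recently, not reviewed content. The content digest (sha256:…) is the closest thing a container has to a pinned publisher. The PowerShell below is an added example, not from Fortinet, Kromtech or the talk; it assumes the Docker CLI is on PATH and that $ApprovedDigests is an allow-list you maintain from images you have reviewed. The image name and digest in the usage line are placeholders.

```powershell
# Added example: compare locally pulled images against an allow-list of content digests,
# so an image re-pushed under a familiar tag (or an image nobody approved) is noticed.
# Assumptions: Docker CLI on PATH; $ApprovedDigests maps 'repo:tag' to a reviewed sha256 digest.

function Get-LocalImageDigests {
    # One line per image: "repo:tag sha256:..." (locally built images report <none>)
    docker images --digests --format '{{.Repository}}:{{.Tag}} {{.Digest}}' |
        ForEach-Object {
            $image, $digest = $_ -split ' ', 2
            [pscustomobject]@{ Image = $image; Digest = $digest }
        }
}

function Find-UnapprovedImages {
    param([Parameter(Mandatory)] [hashtable] $ApprovedDigests)  # image -> expected sha256 digest
    Get-LocalImageDigests | Where-Object {
        $expected = $ApprovedDigests[$_.Image]
        # Flag an image that is not on the list at all, or a listed image whose
        # content no longer matches the digest that was reviewed
        (-not $expected) -or ($_.Digest -ne $expected)
    }
}

# Usage (image name and digest are placeholders):
# Find-UnapprovedImages -ApprovedDigests @{ 'example/app:1.0' = 'sha256:PLACEHOLDER_DIGEST' }
```

The same idea belongs at deploy time: referencing images as repo@sha256:… in Dockerfiles and compose files makes a tag swap on the registry a no-op rather than a silent upgrade. Note also the slide's last point: removing an image does not stop containers already started from it, so the inventory worth checking after a bad pull is the running containers, not only the image list.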
30. CONCLUSIONS
→ Software Supply Chain attacks are still trending in 2018
→ High degree of variation across the cloud perimeter, not just binary code
→ No longer a technique just for nation-state attackers (cybercriminals and coinminers joining the club)
→ “Code Execution” for cloud attackers is a broader concept; attacks may arrive from unexpected entry vectors
→ DevOps accounts and machines are the weakest link
→ Well-defined trust models for software binaries are not yet replicated for code in the cloud, open source, web libraries, containers:
  → e.g. new business models emerge: https://nodesource.com/products/certified-modules
→ Detection of Software Supply Chain attacks across the entire spectrum is still difficult; current detections are happening post-breach (EDR & DFIR)