Case Study on supply chain attack-how an rce in jenkins leads to data breaches and whole company compromise
1. Case Study on Supply Chain Attack
How an RCE in Jenkins leads to Data Breaches & Whole Company Compromise
Adam Jordan @_adamyordan
IDSECCONF 2020
2. IDSECCONF 2020
Agenda
1. Background
The data breach scene in South-East Asia
2. The Case Study
Analysis from attacker's perspective
3. Conclusion
Lessons learned and remediation technique
3. IDSECCONF 2020
whoami
Adam Jordan
Head of Group Security R&D at Sea, Singapore
Alumni Fasilkom Universitas Indonesia
Played lots of CTFs
Security research and bug bounty
7. IDSECCONF 2020
Data Breaches in South East Asia - 2019 & 2020
Filtered by service availability in Indonesia
2019
March     Bukalapak        13M customer records leaked
August    Grab             21k drivers' & passengers' records leaked
2020
May       Tokopedia        91M customer records leaked
          Bhinneka         1.2M customer records leaked
October   Cermati          2.9M customer records leaked
          Lazada Redmart   1.1M customer accounts leaked
8. IDSECCONF 2020
The Cause?
From official statements: most of the data was leaked from a separate
internal system, not from the companies' main databases.
9. IDSECCONF 2020
The Point to Take
While many companies have invested heavily in the security
of their external, customer-facing products,
many still do not pay enough attention to the
security of their internal components.
10. IDSECCONF 2020
DevSecOps and SDLC in modern software engineering
● Software engineering prioritizes speed
○ Continuous Integration is used for automation (Jenkins)
● DevSecOps is all about integrating security into every step
of the software development lifecycle (SDLC):
○ Developers write code
○ Code is committed to the repository
○ Code goes through the build pipeline
○ Code is deployed to the production server
11. IDSECCONF 2020
The supply chain in Software Development Lifecycle
Diagram: Developers write code → Code committed to repo → Code tested & built → Code deployed to production (automated with a CI/CD pipeline)
12. IDSECCONF 2020
DevSecOps, all about integrating security in all steps within SDLC
Diagram: Developers write code → Code committed to repo → Code tested & built → Code deployed to production (automated with a CI/CD pipeline)
13. IDSECCONF 2020
Jenkins vuln stats
Jenkins has been affected by many vulnerabilities in recent years,
including RCE.
source: cvedetails.com
14. IDSECCONF 2020
The supply chain attack
Diagram: Developers write code → Code committed to repo → Code tested & built → Code deployed to production (automated with a CI/CD pipeline)
15. IDSECCONF 2020
The supply chain attack
Diagram: Developers write code → Code committed to repo → Code tested & built → Code deployed to production (automated with a CI/CD pipeline)
28. IDSECCONF 2020
Post Exploitation
● Lateral movement
Spread access to other servers using SSH keys stored in Jenkins
● Steal source code
Using Jenkins' access to the code repository
● Defacements
Tamper with the products delivered to customers, using access to the source code, the git
pipeline, and the production servers.
● Dump database
Via lateral movement to the production servers.
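The lateral movement described above leaves a trace on every server it touches: an SSH login whose source address is the CI host. A SIEM rule that knows which hosts and accounts the Jenkins controller is expected to reach can flag anything else. The following is an added example written for this page, not code from the talk; the CI host address, hostnames, service accounts and sshd log lines are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Dict

# Constructed baseline (assumption): the Jenkins controller at 10.0.5.20 is only
# expected to open SSH sessions to the two staging web hosts as user "deploy".
CI_HOSTS = {"10.0.5.20"}
EXPECTED_TARGETS = {
    "10.0.5.20": {("staging-web-1", "deploy"), ("staging-web-2", "deploy")},
}

# Matches the successful-login line written by OpenSSH's sshd into auth.log.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str      # server that accepted the login
    user: str      # account logged into
    src: str       # source address (the CI host)
    reason: str


def parse_accepted(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an 'Accepted ...' sshd line, or None for anything else."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Flag SSH logins sourced from a CI host that land outside its expected (host, user) set."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_accepted(line)
        if ev is None or ev["src"] not in CI_HOSTS:
            continue  # failed attempts and non-CI sources are out of scope here
        allowed = EXPECTED_TARGETS.get(ev["src"], set())
        if (ev["host"], ev["user"]) not in allowed:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["src"],
                                "SSH login from CI host to unexpected target/account"))
    return alerts


# Constructed sample auth.log excerpt: two normal deploys, one CI-sourced root
# login on a database host (the pattern described in the slide), one failed
# attempt, and one unrelated admin login.
SAMPLE_LOG = """\
Oct 12 02:14:01 staging-web-1 sshd[2231]: Accepted publickey for deploy from 10.0.5.20 port 51234 ssh2: RSA SHA256:aaaa
Oct 12 02:14:05 staging-web-2 sshd[1177]: Accepted publickey for deploy from 10.0.5.20 port 51240 ssh2: RSA SHA256:aaaa
Oct 12 02:31:44 prod-db-1 sshd[8890]: Accepted publickey for root from 10.0.5.20 port 51303 ssh2: RSA SHA256:aaaa
Oct 12 02:32:10 prod-db-1 sshd[8901]: Failed password for postgres from 10.0.5.20 port 51310 ssh2
Oct 12 09:00:00 prod-db-1 sshd[9123]: Accepted publickey for dba from 10.0.9.4 port 40000 ssh2: RSA SHA256:bbbb
"""


def run_sample() -> List[Alert]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.host}: {a.reason} (user={a.user}, src={a.src})")
```

The allowlist is the important part: a CI host that needs to reach production at all should do so as a dedicated, least-privileged account, so that a login as anything else, or to any other host, is unambiguous rather than noise.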
35. IDSECCONF 2020
Remediation
1. Have good insight into your security threat landscape
2. Update all components regularly
3. Properly monitor all servers you own, e.g. with a SIEM
4. Proper credential management
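"Proper credential management" can be made concrete by checking what is actually sitting in the Jenkins home and the workspaces it builds: SSH private keys, cloud access keys and passwords in plaintext are exactly what the post-exploitation steps above relied on. Below is an added example, not code from the talk or from Jenkins itself. It assumes that Jenkins writes encrypted secrets into `config.xml` as a base64 blob wrapped in braces (so brace-wrapped values are treated as already protected); the file paths and their contents are constructed.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Each rule: (kind, compiled regex). Regexes are applied per line.
RULES = [
    # Any PEM/OpenSSH private key header.
    ("private-key", re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")),
    # AWS access key id shape: AKIA followed by 16 upper-case alphanumerics.
    ("aws-access-key-id", re.compile(r"AKIA[0-9A-Z]{16}")),
    # key=value or key: value assignments with a credential-looking key name.
    ("hardcoded-credential",
     re.compile(r"(?i)(?:password|passwd|secret|token)\w*\s*[:=]\s*['\"]?(?P<val>[^\s'\"]{8,})")),
    # Credential-bearing XML elements as found in Jenkins job/config XML.
    ("plaintext-xml-secret",
     re.compile(r"<(password|passphrase|secret|privateKey)>\s*(?P<val>[^<]+?)\s*</\1>")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str   # redacted: never carry the secret itself into a report


def _redact(value: str) -> str:
    return value[:3] + "..." if len(value) > 3 else "..."


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in RULES:
            for m in rx.finditer(line):
                val = m.groupdict().get("val") or m.group(0)
                # Assumption: Jenkins-encrypted secrets look like "{<base64>}";
                # those are already protected by the controller's master key.
                if kind == "plaintext-xml-secret" and val.startswith("{") and val.endswith("}"):
                    continue
                findings.append(Finding(path, line_no, kind, _redact(val)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} mapping (used for the constructed sample)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def scan_tree(root: str) -> List[Finding]:
    """Walk a real directory (e.g. a Jenkins home) and scan every readable text file."""
    out: List[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    out.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue
    return out


# Constructed sample of what a scan of a Jenkins home might see.
SAMPLE_FILES = {
    "jobs/deploy/config.xml": "<project>\n  <password>{AQAAABAAAAAQc29tZWVuY3J5cHRlZGJsb2I=}</password>\n</project>\n",
    "jobs/legacy/config.xml": "<project>\n  <password>Sup3rS3cret!</password>\n</project>\n",
    "workspace/app/.env": "DB_HOST=db.internal\nDB_PASSWORD=correct-horse-battery\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "workspace/app/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "workspace/app/README.md": "Set DB_PASSWORD in the environment, never in git.\n",
}


def run_sample() -> List[Finding]:
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.path}:{f.line_no} {f.kind} ({f.preview})")
```

Findings on the sample are the legacy job's plaintext password, the `.env` password and AWS key, and the private key in the workspace; the encrypted `config.xml` entry and the README are correctly left alone. Each hit is a credential that should move into the Jenkins credentials store (or a vault) and be rotated, since a Jenkins compromise would have exposed it.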
36. IDSECCONF 2020
Lessons Learned and Conclusion
● As a CI/CD platform, a compromised Jenkins may lead to
a great deal of collateral damage.
○ Supply chain attack, data breaches, source code leak
● This re-emphasizes the importance of securing internal
components.
○ Companies and cybersecurity teams need to be aware that internal
components are also threat vectors that must be considered.
37. IDSECCONF 2020
This presentation is only a high-level overview, and is very limited
(because of time and media constraints).
I personally encourage more security practitioners from Indonesia to
dive deeper into technical security research.
38. IDSECCONF 2020
Thank You
Hacking is not all about compromising a system. It's more about how to find a way from point A to point B using
a previously unconsidered method.
Contact me
twitter: @_adamyordan
linkedin: @adamyordan