SlideShare a Scribd company logo
1 of 41
Download to read offline
SolarWinds Hacked -
find the targets
ZY WU & CK Chen
About
ZY Wu
• Threat analysts at Fox-IT intel team
• Malware analysis & threat intel
• Find me at zong-yu.wu@fox-it.com
CK Chen
• HITCON Member
• HITCON 2021 Review Board Chairman
• Researcher, focus on malware analysis, APT investigation and threat intel
Agenda
• What happened?
• Define the supply chain attack
• Impact Assessment – Finding the targets
• How special it is?
Kudos to
Danny at Fox-IT
YJ at TrendMicro
Anonymous Hamster at Exercise wheel
CrowdStrike
release SUNSPOT
investigation
report
2021.01.11
2021.01.13
CISA: bypass MFA
in cloud services
FireEye released
Remediation for
Microsoft 365
2021.01.19
2021.01.19
MalwareBytes
claim to be
hacked
Microsoft
Deep dive into
the Solorigate
second-stage
activation
2021.01.22
2021.02.18
Microsoft Internal
Solorigate
Investigation – Final
Update
Microsoft,
FireEye New
SUNSHUTTLE
Backdoor
Targeting U.S.-
Based Entity
2021.03.04
FireEye
hacked, Red
team tools
leaked
2020.12.09
2020.12.13
CISA issued
emergence
directive
WSJ, REUTERS
U.S. Treasury
and Commerce
departments
Hacked
2020.12.13-14
2020.12.15-18
Second
malware
Supernova
discovered
Microsoft,
FireEye,
GoDaddy
establish
killswitch
2020.12.17
2020.12.17
Microsoft
report
potential
victims
Microsoft
confirmed
source code
stolen
2020.12.31
2021.01.05
CISA, DNI,
NSA suspect
the actor is
Russia-based
Department
of Justice
confirmed
hacked
2021.01.06
AB
(A %verb% B)
Target Supplier Attacker
Target
Afraid of (the
insider)
Relied on Afraid of
Supplier Relied on - Afraid of
Attacker Interested in Proxy through -
Advantage of exploiting Supply Chain
• Abuse the trust between supplier and targets
• It is possible to find a weaker supplier among those
• Compromising a whole range of companies if the major supplier in a sector is
taken
Attack Against Code Dev.
Commit
->
Build (Signing)
->
Test
->
Deploy
Commit ->
SUNSPOT injects SUNBURST ->
Build (Signing)
->
Test (SUNBURST stay low)
->
Deploy
->
SUNBURST’s party time
Impact Assessment
• More likely espionage purpose, but this is tough to do impact assessment.
• In this presentation, I invite you to take a journey with me to picture targeted
industry.
Malwares on the Desk
SUNSPOT
(injector)
SUNBURST
(Beacon)
TEARDROP
(Loader)
RAINDROP
(Loader)
GoldMax
Inside SolarWinds
Running at Victims’ Env.
SiBot
GoldFinder
CobaltStrike
SUNBURST under X-Ray
• The beacon, the backdoor, installed to SolarWinds Orion Platform.
• It avoids being launched in any dev. env.
SUNBURST under X-Ray
The malware use customized FNV-1A hash algorithm to store resources:
Malware stays low under these AD
domains:
It checks antivirus driver/process/service
and analysis tool as well.
https://github.com/fireeye/sunburst_countermeasures/blob/mai
n/hashcat.potfile
swdev.local saas.swi
emea.sales dmz.local
pci.local lab.local
apac.lab dev.local
swdev.dmz lab.rio
cork.lab lab.brno
lab.na test
Solarwinds
SUNBURST was coded like a
legitimate class, for example:
Encode Process
Name in fact
Mimicking the
legitimate traffic on
the Platform
SUNBURST under X-Ray
• The beacon, the backdoor, installed to SolarWinds Orion Platform.
• It avoids being launched in any dev. env.
• The callback domain is generated by victim information on DNS protocol.
• Stage 1 – on DNS to get the HTTP sever
• Stage 2 – on HTTP for the backdoor
• There are up to 4 different types (2 encoding x 2 input), giving an example:
57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com
SUNBURST Callback Protocol
Prefix Fixed Random C&C
15 else
Encoded GUID Encoded
AD domain name
06a4ea63c80ee24a scc.state.va.
-> The AD domain can be retrieved by a DNS query!
-> Reverse Engineering to decode
SUNBURST Callback Protocol
• DNS traffic, for those are not running on SSL, is not encrypted
• It is possible to gather the domains which were been queried at a certain time
by listening the network traffic from the internet backbone.
• This dataset is called Passive DNS record.
ASSOCIATED
[T+AVs]
TRUNCATED
Backdoor stopped
PASSIVE
[domain[:15],
domain[15:]]
Potential Target,
Response magic A record
Not interesting
ACTIVE
Backdoor on HTTP
[T+AVs + Active bit]
Select Target,
Response HTTP C&C server at CNAME
DGA Encoding method for PASSIVE state
DGA Encoding method for ASSOCIATED/ACTIVE state
Searching the victims (in PASSIVE mode)
57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com
m1g39j9sctjtv6m0f6.appsync-api.us-east-1.avsvmcloud.com
Prefix Fixed Random C&C
15 else
Encoded GUID Encoded
AD domain name
06a4ea63c80ee24a scc.state.va.
Prefix Fixed Random C&C
15
Encoded GUID
06a4ea63c80ee24a us Add up to scc.state.va.us
DGA Encoding method for PASSIVE state
Unique entry #
PASSIVE 28,737
ASSOCIATED 7,029
ACTIVE 119
ASSOCIATED
[T+AVs]
TRUNCATED
Backdoor stopped
ACTIVE
Backdoor on HTTP
[T+AVs + Active bit]
Select Target,
Response HTTP C&C server at CNAME
DGA Encoding method for PASSIVE state
DGA Encoding method for ASSOCIATED/ACTIVE state
Searching the targets (in ACTIVE mode)
9q5jifedn8aflr4ge3nu.appsync-api.us-east-1.avsvmcloud.com
Prefix Fixed Random C&C
8 3 else
GUID Meta Running Antivirus
06a4ea63c80ee24a mode=1
active=1
timestamp=2020-05-31 12:00:00
The GUID is mapped to
scc.state.va.us
DGA Encoding method for ASSOCIATED/ACTIVE state
Searching the targets (in ACTIVE mode)
scc.state.va.us
central.pima.gov
mgt.srb.europa
fc.gov
ddsn.gov
phpds.org
central.pima.gov
Government
HQ.FIDELLA
lagnr.chevronte
xaco.net
coxnet.cox.com
Energy
ng.ds.army.mil
nsanet.local
Defense
corp.qualys.com
paloaltonetworks.com
logitech.local
wctc.msft
ggsg-us.cisco.com
cisco.com
fox.local
Tech/CyberSecurity
AB
(A %verb% B)
Target Supplier Attacker
Target
Afraid of (the
insider)
Relied on &
Afraid of
Afraid of
Supplier Relied on - Afraid of
Attacker Interested in Proxy through -
Software
Supply Chain
While better defense mechanism is
deployed, threat actor move their target
to the weakest point of supply chain
More complicated software -> more
complicated supply chain
We talk a lot about supply chain, so…
What’s the supply chain of you daily used software?
Stack
Overflow
Source
Code
Library
Code
Text
Book/Doc
Copy Code
compiler
Version
Control
Static
Library
Linker Executables
CI
Release
Site
Update
Dispatch Dynamic
library
Executables Loader Executing
In side your program, do you know where is every
component come from?
Every step here is
possible to be
compromised
Stack
Overflow
Source
Code
Library
Code
Text
Book/Doc
Copy Code
compiler
Version
Control
Static
Library
Linker Executables
CI
Release
Site
Update
Dispatch Dynamic
library
Executables Loader Executing
Stack Overflow Considered
Harmful?The Impact of
Copy&Paste on Android
Application Security(2015)
Stack
Overflow
Source
Code
Library
Code
Text
Book/Doc
Copy Code
compiler
Version
Control
Static
Library
Linker Executables
CI
Release
Site
Update
Dispatch Dynamic
library
Executables Loader Executing
Malicious event-stream
backdoor (2019)
Ruby strong_password
Backdoor (2019)
Stack
Overflow
Source
Code
Library
Code
Text
Book/Doc
Copy Code
compiler
Version
Control
Static
Library
Linker Executables
CI
Release
Site
Update
Dispatch Dynamic
library
Executables Loader Executing
XcodeGhost (2015)
Stack
Overflow
Source
Code
Library
Code
Text
Book/Doc
Copy Code
compiler
Version
Control
Static
Library
Linker Executables
CI
Release
Site
Update
Dispatch Dynamic
library
Executables Loader Executing
CCleaner Attack
(2018)
Stack
Overflow
Source
Code
Library
Code
Text
Book/Doc
Copy Code
compiler
Version
Control
Static
Library
Linker Executables
CI
Release
Site
Update
Dispatch Dynamic
library
Executables Loader Executing
Operation GG(2015)
Stack
Overflow
Source
Code
Library
Code
Text
Book/Doc
Copy Code
compiler
Version
Control
Static
Library
Linker Executables
CI
Release
Site
Update
Dispatch Dynamic
library
Executables Loader Executing
APTs Utilize Supply Chain Attacks
• While most organization gradually enhance their security, adversarial
try to compromised the weakest point of partner/supply chain first.
ASUS Shadow
Hammer(2019)
Discovered by Kaspersky
ASUS Web Storage(2019)
We discover this operation in the
same time as ESET
APTs Utilize Supply Chain Attacks
• While most organization gradually enhance their security, adversarial
try to compromised the weakest point of partner/supply chain first.
SolarWinds Supply Chain
Attack (2021)
Highlight TTPs
• Supply Chain Attack: Large number of enterprises are potential
victims
• Compromise DevOps: Keep Stealthy in Develop Environment
• Sophiscated Malware: Separate the Malware’s Execution Path
• Attacking the Cloud Service
Attacking the Cloud Service
• Lateral movement from on-premises networks to gain unauthorized
access to the victim’s Microsoft 365 environment
• Golden SAML Attack
• Modify Trusted Domains
• Hijack Azure AD Applications
• Compromise the credentials of
on-premises user accounts
that are synchronized to
Microsoft 365
Mitigation
• Threat Hunting for Malicious IoCs
• FireEye’s Red Team Tool IoCs
• SunBurst IoCs
• CISA “Advanced Persistent Threat Compromise of Government Agencies, Critical
Infrastructure, and Private Sector Organizations”
• Summary about the IoCs
• https://shorturl.at/fxKTV
Mitigation
• Mandiant Azure AD Investigator
• https://github.com/fireeye/Mandiant-Azure-AD-Investigator
• CISA “Strengthening Security Configurations to Defend Against
Attackers Targeting Cloud Services”
• https://github.com/cisagov/Sparrow
Lesson Learned
• While being compromised is hard to avoid, proactive threat hunting and
response to the incident.
• Communicate and share with security community
• Sophiscated APT attacks
• Supply Chain Attack
• Compromised DepOp Process
• Laverage cloud service attacks
• Supply chain security will still be the loophole for enterprises’ security
• Using threat intelligence, e.g. PDNS, to help us understand threat actor’s
targets
• Cloud Services become a new attack vector for LM
Q&A

More Related Content

What's hot

MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...Cristian Garcia G.
 
A look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineA look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineKaspersky
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziCSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziNCCOMMS
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVThomas Roccia
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersDragos, Inc.
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsChristopher Gerritz
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server:  A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server:  A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackDragos, Inc.
 
Behavior-Based Defense in ICS
Behavior-Based Defense in ICSBehavior-Based Defense in ICS
Behavior-Based Defense in ICSDragos, Inc.
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityDragos, Inc.
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE - ATT&CKcon
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareThomas Roccia
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 

What's hot (20)

DFIR Training: RDP Triage
DFIR Training: RDP TriageDFIR Training: RDP Triage
DFIR Training: RDP Triage
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
 
Russia the threat landscape
Russia  the threat landscapeRussia  the threat landscape
Russia the threat landscape
 
A look at current cyberattacks in Ukraine
A look at current cyberattacks in UkraineA look at current cyberattacks in Ukraine
A look at current cyberattacks in Ukraine
 
CSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael NarezziCSF18 - Guarding Against the Unknown - Rafael Narezzi
CSF18 - Guarding Against the Unknown - Rafael Narezzi
 
CoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLV
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS Defenders
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server:  A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server:  A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
 
Behavior-Based Defense in ICS
Behavior-Based Defense in ICSBehavior-Based Defense in ICS
Behavior-Based Defense in ICS
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial Security
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 

Similar to 【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】

Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)TzahiArabov
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud EnvironmentShapeBlue
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinJonnathan Griffin
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2016
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingInvincea, Inc.
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Brian Vermeer
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZeditsRod Soto
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...LibbySchulze
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...
Criminal IP ASM | Threat Intelligence-based  Automated Attack Surface Managem...Criminal IP ASM | Threat Intelligence-based  Automated Attack Surface Managem...
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...Criminal IP
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecuritySplunk
 

Similar to 【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】 (20)

Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX VMworld 2013: Security Automation Workflows with NSX
VMworld 2013: Security Automation Workflows with NSX
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny Griffin
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...Armo webinar rethinking your cloud security in the shadow of the solar winds ...
Armo webinar rethinking your cloud security in the shadow of the solar winds ...
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
 
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...
Criminal IP ASM | Threat Intelligence-based  Automated Attack Surface Managem...Criminal IP ASM | Threat Intelligence-based  Automated Attack Surface Managem...
Criminal IP ASM | Threat Intelligence-based Automated Attack Surface Managem...
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 

More from Hacks in Taiwan (HITCON)

HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】Hacks in Taiwan (HITCON)
 
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】Hacks in Taiwan (HITCON)
 
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享Hacks in Taiwan (HITCON)
 
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
 HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記  HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記 Hacks in Taiwan (HITCON)
 
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】Hacks in Taiwan (HITCON)
 
【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...
【HITCON FreeTalk 2021 -  From fakespy to Guerilla: Understanding Android malw...【HITCON FreeTalk 2021 -  From fakespy to Guerilla: Understanding Android malw...
【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...Hacks in Taiwan (HITCON)
 
【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹Hacks in Taiwan (HITCON)
 
HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊 HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊 Hacks in Taiwan (HITCON)
 
HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介Hacks in Taiwan (HITCON)
 
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果Hacks in Taiwan (HITCON)
 
2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生Hacks in Taiwan (HITCON)
 

More from Hacks in Taiwan (HITCON) (20)

HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題二:Cyber War - 網路戰與地緣政治】
 
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】
HITCON FreeTalk 2024 台灣駭客協會媒體小聚【議題一:資安地圖 - 資安領域與趨勢介紹】
 
HITCON CISO Summit 2023 - Closing
HITCON CISO Summit 2023 - ClosingHITCON CISO Summit 2023 - Closing
HITCON CISO Summit 2023 - Closing
 
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
HITCON FreeTalk 2022 - 自己的SOC自己管-- SOC建置的心路歷程分享
 
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
 HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記  HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
HITCON FreeTalk 2022 - Zero Trust Architecture 讀書筆記
 
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
 
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
【HITCON FreeTalk 2022 - 我把在網頁框架發現的密碼學漏洞變成 CTF 題了】
 
【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...
【HITCON FreeTalk 2021 -  From fakespy to Guerilla: Understanding Android malw...【HITCON FreeTalk 2021 -  From fakespy to Guerilla: Understanding Android malw...
【HITCON FreeTalk 2021 - From fakespy to Guerilla: Understanding Android malw...
 
【HITCON FreeTalk】Supply Chain Attack
【HITCON FreeTalk】Supply Chain Attack【HITCON FreeTalk】Supply Chain Attack
【HITCON FreeTalk】Supply Chain Attack
 
【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹【HITCON FreeTalk】HITCON 2017 下半年活動介紹
【HITCON FreeTalk】HITCON 2017 下半年活動介紹
 
HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊 HITCON TALK 技術解析 SWIFT Network 攻擊
HITCON TALK 技術解析 SWIFT Network 攻擊
 
HITCON TALK ATM 金融攻擊事件解析
HITCON TALK ATM 金融攻擊事件解析HITCON TALK ATM 金融攻擊事件解析
HITCON TALK ATM 金融攻擊事件解析
 
HITCON TALK 產業視野下的 InfoSec
HITCON TALK 產業視野下的 InfoSecHITCON TALK 產業視野下的 InfoSec
HITCON TALK 產業視野下的 InfoSec
 
HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介HITCON TALK 台灣駭客協會年度活動簡介
HITCON TALK 台灣駭客協會年度活動簡介
 
HITCON CTF 導覽
HITCON CTF 導覽HITCON CTF 導覽
HITCON CTF 導覽
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
 
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
Hacker as a maker 如何利用 mtk 7688 設計出超炫的 ctf 決賽戰場燈控效果
 
2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生2015 資安從業人員的寶(鬼)島求生
2015 資安從業人員的寶(鬼)島求生
 
CTF 經驗分享
CTF 經驗分享CTF 經驗分享
CTF 經驗分享
 
台灣資安人才培育現況
台灣資安人才培育現況台灣資安人才培育現況
台灣資安人才培育現況
 

Recently uploaded

Scootsy Overview Deck - Pan City Delivery
Scootsy Overview Deck - Pan City DeliveryScootsy Overview Deck - Pan City Delivery
Scootsy Overview Deck - Pan City Deliveryrishi338139
 
Principles of Management Touchstone 4 Template APPLE INC.ppt.pptx
Principles of Management Touchstone 4 Template APPLE INC.ppt.pptxPrinciples of Management Touchstone 4 Template APPLE INC.ppt.pptx
Principles of Management Touchstone 4 Template APPLE INC.ppt.pptxvirginiagaddafi
 
Sunlight Spectacle 2024 Practical Action Launch Event 2024-04-08
Sunlight Spectacle 2024 Practical Action Launch Event 2024-04-08Sunlight Spectacle 2024 Practical Action Launch Event 2024-04-08
Sunlight Spectacle 2024 Practical Action Launch Event 2024-04-08LloydHelferty
 
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...
Testing with Fewer Resources:  Toward Adaptive Approaches for Cost-effective ...Testing with Fewer Resources:  Toward Adaptive Approaches for Cost-effective ...
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...Sebastiano Panichella
 
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptxerickamwana1
 
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...Sebastiano Panichella
 
Basic overview of nerve conduction studies
Basic overview of nerve conduction studiesBasic overview of nerve conduction studies
Basic overview of nerve conduction studiesDrAbdulAli1
 
Understanding Post Production changes (PPC) in Clinical Data Management (CDM)...
Understanding Post Production changes (PPC) in Clinical Data Management (CDM)...Understanding Post Production changes (PPC) in Clinical Data Management (CDM)...
Understanding Post Production changes (PPC) in Clinical Data Management (CDM)...soumyapottola
 
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunity
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunityDon't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunity
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunityApp Ethena
 
GESCO SE Press and Analyst Conference on Financial Results 2024
GESCO SE Press and Analyst Conference on Financial Results 2024GESCO SE Press and Analyst Conference on Financial Results 2024
GESCO SE Press and Analyst Conference on Financial Results 2024GESCO SE
 
Personal Branding Lecture for Advanced Digital & Social Media Strategy at UCL...
Personal Branding Lecture for Advanced Digital & Social Media Strategy at UCL...Personal Branding Lecture for Advanced Digital & Social Media Strategy at UCL...
Personal Branding Lecture for Advanced Digital & Social Media Strategy at UCL...Valters Lauzums
 

Recently uploaded (11)

Scootsy Overview Deck - Pan City Delivery
Scootsy Overview Deck - Pan City DeliveryScootsy Overview Deck - Pan City Delivery
Scootsy Overview Deck - Pan City Delivery
 
Principles of Management Touchstone 4 Template APPLE INC.ppt.pptx
Principles of Management Touchstone 4 Template APPLE INC.ppt.pptxPrinciples of Management Touchstone 4 Template APPLE INC.ppt.pptx
Principles of Management Touchstone 4 Template APPLE INC.ppt.pptx
 
Sunlight Spectacle 2024 Practical Action Launch Event 2024-04-08
Sunlight Spectacle 2024 Practical Action Launch Event 2024-04-08Sunlight Spectacle 2024 Practical Action Launch Event 2024-04-08
Sunlight Spectacle 2024 Practical Action Launch Event 2024-04-08
 
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...
Testing with Fewer Resources:  Toward Adaptive Approaches for Cost-effective ...Testing with Fewer Resources:  Toward Adaptive Approaches for Cost-effective ...
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...
 
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
 
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
 
Basic overview of nerve conduction studies
Basic overview of nerve conduction studiesBasic overview of nerve conduction studies
Basic overview of nerve conduction studies
 
Understanding Post Production changes (PPC) in Clinical Data Management (CDM)...
Understanding Post Production changes (PPC) in Clinical Data Management (CDM)...Understanding Post Production changes (PPC) in Clinical Data Management (CDM)...
Understanding Post Production changes (PPC) in Clinical Data Management (CDM)...
 
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunity
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunityDon't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunity
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunity
 
GESCO SE Press and Analyst Conference on Financial Results 2024
GESCO SE Press and Analyst Conference on Financial Results 2024GESCO SE Press and Analyst Conference on Financial Results 2024
GESCO SE Press and Analyst Conference on Financial Results 2024
 
Personal Branding Lecture for Advanced Digital & Social Media Strategy at UCL...
Personal Branding Lecture for Advanced Digital & Social Media Strategy at UCL...Personal Branding Lecture for Advanced Digital & Social Media Strategy at UCL...
Personal Branding Lecture for Advanced Digital & Social Media Strategy at UCL...
 

【HITCON FreeTalk 2021 - SolarWinds 供應鏈攻擊事件分析】

  • 1. SolarWinds Hacked - find the targets ZY WU & CK Chen
  • 2. About ZY Wu • Threat analysts at Fox-IT intel team • Malware analysis & threat intel • Find me at zong-yu.wu@fox-it.com CK Chen • HITCON Member • HITCON 2021 Review Board Chairman • Researcher, focus on malware analysis, APT investigation and threat intel
  • 3. Agenda • What happened? • Define the supply chain attack • Impact Assessment – Finding the targets • How special it is?
  • 4. Kudos to Danny at Fox-IT YJ at TrendMicro Anonymous Hamster at Exercise wheel
  • 5.
  • 6. CrowdStrike release SUNSPOT investigation report 2021.01.11 2021.01.13 CISA: bypass MFA in cloud services FireEye released Remediation for Microsoft 365 2021.01.19 2021.01.19 MalwareBytes claim to be hacked Microsoft Deep dive into the Solorigate second-stage activation 2021.01.22 2021.02.18 Microsoft Internal Solorigate Investigation – Final Update Microsoft, FireEye New SUNSHUTTLE Backdoor Targeting U.S.- Based Entity 2021.03.04 FireEye hacked, Red team tools leaked 2020.12.09 2020.12.13 CISA issued emergence directive WSJ, REUTERS U.S. Treasury and Commerce departments Hacked 2020.12.13-14 2020.12.15-18 Second malware Supernova discovered Microsoft, FireEye, GoDaddy establish killswitch 2020.12.17 2020.12.17 Microsoft report potential victims Microsoft confirmed source code stolen 2020.12.31 2021.01.05 CISA, DNI, NSA suspect the actor is Russia-based Department of Justice confirmed hacked 2021.01.06
  • 7.
  • 8. AB (A %verb% B) Target Supplier Attacker Target Afraid of (the insider) Relied on Afraid of Supplier Relied on - Afraid of Attacker Interested in Proxy through -
  • 9. Advantage of exploiting Supply Chain • Abuse the trust between supplier and targets • It is possible to find a weaker supplier among those • Compromising a whole range of companies if the major supplier in a sector is taken
  • 10. Attack Against Code Dev. Commit -> Build (Signing) -> Test -> Deploy Commit -> SUNSPOT injects SUNBURST -> Build (Signing) -> Test (SUNBURST stay low) -> Deploy -> SUNBURST’s party time
  • 11. Impact Assessment • More likely espionage purpose, but this is tough to do impact assessment. • In this presentation, I invite you to take a journey with me to picture targeted industry.
  • 12. Malwares on the Desk SUNSPOT (injector) SUNBURST (Beacon) TEARDROP (Loader) RAINDROP (Loader) GoldMax Inside SolarWinds Running at Victims’ Env. SiBot GoldFinder CobaltStrike
  • 13. SUNBURST under X-Ray • The beacon, the backdoor, installed to SolarWinds Orion Platform. • It avoids being launched in any dev. env.
  • 14. SUNBURST under X-Ray The malware use customized FNV-1A hash algorithm to store resources:
  • 15. Malware stays low under these AD domains: It checks antivirus driver/process/service and analysis tool as well. https://github.com/fireeye/sunburst_countermeasures/blob/mai n/hashcat.potfile swdev.local saas.swi emea.sales dmz.local pci.local lab.local apac.lab dev.local swdev.dmz lab.rio cork.lab lab.brno lab.na test Solarwinds SUNBURST was coded like a legitimate class, for example: Encode Process Name in fact Mimicking the legitimate traffic on the Platform
  • 16. SUNBURST under X-Ray • The beacon, the backdoor, installed to SolarWinds Orion Platform. • It avoids being launched in any dev. env. • The callback domain is generated by victim information on DNS protocol. • Stage 1 – on DNS to get the HTTP sever • Stage 2 – on HTTP for the backdoor
  • 17. • There are up to 4 different types (2 encoding x 2 input), giving an example: 57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com SUNBURST Callback Protocol Prefix Fixed Random C&C 15 else Encoded GUID Encoded AD domain name 06a4ea63c80ee24a scc.state.va. -> The AD domain can be retrieved by a DNS query! -> Reverse Engineering to decode
  • 18. SUNBURST Callback Protocol • DNS traffic, for those are not running on SSL, is not encrypted • It is possible to gather the domains which were been queried at a certain time by listening the network traffic from the internet backbone. • This dataset is called Passive DNS record.
  • 19. ASSOCIATED [T+AVs] TRUNCATED Backdoor stopped PASSIVE [domain[:15], domain[15:]] Potential Target, Response magic A record Not interesting ACTIVE Backdoor on HTTP [T+AVs + Active bit] Select Target, Response HTTP C&C server at CNAME DGA Encoding method for PASSIVE state DGA Encoding method for ASSOCIATED/ACTIVE state
  • 20. Searching the victims (in PASSIVE mode) 57tadh50ha5mr9ah6ee0o6iuir0iwu0c.appsync-api.us-east-1.avsvmcloud.com m1g39j9sctjtv6m0f6.appsync-api.us-east-1.avsvmcloud.com Prefix Fixed Random C&C 15 else Encoded GUID Encoded AD domain name 06a4ea63c80ee24a scc.state.va. Prefix Fixed Random C&C 15 Encoded GUID 06a4ea63c80ee24a us Add up to scc.state.va.us DGA Encoding method for PASSIVE state
  • 21. Unique entry # PASSIVE 28,737 ASSOCIATED 7,029 ACTIVE 119
  • 22. ASSOCIATED [T+AVs] TRUNCATED Backdoor stopped ACTIVE Backdoor on HTTP [T+AVs + Active bit] Select Target, Response HTTP C&C server at CNAME DGA Encoding method for PASSIVE state DGA Encoding method for ASSOCIATED/ACTIVE state
  • 23. Searching the targets (in ACTIVE mode) 9q5jifedn8aflr4ge3nu.appsync-api.us-east-1.avsvmcloud.com Prefix Fixed Random C&C 8 3 else GUID Meta Running Antivirus 06a4ea63c80ee24a mode=1 active=1 timestamp=2020-05-31 12:00:00 The GUID is mapped to scc.state.va.us DGA Encoding method for ASSOCIATED/ACTIVE state
  • 24. Searching the targets (in ACTIVE mode) scc.state.va.us central.pima.gov mgt.srb.europa fc.gov ddsn.gov phpds.org central.pima.gov Government HQ.FIDELLA lagnr.chevronte xaco.net coxnet.cox.com Energy ng.ds.army.mil nsanet.local Defense corp.qualys.com paloaltonetworks.com logitech.local wctc.msft ggsg-us.cisco.com cisco.com fox.local Tech/CyberSecurity
  • 25. AB (A %verb% B) Target Supplier Attacker Target Afraid of (the insider) Relied on & Afraid of Afraid of Supplier Relied on - Afraid of Attacker Interested in Proxy through -
  • 26. Software Supply Chain While better defense mechanism is deployed, threat actor move their target to the weakest point of supply chain More complicated software -> more complicated supply chain We talk a lot about supply chain, so… What’s the supply chain of you daily used software?
  • 27. Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing In side your program, do you know where is every component come from? Every step here is possible to be compromised
  • 28. Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing Stack Overflow Considered Harmful?The Impact of Copy&Paste on Android Application Security(2015)
  • 29. Stack Overflow Source Code Library Code Text Book/Doc Copy Code compiler Version Control Static Library Linker Executables CI Release Site Update Dispatch Dynamic library Executables Loader Executing Malicious event-stream backdoor (2019) Ruby strong_password Backdoor (2019)
  • 34. APTs Utilize Supply Chain Attacks • While most organization gradually enhance their security, adversarial try to compromised the weakest point of partner/supply chain first. ASUS Shadow Hammer(2019) Discovered by Kaspersky ASUS Web Storage(2019) We discover this operation in the same time as ESET
  • 35. APTs Utilize Supply Chain Attacks • While most organization gradually enhance their security, adversarial try to compromised the weakest point of partner/supply chain first. SolarWinds Supply Chain Attack (2021)
  • 36. Highlight TTPs • Supply Chain Attack: Large number of enterprises are potential victims • Compromise DevOps: Keep Stealthy in Develop Environment • Sophiscated Malware: Separate the Malware’s Execution Path • Attacking the Cloud Service
  • 37. Attacking the Cloud Service • Lateral movement from on-premises networks to gain unauthorized access to the victim’s Microsoft 365 environment • Golden SAML Attack • Modify Trusted Domains • Hijack Azure AD Applications • Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365
  • 38. Mitigation • Threat Hunting for Malicious IoCs • FireEye’s Red Team Tool IoCs • SunBurst IoCs • CISA “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations” • Summary about the IoCs • https://shorturl.at/fxKTV
  • 39. Mitigation • Mandiant Azure AD Investigator • https://github.com/fireeye/Mandiant-Azure-AD-Investigator • CISA “Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services” • https://github.com/cisagov/Sparrow
  • 40. Lesson Learned • While being compromised is hard to avoid, proactive threat hunting and response to the incident. • Communicate and share with security community • Sophiscated APT attacks • Supply Chain Attack • Compromised DepOp Process • Laverage cloud service attacks • Supply chain security will still be the loophole for enterprises’ security • Using threat intelligence, e.g. PDNS, to help us understand threat actor’s targets • Cloud Services become a new attack vector for LM
  • 41. Q&A