Software Supply Chain
Attacks
Risk-Awareness Presentation, June 2021
(Brought to you by Tzahi Arabov, Elite Security Champion @ LogMeIn)
The SolarWinds Compromise
On Dec. 13, the cyber community became aware of one of the most
significant cybersecurity events of our time, impacting both commercial
and government organizations around the world.
The event was a supply chain attack on SolarWinds OrionⓇ software
conducted by suspected nation-state operators (discovered by
FireEye)
Events Timeline
While ‘SUNBURST’ activity was only identified in December 2020, analysis of campaign details and further analysis of SolarWinds software indicates the event may have started, at least in preparatory phases, over a year earlier:
SolarWinds Background
• A software company that primarily provides systems-management solutions used by IT network administrators and by Operations and Infrastructure teams
• Its most widely deployed product was Orion, a ‘Network Management System’ (NMS) used to monitor and manage servers, endpoints, network devices etc.
• SolarWinds Orion was used widely and globally, including within the US ‘Department of Defense’ (DoD)
• The attack was a supply-chain attack in which the adversary leveraged the software’s update mechanism. The compromise has been linked to the US ‘Treasury Department’ and FireEye compromises and was used to inject the ‘SUNBURST' malware / backdoor into the code
• When the SolarWinds Orion agent was in use, it interrogated systems for the status of their communication lines, which let admins take manual or automated actions with elevated credentials. Those credentials were typically configured by teams with no security or risk awareness in mind, which made them 'juicy' targets for attackers
NMS Are Prime Targets for Attackers
• NMS are able to communicate with all devices that are managed /
monitored
• The Orion agent can manually or automatically be used to run
commands such as Cisco shutdown / restart, by using the SNMP /
WMI protocols
• Many NMS are configured both to monitor events and to respond to them, meaning that any change the NMS can make, an attacker who controls it can make too – why have we given away so much power to these tools?
SolarWinds Digital Signature – A Piece of Software With A Backdoor
• The malware was deployed as an update from SolarWinds' own servers and was digitally signed with a valid certificate bearing SolarWinds' name (issued by Symantec), which strongly points to a supply chain attack
The SolarWinds Attack Framework
• Delayed Execution - The ‘SUNBURST' malware checks filesystem timestamps to ensure that the product has been deployed for a dormant period of 12-14 days prior to the current time before sending its first beacon
• Anti-Sandbox Behavior - Unless the infected device is joined to a domain, the malware will not execute
• DNS Resolution & IP Address Check - If the malware resolves a domain to a private IP address, the malware will not execute
• VMware - Command Injection Vulnerability (CVE-2020-4006) - exists in five VMware software products focused on identity and access management
• MS / SAML - The attackers have exfiltrated SAML token signing certificates that allow them to forge tokens and access any resources trusted by those certificates
• MFA Bypass - SAML token-forging attack; the attacker also targeted the “integration secret key” used to connect Cisco’s Duo Multi-Factor Authentication (MFA) solution to an Outlook Web Access server
Recommendations
• Security teams must first review the usage of NMS systems before they are put into use, and educate on risk awareness accordingly
• Implementing the ‘Security, Orchestration, Automation and Response’ (SOAR) framework should be considered
• To limit the ‘Attack Surface’, a 'Zero-Trust' network approach should be used (block access from the NMS to the internet and, if access is explicitly needed, limit the destinations)
• A ‘Threat-Modeling’ session should be performed on known risks, and the question that should be raised is: “Does the functionality that a service provides outweigh its risk, or vice versa?”
Initiate a ‘Threat Hunt' in your network:
• Always prioritize the 'Discovery Course of Action’ (looking backwards) over the 'Detection CoA’ (looking forward)
• The attackers are clearly ‘OPSec'-aware and will likely have changed any filesystem-based ‘Indicators of Compromise’ (IoCs); because the attacker performs counter-intelligence, IoCs that can be used for the ‘Discovery CoA’ are the most useful
• Attackers will be re-tooling, so do not expect to find specifics of the ‘SUNBURST’ malware
• FireEye noted that the malicious code did not overlap with other malware
• Other branded NMS services may likewise be configured by Operations / IT teams, who prioritize availability and may not have security in mind
• Security teams should run a ‘Threat Modeling' session on the access that a compromise of an NMS would provide
• Monitor for intrusions – log everything and more, alert on events and investigate accordingly
• Since supply chain compromises are extremely difficult to protect against, this highlights the need for security to be considered as part of the vendor selection process
• Supply chain security compromises extend to SaaS applications – your SaaS vendors do not have any magic process that makes it easier for them to detect such threats
• Supply chain attacks may influence the victims' IPO and due-diligence efforts
• State-backed attacks are financed by countries whose budgets are nowhere near the combined budget that private security firms have at their disposal – thus we must support the global security communities and share everything we know and may have suffered
Thanks to:
Jake Williams @ ‘Rendition Infosec’, (rsec.us), @MalwareJake
FireEye
PaloAlto Networks
Bleeping Computer
DomainTools
Open-Source Code Compromises
More than 90% of organizations now use open-source code (Gartner)
The means of obtaining the code have changed:
• In the past – Projects from RedHat, Apache, Intel, IBM etc.
• At present - Bitbucket, Github and Gitlab are widely-used to develop and share
code
• There is no responsible entity that reviews open-source code to confirm it is clean / non-malicious
• Application Security solutions are focused on detecting vulnerabilities, but they
do not detect attackers in code packages
The Official PHP Git server Was Targeted In An
Attempt To Inject Malware Within The Code Base
• The official PHP Git server was compromised in a potential attempt to plant malware in the code base of the PHP project
• PHP developer and maintainer Nikita Popov said that two malicious commits were added to the ‘php-src’ repository, in both his name and that of PHP creator Rasmus Lerdorf
• As noted by Bleeping Computer, the code appears to be designed to implant a backdoor and create a scenario in which ‘Remote Code Execution’ (RCE) may be possible
• The malicious commits, which appeared to be signed off under the names of Popov and Lerdorf (1,2), were disguised as fixes for simple typographical errors
• However, rather than escaping detection by appearing so benign, the "Fix typo" commits drew the attention of contributors who took a closer look and noticed malicious code that executed arbitrary code supplied in the ‘HTTP_USER_AGENT’ header if the string began with content related to ‘Zerodium’
Namespace Shadowing - Dependency Confusion
A 'White-Hat' (an ethical hacker) who broke into the Python Artifactory server (JFrog) for alerting purposes managed to guess a true dependency package name, then:
• Uploaded his own renamed package under the true, legitimate package name, with a version number higher than the legitimate package’s current version
• Managed to inject his dependency package into MS .NET, Apple, Tesla etc. – all that with no issues whatsoever on the true developers' side, even though they had the most modern security defense mechanisms in place
After being paid a 'Bug-Bounty', the ethical hacker disclosed the method to the payer and proved that his theory worked
Thanks to JFrog
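To make the mechanism concrete, here is an added example (not from the deck or from JFrog) that models how an installer which merges a private and a public index picks the highest version, and classifies internal package names by exposure; all package names, versions and the resolver model are constructed and simplified, not pip's actual algorithm.

```python
"""Dependency-confusion exposure check (added example; names, versions and
the resolver model are constructed, not any real installer's code)."""
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into a padded integer tuple; non-numeric parts count as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def resolve(name: str, private_index: Dict[str, str], public_index: Dict[str, str],
            merge_indexes: bool) -> Optional[Tuple[str, str]]:
    """Pick (source, version) for a package name.

    merge_indexes=True models an installer that treats the private and public
    indexes as one pool and takes the highest version: the behaviour the deck's
    incident relied on. False models the fix: an internal name is resolved only
    from the private index and the public index is never consulted for it."""
    private_ver = private_index.get(name)
    public_ver = public_index.get(name)
    if not merge_indexes:
        if private_ver is not None:
            return ("private", private_ver)
        return ("public", public_ver) if public_ver is not None else None
    candidates = []
    if private_ver is not None:
        candidates.append((parse_version(private_ver), 1, "private", private_ver))
    if public_ver is not None:
        candidates.append((parse_version(public_ver), 0, "public", public_ver))
    if not candidates:
        return None
    best = max(candidates)  # highest version wins; on an exact tie private (rank 1) wins
    return (best[2], best[3])


def exposure_report(private_index: Dict[str, str],
                    public_index: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each internal name:
    'unclaimed' - nobody holds the public name, so anyone could publish it
    'shadowed'  - a public package of the same name already wins under merging
    'ok'        - the private copy still wins (or versions are equal)"""
    report: Dict[str, List[str]] = {"unclaimed": [], "shadowed": [], "ok": []}
    for name in sorted(private_index):
        if name not in public_index:
            report["unclaimed"].append(name)
        elif resolve(name, private_index, public_index, merge_indexes=True)[0] == "public":
            report["shadowed"].append(name)
        else:
            report["ok"].append(name)
    return report


# Constructed sample indexes (not real packages).
PRIVATE_INDEX = {"acme-internal-auth": "1.4.2", "acme-telemetry": "0.9.0", "acme-billing-sdk": "2.1.0"}
PUBLIC_INDEX = {"acme-telemetry": "99.0.0", "acme-billing-sdk": "2.1.0", "some-public-lib": "3.2.1"}

if __name__ == "__main__":
    print(exposure_report(PRIVATE_INDEX, PUBLIC_INDEX))
    print(resolve("acme-telemetry", PRIVATE_INDEX, PUBLIC_INDEX, merge_indexes=True))
    print(resolve("acme-telemetry", PRIVATE_INDEX, PUBLIC_INDEX, merge_indexes=False))
```

An 'unclaimed' name is exactly the gap the researcher used; the remediation is to reserve the name on the public registry and to configure installers so that internal names never fall through to a public index.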
The Codecov Compromise - Hundreds of
Networks Reportedly Breached
A cyberattack against Codecov took place around January 31, 2021, and was only made public on April 15. The organization, which provides code coverage and testing tools, said that a 'threat actor' tampered with the Bash uploader script, thereby compromising the Codecov-actions uploader for GitHub, Codecov CircleCI Orb, and the Codecov Bitrise Step. This enabled attackers to export data contained in user continuous integration (CI) environments.
The company learned that for over two months, Codecov’s Bash Uploader scripts used by hundreds or thousands of their customers had been altered with a malicious line of code that exfiltrated information in the environment variables present on the users’ CI/CD environments to an attacker’s IP address.
Bash Uploader exfiltrated environment variables to attacker’s IP address
The flaw originated due to an error in the Docker image creation process, which, according to Codecov, “allowed the actor to extract the credential required to modify our Bash Uploader script.”
Codecov provides code coverage, testing, and stats to over 29,000 companies, and even has a handy GitHub app to integrate the tool right within your open-source software project.
The security advisory released by Codecov strongly advised users to reset all of their credentials, tokens, or keys that were present in the environment variables in their CI processes that used Codecov uploaders.
Hundreds of clients were potentially impacted, and now Rapid7 has confirmed they were one of them.
Rapid7 says the Bash uploader was used in a limited fashion, as it was only set up on a single CI server used to test and build tooling internally for the Managed Detection and Response (MDR) service.
As such, the attacker was kept away from their product code, but they were able to access a "small subset of source code repositories" for MDR, internal credentials -- all of which have now been rotated -- and alert-related data for some MDR customers.
Although the initial compromise seemed limited to Codecov’s Bash Uploader, the scope of this breach was found to have expanded well beyond just that, when U.S. federal investigators hinted at hundreds of client networks having been breached by hackers as they managed to collect customer credentials using the tainted Bash Uploader tool.
HashiCorp disclosed that their GPG private key used to sign and validate software packages had been exposed as a result of this incident.
NPM Package – “Discord.dll”
“Discord.dll”: Successor to NPM "fallguys" malware went undetected for 5 months
The 'Sonatype Security Research' team has identified a series of counterfeit components in the NPM ecosystem:
• A "fallguys" group attacker wrote a malicious Python library and used the Discord gaming community's chat platform to steal SSH keys
• Such intentionally malicious packages seem to be doing similar, shady things to the malicious "fallguys" NPM package discovered in September 2020 (stolen web browser files and Discord gaming chats)
• The new packages in question were published by the same NPM author, whose NPM account also contained what looked like legitimate packages with genuine use cases
Infected Discord files: Discord.dll, Discord.app etc.
The attacker collected sensitive data and then sent it to the attackers via the Discord platform
Thanks to Sonatype Security
The Octopus Scanner
• Targeted Java developers
• Infects the development environment
• Injects itself into compiled software
The malicious code takes over the ‘clean’ developer's environment. Any additional code the developer creates afterwards gets injected with the same malicious code.
• As a dependency contributor, your infected code gets unwillingly and unknowingly spread to the masses
Thanks to Security Lab
North Korea Targeting Security Researchers
North Korea has decided the best way to reach its favorite targets is to gain access to the software supply chain.
• Several cyber security researchers were manipulated into assisting North Korean cyber security researchers.
• Selected code belonging to the ‘good guys’ was poisoned, which allowed access to their computers, their code, their secrets and zero-day information.
NPM Package – "event-stream"
• A user named '@right9ctrl' asked for and was eventually granted permissions
• He added a new dependency to the project
• The new dependency contained malicious code
A well-known NPM package, 'event-stream@3.3.6', which was no longer maintained by its initial contributor, was handed over to another contributor:
• The offending contributor intentionally added a piece of code that scanned and parsed the host computer's clipboard contents, trying to locate Bitcoin wallet addresses.
When it was discovered, the original contributor denied any ties to the code's history and added that whoever decided to use the code should blame themselves.
Supply Chain Attacks Are Difficult To Detect With Current Code Security Solutions
• Current security systems are designed to detect bugs that lead to vulnerabilities
• They are based on static analysis, which is ineffective at detecting malicious behavior
• Longer mean time to detect (MTTD) – due to manual research
Current Available Solutions and Work-In-
Progress
The US President has recently signed a presidential act dealing with the software supply chain subject - the 'Software Bill of Materials' (which has already existed for some time), which would lead to transparency and order:
• Who the code supplier is, and details about its reputation history
• The code's history and the processes it has gone through so far
• How the code was reviewed / which libraries, classes etc. are used
US organizations are pushing this new initiative forward heavily, as most of their critical systems are vulnerable to supply chain attacks.
Detecting Supply-Chain Attacks In Code Packages
• A Platform for Code Packages Behavioral Analysis & Detection of
Open-source Software Supply-Chain Attacks
Thanks to Tzachi Zorn, Co-Founder & CEO @ ‘Dustico’
Dustico - https://dusti.co/
‘SLSA’ - A Mitigation Solution by Google
SLSA (pronounced "salsa") is an End-to-End Framework for Supply Chain Integrity:
The proposed solution is ‘Supply chain Levels for Software Artifacts’ (SLSA), an end-to-end
framework for ensuring the integrity of software artifacts throughout the software supply
chain:
• It is inspired by Google’s internal “Binary Authorization for Borg” which has been in use
for the past 8+ years and is mandatory for all of Google's production workloads
• The goal of SLSA is to improve the state of the industry, particularly open source, to
defend against the most pressing integrity threats
• With SLSA, consumers can make informed choices about the security posture of the
software they consume
How SLSA Might Help
SLSA helps to protect against common supply chain attacks. The following table illustrates a typical software supply chain and includes examples of attacks that can occur at every link in the chain. Each type of attack has occurred over the past several years and, unfortunately, is becoming more frequent as time goes on:
Threat / Known example / How SLSA could have helped
A. Submit bad code to the source repository
   Known example: Linux hypocrite commits: Researcher attempted to intentionally introduce vulnerabilities into the Linux kernel via patches on the mailing list.
   How SLSA could have helped: Two-person review caught most, but not all, of the vulnerabilities.
B. Compromise source control platform
   Known example: PHP: Attacker compromised PHP’s self-hosted git server and injected two malicious commits.
   How SLSA could have helped: A better-protected source code platform would have been a much harder target for the attackers.
C. Build with official process but from code not matching source control
   Known example: Webmin: Attacker modified the build infrastructure to use source files not matching source control.
   How SLSA could have helped: A SLSA-compliant build server would have produced provenance identifying the actual sources used, allowing consumers to detect such tampering.
D. Compromise build platform
   Known example: SolarWinds: Attacker compromised the build platform and installed an implant that injected malicious behavior during each build.
   How SLSA could have helped: Higher SLSA levels require stronger security controls for the build platform, making it more difficult to compromise and gain persistence.
E. Use bad dependency (i.e. A-H, recursively)
   Known example: event-stream: Attacker added an innocuous dependency and then updated the dependency to add malicious behavior. The update did not match the code submitted to GitHub (i.e. attack F).
   How SLSA could have helped: Applying SLSA recursively to all dependencies would have prevented this particular vector, because the provenance would have indicated that it either wasn’t built from a proper builder or that the source did not come from GitHub.
F. Upload an artifact that was not built by the CI/CD system
   Known example: CodeCov: Attacker used leaked credentials to upload a malicious artifact to a GCS bucket, from which users download directly.
   How SLSA could have helped: Provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo.
G. Compromise package repository
   Known example: Attacks on Package Mirrors: Researcher ran mirrors for several popular package repositories, which could have been used to serve malicious packages.
   How SLSA could have helped: Similar to above (F), provenance of the malicious artifacts would have shown that they were not built as expected or from the expected source repo.
H. Trick consumer into using bad package
   Known example: Browserify typosquatting: Attacker uploaded a malicious package with a similar name as the original.
   How SLSA could have helped: SLSA does not directly address this threat, but provenance linking back to source control can enable and enhance other solutions.
SLSA URL:
https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html
SLSA is a practical framework for end-to-end software supply chain
integrity, based on a model proven to work at scale in one of the
world’s largest software engineering organizations. Achieving the
highest level of SLSA for most projects may be difficult, but incremental
improvements recognized by lower SLSA levels will already go a long
way toward improving the security of the open-source ecosystem.
Thanks to Patrick Mathieu, Sr. Manager, Offensive Security @ LogMeIn
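To show what "provenance would have shown" means in practice, here is an added example (not SLSA's or Google's code) that verifies a signed provenance record against an artifact and maps each failure back to the rows of the table above. The record shape is a simplified stand-in for the SLSA provenance predicate, the HMAC stands in for the builder's real signature, and all URIs, keys and bytes are constructed.

```python
"""Simplified provenance verification in the spirit of SLSA (added example;
the record shape, key, URIs and artifact bytes are all constructed)."""
import hashlib
import hmac
import json
from typing import Dict, List

# Assumed consumer policy: which builder and which source repo we accept.
TRUSTED_BUILDERS = {"https://ci.example.invalid/builders/release-v1"}
EXPECTED_SOURCE = "git+https://github.com/example-org/example-app"
BUILDER_KEY = b"constructed-builder-signing-key"  # stand-in for the builder's signing key


def _canonical(payload: Dict) -> bytes:
    """Deterministic encoding so the signature covers exactly one byte string."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def make_envelope(payload: Dict, key: bytes) -> Dict:
    """What the build platform would emit: the payload plus a signature over it."""
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_provenance(artifact: bytes, envelope: Dict, key: bytes = BUILDER_KEY,
                      trusted_builders=TRUSTED_BUILDERS,
                      expected_source: str = EXPECTED_SOURCE) -> List[str]:
    """Return finding codes; an empty list means the artifact is accepted.
    bad-signature     -> provenance was not attested by the build platform
    digest-mismatch   -> artifact is not the one the build produced (rows F, G)
    untrusted-builder -> not built by the expected CI/CD platform (rows D, E, F)
    unexpected-source -> built from code not matching source control (rows C, E)"""
    findings: List[str] = []
    payload = envelope.get("payload", {})
    expected_sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, envelope.get("signature", "")):
        findings.append("bad-signature")
        return findings  # nothing in an unattested payload can be relied on
    if payload.get("subject_sha256") != hashlib.sha256(artifact).hexdigest():
        findings.append("digest-mismatch")
    if payload.get("builder_id") not in trusted_builders:
        findings.append("untrusted-builder")
    if payload.get("source_uri") != expected_source:
        findings.append("unexpected-source")
    return findings


# Constructed artifact and the provenance its (hypothetical) builder signed.
GOOD_ARTIFACT = b"example-app 1.0.0 release tarball (constructed bytes)"
GOOD_ENVELOPE = make_envelope({
    "subject_name": "example-app-1.0.0.tar.gz",
    "subject_sha256": hashlib.sha256(GOOD_ARTIFACT).hexdigest(),
    "builder_id": "https://ci.example.invalid/builders/release-v1",
    "source_uri": EXPECTED_SOURCE,
    "source_commit": "0000000000000000000000000000000000000000",  # placeholder commit id
}, BUILDER_KEY)


def demo() -> Dict[str, List[str]]:
    """Run the check on the genuine artifact and on three tampering scenarios."""
    # Row F/G: someone replaced the artifact after the build (provenance unchanged).
    swapped = b"example-app 1.0.0 with an extra line added after the build"
    # Row D/F: a record signed for a build that ran on an unapproved builder.
    other_builder = make_envelope(
        {**GOOD_ENVELOPE["payload"], "builder_id": "https://laptop.example.invalid"}, BUILDER_KEY)
    # Row C/E: someone edited the source claim without being able to re-sign.
    forged = {**GOOD_ENVELOPE, "payload": {**GOOD_ENVELOPE["payload"],
                                           "source_uri": "git+https://github.com/someone-else/fork"}}
    return {
        "genuine": verify_provenance(GOOD_ARTIFACT, GOOD_ENVELOPE),
        "artifact-swapped": verify_provenance(swapped, GOOD_ENVELOPE),
        "built-elsewhere": verify_provenance(GOOD_ARTIFACT, other_builder),
        "payload-edited": verify_provenance(GOOD_ARTIFACT, forged),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'accepted'}")
```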
Additional Security-Related ”Don’t Say You
Were Not Warned...”
• 80% of companies that pay a Ransomware ransom are exploited again - with about 1/2 of them believing it was the same group in the subsequent attack. Is that enough proof that paying a ransom is not a good strategy? If your security controls weren't good enough to stop the ransomware, they definitely aren't good enough to detect a rootkit - https://www.zdnet.com/article/most-firms-face-second-ransomware-attack-after-paying-off-first/#ftag=RSSbaffb68
Thanks to Michael Fischer, Sr. Manager, Product Security @ LogMeIn
7 Cybersecurity Breaches In 2020 & How They
Could Have Been Prevented
1. SolarWinds: Third Party Infiltration (covered above)
2. Portnox: Network Penetration
3. Pulse Secure: VPN Vulnerabilities
4. Marriott: Fraudulent Login from Stolen Details
5. Cisco: Disgruntled Former Employee
6. University of California: Ransomware
7. UN Maritime Agency: Possible Watering Hole Attack
URL: https://cyolo.io/blog/7-data-cybersecurity-breaches-in-2020-how-they-could-have-been-prevented/
And Last, But Not Least – Shirbit Insurance
Israel Shaken By Data Leak After Ransomware Attack At ‘Shirbit Insurance’ Company:
• Hackers leak screenshot of negotiation with breached insurance giant
• Israeli government reportedly reconsidering relationship with insurance firm following security breach
A hacking gang calling itself Black Shadow has demanded that a giant insurance firm pay a US $3.8 million ransom after encrypting and stealing sensitive data and documents about its clients.
Customers of the victim, Israel’s Shirbit insurance company, have been advised to consider obtaining new identity cards and driving licenses due to the risk of identity theft after the hackers released a third wave of stolen data this past weekend.
Leaked data has included scans of identity cards, marriage certificates, and financial and medical documents.
URL: https://hotforsecurity.bitdefender.com/blog/israel-shaken-by-data-leak-after-ransomware-attack-at-shirbit-insurance-company-24786.html
Q&A
Thank You !
Tzahi Arabov, Elite Security Champion @ LogMeIn
arabov@outlook.com
https://www.linkedin.com/in/arabov
Appendix
TL/DR:
Incidents In Detail
The SolarWinds Compromise
On Dec. 13, the cyber community became aware of one of the most significant cybersecurity events of our time, impacting both commercial and government organizations around the world. The event was a supply chain attack on SolarWinds OrionⓇ software conducted by suspected nation-state operators (discovered by FireEye):
• SolarWinds has mentioned that a vulnerability which existed until the March-June 2020 timeframe was leveraged to take advantage of their 'Orion' software product
• Evidence exists that shows the attackers’ ‘Command and Control’ (C2) infrastructure was set up as early as August 2019. The first modified SolarWinds software was released in October 2019, and the earliest related Cobalt Strike payload identified was generated using Cobalt Strike 4.0, which was built in December 2019
More On NMS
• Even when NMS are configured to only monitor (read-only), the credentials used would still offer
some level of access to an attacker (read configurations, list processes etc.)
• An attacker who compromises an NMS could usually reshape network traffic for man-in-the-middle (MitM) / person-in-the-middle / monkey-in-the-middle opportunities, and might then use the credentials used for system monitoring to move laterally to target systems (if the Orion NMS agent is domain-joined, other service accounts that exist there might allow an attacker to leverage them and move laterally within the environment)
The SolarWinds Attack Framework– Delayed Execution
• The ‘SUNBURST' malware checks the filesystem timestamps to ensure that the product has been deployed for a dormant period of 12-14 days prior to the current time before it sends its first beacon:
• The sample would only execute if the filesystem write time of the assembly is at least 12-14 days prior to the current time (the exact threshold is selected randomly from an interval)
• The sample continues to check the time threshold, as it is run by a legitimate recurring background task
• Once the threshold is met, the sample creates a ‘named pipe’ to act as a guard that only one instance is running, before reading the file 'SolarWinds.Orion.Core.BusinessLayer.dll.config' from disk and retrieving the XML field 'appSettings’
• The 'appSettings' field's keys are legitimate values that the malicious logic re-purposes as a persistent configuration
• The key 'ReportWatcherRetry' must be any value other than ‘3’ for the sample to continue execution
This delayed execution effectively defeats the counter-measure of using malware sandboxes and other instrumented environments to detect it – in this case, even if a staging environment had been used to test the infected update prior to its deployment, to make certain that malicious activity would be caught, the update would leave the sandbox environment and be rolled out (to some 18,000 customers) in much less than 12 days.
The SolarWinds Attack Framework– Anti-Sandbox Behavior
According to FireEye, unless the infected device is joined to a domain, the malware will not execute:
• The sample checks that the machine is domain-joined, then retrieves the domain name before execution continues
• A 'userID' is generated by computing the MD5 of all network interface MAC addresses that are up and not loopback devices, the domain name, and the registry value 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid’
• The 'userID' is encoded via a custom XOR scheme after the MD5 is calculated
• The 'ReportWatcherPostpone' key of 'appSettings' is then read from ‘SolarWinds.Orion.Core.BusinessLayer.dll.config' to retrieve the initial, legitimate value
• This operation is performed because the sample later bit-packs flags into this field, and the initial value must be known in order to read out the bit flags
• The sample then invokes the method 'Update', which is the core event loop of the sample
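A hunting check built on the two appSettings keys named in the delayed-execution and anti-sandbox descriptions above, added here as an example (not from the deck, FireEye or SolarWinds): it parses the .dll.config, compares it with a known-good baseline captured before the affected update, and flags the 'ReportWatcherRetry' state in which the sample is said to continue executing; the config contents are constructed, not real Orion defaults.

```python
"""Hunting check for the two Orion appSettings keys the deck says SUNBURST
re-purposes as persistent configuration. Added example; the .config samples
below are constructed and are not real SolarWinds Orion defaults."""
import xml.etree.ElementTree as ET
from typing import Dict, List

RETRY_KEY = "ReportWatcherRetry"        # per the deck: sample continues only while value != '3'
POSTPONE_KEY = "ReportWatcherPostpone"  # per the deck: initial value later overwritten with bit-packed flags
RETRY_STOP_VALUE = "3"


def read_app_settings(config_xml: str) -> Dict[str, str]:
    """Return the <add key= value=> pairs under <appSettings> of a .NET .config document."""
    root = ET.fromstring(config_xml)
    app = root.find("appSettings")
    if app is None:
        return {}
    settings: Dict[str, str] = {}
    for add in app.findall("add"):
        key = add.get("key")
        if key:
            settings[key] = add.get("value", "")
    return settings


def assess_config(config_xml: str, baseline_xml: str) -> Dict[str, object]:
    """Compare a host's current .config with a known-good baseline (for example
    the file as shipped before the affected update) and report the deck's indicators."""
    current = read_app_settings(config_xml)
    baseline = read_app_settings(baseline_xml)
    retry = current.get(RETRY_KEY)
    changed: List[str] = sorted(
        k for k in set(current) | set(baseline) if current.get(k) != baseline.get(k)
    )
    return {
        "retry_value": retry,
        # Any value other than '3' is the state in which the deck says execution continues.
        "retry_allows_execution": retry is not None and retry != RETRY_STOP_VALUE,
        # A changed postpone value is consistent with flags having been bit-packed into it.
        "postpone_changed": current.get(POSTPONE_KEY) != baseline.get(POSTPONE_KEY),
        "changed_keys": changed,
    }


# Constructed baseline: values chosen for the example only.
BASELINE_CONFIG = """<configuration>
  <appSettings>
    <add key="ReportWatcherRetry" value="3" />
    <add key="ReportWatcherPostpone" value="0" />
    <add key="SomeOtherSetting" value="unchanged" />
  </appSettings>
</configuration>"""

# Constructed 'suspicious' copy: retry moved off '3', postpone overwritten.
SUSPICIOUS_CONFIG = BASELINE_CONFIG.replace(
    'key="ReportWatcherRetry" value="3"', 'key="ReportWatcherRetry" value="4"'
).replace('key="ReportWatcherPostpone" value="0"', 'key="ReportWatcherPostpone" value="73"')


if __name__ == "__main__":
    for label, cfg in (("baseline", BASELINE_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(label, assess_config(cfg, BASELINE_CONFIG))
```

Both keys are legitimate Orion settings, so a hit is a lead to confirm against the host's DLL (hash and signature), not proof of compromise on its own.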
The SolarWinds Attack Framework – VMware:
The ‘National Security Agency’ (NSA) released an advisory about CVE-2020-4006, a command injection vulnerability, stating that Russian state-sponsored actors were actively exploiting the vulnerability and suggesting US Government agencies patch immediately. This vulnerability exists in five VMware software products focused on identity and access management. Exploitation allows attackers to deploy a ‘web shell’ on the system and gain access to protected data. This vulnerability can only be exploited by someone who has already authenticated to the system, which indicates that when leveraged, it is likely used to gain additional access once the attacker is already inside the network. More information about CVE-2020-4006 can be found in the previously released Threat Brief: VMware Command Injection Vulnerability
The SolarWinds Attack Framework - Microsoft / SAML:
Microsoft has published multiple reports on activity related to this attack campaign, including a summary of the backdoor implanted into SolarWinds OrionⓇ (referred to by Microsoft as ‘Solorigate’), as well as guidance for their customers on protecting themselves. They have publicly stated they are working with more than 40 companies who have been targeted in this attack
• One specific component of the attack that Microsoft has discussed in detail is what they have observed in compromised networks with regard to identity infrastructure. Specifically, the attackers have exfiltrated SAML token signing certificates that allow them to forge tokens and access any resources trusted by those certificates. Microsoft has observed these forged tokens presented to the Microsoft cloud on behalf of their customers
• The impact of a compromise of these certificates implies the attacker gained the highest level of privileges inside the network and used them to establish long-term access to the network
The SolarWinds Attack Framework - SUPERNOVA Web Shell:
FireEye’s initial report on the SolarWinds compromise included indicators for a
‘web shell’ they call SUPERNOVA. FireEye has removed those indicators as they no
longer believe they were used as a result of the SolarWinds software compromise.
This ‘web shell’ may not be related, but it is still vital to defend against it
The SolarWinds Attack Framework - MFA Bypass:
The SAML token-forging attack described above would allow an attacker to evade multi-factor authentication systems, as in that case the authentication system itself is compromised. Volexity published a report about a threat group named Dark Halo who they have now connected to the SolarWinds compromise. Their report describes that the attacker targeted the “integration secret key” used to connect Cisco’s Duo Multi-Factor Authentication (MFA) solution to an Outlook Web Access server. With that key, they were able to pre-compute the token codes necessary for authentication
Similar to the SAML token-forging attack, this MFA bypass requires a significant compromise of the systems used to authenticate users and would have been performed post-compromise to extend the attacker’s access to the network
Open Source Code Attacks - Official PHP Server Targeted:
On the PHP Git server, an attacker group managed to gain access and added malicious code which caused any PHP server from a specific version number onwards to run the malicious code that followed the word "zerodium". Basically, the code checked whether the HTTP request included the header "HTTP_USER_AGENT" and whether it began with the word "zerodium". If so, it would run the rest of the string as PHP code. Eventually, the malicious code was discovered by chance and was removed. However, in the eyes of infosec teams such code might seem normal, and the fact that the malicious code or a part of it was removed does not mean a full-scale attack was over. We cannot assume that other programming languages were not affected as well. Attackers never stop once their attack has been stopped.
Additional Past Supply Chain Attacks
• September 2015 – XcodeGhost: An attacker distributed a version of Apple’s Xcode software (used to build iOS and macOS applications) which injected additional code into iOS apps built using it. This attack resulted in thousands of compromised apps identified in Apple’s app store
• March 2016 – KeRanger: The popular open source BitTorrent client Transmission was compromised to include macOS ransomware in its installer. Attackers compromised the legitimate servers used to distribute Transmission, so users who downloaded and installed the program would be infected with malware that held their files for ransom
• June 2017 – NotPetya: Attackers compromised a Ukrainian software company and distributed a destructive payload with network-worm capabilities through an update to the “MeDoc” financial software. After infecting systems using the software, the malware spread to other hosts in the network and caused a worldwide disruption affecting many organizations
• September 2017 – CCleaner: Attackers compromised Avast’s CCleaner tool, used by millions to help keep their PC working properly. The compromise was used to target large technology and telecommunications companies worldwide with a second-stage payload
• In September 2019, attackers again likely targeted Avast’s CCleaner tool after gaining access to Avast’s network through a temporary VPN profile. It is not clear whether or not the same operators from 2017 were involved in this incident
In each case, including the recent SolarWinds compromise, rather than targeting an organization directly through phishing or exploitation of vulnerabilities, the attackers chose to compromise software developers directly and use the trust we place in them to access other networks. This can effectively evade certain prevention and detection controls that have been tuned to trust well-known programs
This pattern of software supply chain compromises will continue, and security teams cannot afford to ignore them. Protecting against these attacks is not simple for any enterprise, and those who are responsible for writing and deploying software need to take responsibility for the integrity of that code

Software Supply Chain Attacks (June 2021)

  • 1. Software Supply Chain Attacks Risk-Awareness Presentation,June 2021 (Brought to you by Tzahi Arabov, Elite Security Champion @ LogMeIn)
  • 2. The SolarWinds Compromise On Dec. 13, the cyber community became aware of one of the most significant cybersecurity events of our time, impacting both commercial and government organizations around the world. The event was a supply chain attack on SolarWinds OrionⓇ software conducted by suspected nation-state operators (discovered by FireEye)
  • 3. Events Timeline While ‘SUNBURST’ activity was only identified in December 2020, analysis of campaign details and further analysis of SolarWinds software indicates the event may have started,at least in preparatory phases, over a year prior:
  • 4. SolarWinds Background • A software company that primarily deals with systems management solutions used by IT Network admins, Operations and Infrastructure teams • The most widely deployed SolarWinds product used to be Orion, a ‘Network Management System’ (NMS), which used to monitor and manage servers, endpoints, network devices etc. • SolarWinds Orion was utilized widely and globally, as high as within the US ‘Department of Defense’ (DoD)
  • 5. • The attack was a supply-chain based attack, in which an adversary has leveraged the software’s update mechanism. The compromise has been linked to the US ‘Treasury Department’ and the FireEye compromises and was used to inject the ‘SUNBURST' malware / backdoor into the code • When the SolarWinds Orion agent was used, it interrogated systems for communication lines status, which let admins take manual or automated actions with elevated credentials, that were configured by teams with no security or risk-awareness in mind. As such, those were considered 'juicy' targets for hackers
  • 6.
  • 7. NMS Are Prime Targets for Attackers • NMS are able to communicate with all devices that are managed / monitored • The Orion agent can manually or automatically be used to run commands such as Cisco shutdown / restart, by using the SNMP / WMI protocols • Many NMS are configured to both monitor events and respond to them, meaning that any changes the NMS can make, attackers can too – why have we given away so much power to these tools
  • 8. SolarWinds Digital Signature – A Piece of Software With A Backdoor • The malware was deployed as an update from SolarWinds' own servers and was digitally-signed by a valid digital certificate bearing their name (issued by Symantec), which strongly points to a supply chain attack
  • 9. The SolarWinds Attack Framework • Delayed Execution - The ‘SUNBURST' malware checks the filesystem timestamps to ensure that the product has been deployedfor a dormant period of 12-14 daysprior to the current time, before sending its first beacon • An Anti-Sandbox Behavior - Unless the infected device is joined to a domain,the malware will not execute • DNS Resolution& IP AddressCheck - If the malware resolves a domainto a private IP address, the malware will not execute • VMware - Command Injection Vulnerability (CVE-2020-4006) - exists in five VMware software products focused on identityand access management • MS / SAML - The attackershave exfiltratedSAML token signing certificates that allow them to forge tokens and access any resources trusted by those certificates • MFA Bypass - SAML token-forging attack, attacker targeted the “integrationsecret key” used to connect Cisco’s Duo Multi-FactorAuthentication (MFA)solutionto an Outlook Web Access server
  • 10. Recommendations • Security teams must first review the usage of NMS systems, prior to their usage and educate on risk-awareness accordingly • Implementation of the ‘Security, Orchestration, Automation and Response’ (SOAR) framework should be considered • To limit the ‘Attack Surface’, A 'Zero-Trust' network approach should be used (block access from the NMS to the internet and if explicitly needed, limit the destinations) • A ‘Threat-Modeling’ session should be performed on known risks and the question that should be raised is: “Whether the functionality that would come out of a service, outweighs the risk, or vice versa”
  • 11. Initiate a ‘Threat Hunt' in your network: • Always prioritize the 'Discovery Coarse of Action’ looking backwards over the 'Detection CoA’, looking forward • The attackers are clearly ‘OPSec'-aware and will likely have changed any filesystem-based ‘Indicators of Compromise’ (IoCs), because the attacker is performing counter-intelligence, IoCs that can be used for the ‘Discovery CoA’ are most useful • Attackers will be re-tooling, so do not anticipate finding specifics for the ‘SUNBURST’ malware
  • 12. • FireEye noted that the malicious code did not overlap with other malware • Other branded NMS services may as well be configured by Operations / IT teams, which are prioritized for availability and may lack Security in mind • Security teams would do a ‘Threat Modeling' session for the access that a compromise to an NMS would provide • Monitor for intrusions – log everything and more, alert on events and investigate accordingly
  • 13. • Since supplychain compromises are extremelydifficult to protect against,it highlights the need to for security to be considered as part of the vendorselection process • Supplychain security compromises extend to SaaSapplications – your SaaSvendors do not haveany magic process that make it easier for them to detect such threats • Supplychain attacks mayinfluence the victims' IPO and due-diligence efforts • State-backed attacks are financed bycountries,which budgets are nowhere near the amount ofbudget private securityfirms have at their disposals,combined – thus we must support the global securitycommunities and share everythingwe know and may have suffered Thanks to: Jake Williams @ ‘Rendition Infosec’, (rsec.us), @MalwareJake FireEye PaloAlto Networks Bleeping Computer DomainTools
  • 14. Open-Source Code Compromises More than 90% of organizations utilize open-source code lately (Gartner) The means of obtaining the code have changed: • In the past – Projects from RedHat, Apache, Intel, IBM etc. • At present - Bitbucket, Github and Gitlab are widely-used to develop and share code • There is no responsible entity to review the open-source code to confirm if it is clean / non-malicious • Application Security solutions are focused on detecting vulnerabilities, but they do not detect attackers in code packages
  • 15. The Official PHP Git server Was Targeted In An Attempt To Inject Malware Within The Code Base • The official PHP Git server has been compromised in a potential attempt to plant malware in the code base of the PHP project • The PHP programming language developer and maintainer Nikita Popov said that two malicious commits were added to the ‘php-src’ repository in both his name and that of PHP creator Rasmus Lerdorf • As noted by Bleeping Computer, the code appears to be designed to implant a backdoor and create a scenario in which ‘Remote Code Execution’ (RCE) may be possible
  • 16. • The malicious commits, which appeared to be signed off under the names of Popov and Lerdorf (1,2),were masked as simple typographical errors that needed to be resolved • However, instead of escaping detection by appearing so benign, contributors that took a closer look at the "Fix typo" commits noted malicious code that triggered arbitrary code within the header ‘HTTP_USER_AGENT’ if a string began with content related to ‘Zerodium’
  • 17. Namespace Shadowing - Dependency Confusion A 'White-Hat' (an ethical hacker), who breached into the Python Artifactory server (JFrog) for alerting purposes and has managed to guess a true dependency package name, then: • Uploaded his own renamed package, using the true legitimate package name, with a higher version number that follow, than the legitimate package’s initial version • He managed to inject his dependency package into MS .NET, Apple, Tesla etc. – all that, with no issues whatsoever on the true developers' side and having the most modern security defense mechanisms After paying the ethical hacker for a 'Bug-Bounty', he admitted to the payer and proved that his own theory worked
  • 19. The Codecov Compromise - Hundreds of Networks Reportedly Breached A cyberattackagainstCodecovtookplace aroundJanuary 31, 2021, and wasonlymade publiconApril 15. The organization, whichprovidescode coverageandtestingtools, saidthat a 'threat actor' tamperedwiththe Bashuploaderscript,therebycompromisingthe Codecov-actionsuploaderforGitHub, Codecov CircleCl Orb, andthe CodecovBitriseStep. Thisenabledattackerstoexportdatacontainedinusercontinuousintegration(CI) environments. The companylearned,thatforovertwo months, Codecov’sBashUploaderscriptsusedbyhundredsorthousandsof theircustomershadbeenalteredwithamaliciousline of code that exfiltratedinformationinthe environmentvariablespresentonthe users’CI/CDenvironmentstoanattacker’sIPaddress. Bash Uploaderexfiltratedenvironmentvariablestoattacker’sIPaddress The flaw originateddue toanerror inthe Docker image creationprocess,which, accordingtoCodecov,“allowedthe actortoextractthe credential requiredtomodifyourBash Uploaderscript.” Codecovprovidescode coverage, testing, andstatstoover29,000 companies, andevenhasahandyGitHub appto integrate the tool rightwithinyouropen-source software project. The securityadvisoryreleasedbyCodecov stronglyadviseduserstoresetall of theircredentials, tokens, orkeysthatwere presentinthe environmentvariablesintheirCIprocesses that usedCodecov uploaders Hundredsof clientswere potentiallyimpacted,andnow, Rapid7hasconfirmedtheywereone of them. Rapid7says the Bash uploaderwasusedinalimitedfashionasitwasonlysetupon a single CIserverusedtotestand buildtoolinginternallyforthe ManagedDetectionand Response (MDR) service. Assuch, the attackerwas keptawayfromtheirproductcode, buttheywere able toaccess a "small subsetof source code repositories" forMDR, internal credentials-- all of which have now beenrotated-- andalert-relateddataforsome MDR customers.
  • 20. Click to add text Although the initial compromise seemed limited to Codecov’s Bash Uploader, the scope of this breach was found to have expanded well beyond just that, when U.S. federal investigators hinted at hundredsof client networks having been breached by hackers as they managed to collect customer credentialsusing the taintedBash Uploader tool. HashiCorp disclosed that their GPG private key used to sign and validate software packages had been exposed as a result of this incident.
  • 21. NPM Package – “Discord.dll” “Discord.dll”: Successor to NPM "fallguys" malware went undetected for 5 months 'SonaType Security Research' team has identified a series of counterfeit components in the NPM ecosystem: • A "fallguys" group attacker has written a malicious Python library and has used the Discord gaming community's chat platform to steal SSH keys • Such intentionally malicious packages seem to be doing similar, shady things to the malicious "fallguys" NPM package discovered in September 2020 (stolen web browser files and Discord gaming chats) • The new packages in question were published by the same NPM author, whose NPM account also contained what looked like legitimate packages with genuine use cases
  • 22. Infected Discord files: • Discord.dll, Discord.app etc. The attackercollected sensitive data then sent the data to the attackers via the Discord platform Thanks to Sonatype Security
  • 23. The Octopus Scanner • Targeted Java developers • Infects the development environment • Injects itself into complied software
  • 24. The maliciouscode takes over the ‘clean’ developer'senvironment.Any additionalcode the developer creates afterwards, gets injected with the same maliciouscode. • As a dependencycontributor – yourinfected code gets unwillingly andunknowinglywidespreadto the masses Thanks to Security Lab
  • 25. North Korea Targeting Security Researchers North Korea has decided the best way to reach her favorite targets is to gain access to software supply chain. • Several cyber security researchers were manipulated to assist the North Korean cyber security researchers. • Selected code that belongs to the ‘good guys’ was poisoned and has allowed access to their computers, their code, their secrets and zero- day information.
  • 26. NPM Package – "event-stream" • A user named '@right9ctrl' has asked and eventually was granted permissions • He added a new dependency to the project • The new dependency contained malicious code A known NPM package named 'event-stream@3.3.6', which was not maintained by its initial contributor any longer, was handed over to another contributor: • The offender contributor intentionally added a piece of code that scanned and parsed the host computer's clipboard contents, trying to locate Bitcoin wallet addresses. When it was discovered, the first contributor has denied any ties to the code's history progress. He added that whoever decided to use the code, should be blaming themselves.
  • 27. Supply Chain Attacks Are Difficult To Be Detected By Current Code Security Solutions • The current security systems are designed to detect bugs that lead to vulnerabilities • They are based on static analysis – ineffective in the detection of malicious behavior • Longer mean time to detect (MTTD) – due to manual research
  • 28. Current Available Solutions and Work-In- Progress The US President has recently signed a presidential act that would deal with the software supply chain subject - 'Software Bill of Material' (which already exists for some time), that would lead to transparency and order: • Who is the code supplier and details about his reputation history • The code history and processes it went through so far • How was the code reviewed / what are the used libraries, classes etc. US organizations heavily push forward to this new initiative, as most of their critical systems are vulnerable to supply chain attacks.
  • 29. Detecting Supply-Chain Attacks In Code Packages • A Platform for Code Packages Behavioral Analysis & Detection of Open-source Software Supply-Chain Attacks Thanks to Tzachi Zorn, Co-Founder & CEO @ ‘Dustico’ Dustico - https://dusti.co/
  • 30. ‘SLSA’ - A Mitigation Solution by Google SLSA (pronounced "salsa") is an End-to-End Framework for Supply Chain Integrity: The proposed solution is ‘Supply chain Levels for Software Artifacts’ (SLSA), an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain: • It is inspired by Google’s internal “Binary Authorization for Borg” which has been in use for the past 8+ years and is mandatory for all of Google's production workloads • The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats • With SLSA, consumers can make informed choices about the security posture of the software they consume
  • 31. How SLSA Might Help SLSA helps to protect against common supply chain attacks. The following image illustrates a typical software supply chain and includes examples of attacks that can occur at every link in the chain. Each type of attack has occurred over the past several years and, unfortunately, is increasing as time goes on -
• 32. (Image: a typical software supply chain, with the attack points A-H that the following table describes)
• 33. Threat | Known example | How SLSA could have helped
  A. Submit bad code to the source repository | Linux hypocrite commits: Researcher attempted to intentionally introduce vulnerabilities into the Linux kernel via patches on the mailing list. | Two-person review caught most, but not all, of the vulnerabilities.
  B. Compromise source control platform | PHP: Attacker compromised PHP’s self-hosted git server and injected two malicious commits. | A better-protected source code platform would have been a much harder target for the attackers.
  C. Build with official process but from code not matching source control | Webmin: Attacker modified the build infrastructure to use source files not matching source control. | A SLSA-compliant build server would have produced provenance identifying the actual sources used, allowing consumers to detect such tampering.
  D. Compromise build platform | SolarWinds: Attacker compromised the build platform and installed an implant that injected malicious behavior during each build. | Higher SLSA levels require stronger security controls for the build platform, making it more difficult to compromise and gain persistence.
  E. Use bad dependency (i.e. A-H, recursively) | event-stream: Attacker added an innocuous dependency and then updated the dependency to add malicious behavior. The update did not match the code submitted to GitHub (i.e. attack F). | Applying SLSA recursively to all dependencies would have prevented this particular vector, because the provenance would have indicated that it either wasn’t built from a proper builder or that the source did not come from GitHub.
  F. Upload an artifact that was not built by the CI/CD system | CodeCov: Attacker used leaked credentials to upload a malicious artifact to a GCS bucket, from which users download directly. | Provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo.
  G. Compromise package repository | Attacks on Package Mirrors: Researcher ran mirrors for several popular package repositories, which could have been used to serve malicious packages. | Similar to above (F), provenance of the malicious artifacts would have shown that they were not built as expected or from the expected source repo.
  H. Trick consumer into using bad package | Browserify typosquatting: Attacker uploaded a malicious package with a similar name as the original. | SLSA does not directly address this threat, but provenance linking back to source control can enable and enhance other solutions.
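As an added example (not Google's SLSA code or any project's own tooling), the following Python sketch shows the consumer-side check that rows C, E and F of the table rely on: confirming that an artifact's provenance was produced by a trusted builder, names the expected source repository, and actually covers the bytes in hand. The statement layout is a simplified stand-in for an in-toto style attestation, the HMAC stands in for the builder's real signature, and the builder URL, repository URL and key are constructed.

```python
"""Consumer-side provenance verification (added example, simplified SLSA-style check).
The statement is a stand-in for an in-toto style attestation and the HMAC stands
in for the builder's real signature; builder URL, source URL and key are constructed."""
import hashlib
import hmac
import json

BUILDER_KEY = b"constructed-builder-signing-key"        # assumed: key shared with the verifier
TRUSTED_BUILDERS = {"https://ci.example/builder"}       # assumed allow-list of build platforms
EXPECTED_SOURCE = "git+https://github.com/example/app"  # assumed source repo for this artifact


def sign(statement: dict) -> str:
    """Stand-in for the builder's signature over the canonicalised statement."""
    payload = json.dumps(statement, sort_keys=True).encode()
    return hmac.new(BUILDER_KEY, payload, hashlib.sha256).hexdigest()


def make_provenance(artifact: bytes, builder: str, source: str) -> dict:
    """What a provenance-producing build server would emit alongside an artifact."""
    statement = {"subject_sha256": hashlib.sha256(artifact).hexdigest(),
                 "builder": builder, "source": source}
    return {"statement": statement, "signature": sign(statement)}


def verify(artifact: bytes, provenance: dict) -> list:
    """Return the reasons to reject the artifact; an empty list means accept."""
    st, reasons = provenance["statement"], []
    # Signature: the statement really came from a builder (table rows F/G: an artifact
    # uploaded straight to the distribution point has no genuine build behind it).
    if not hmac.compare_digest(provenance["signature"], sign(st)):
        reasons.append("provenance signature invalid")
    # Subject: the bytes in hand are the ones the builder produced (row F).
    if st["subject_sha256"] != hashlib.sha256(artifact).hexdigest():
        reasons.append("artifact digest does not match provenance subject")
    # Builder: only trusted build platforms (row E: not built by a proper builder).
    if st["builder"] not in TRUSTED_BUILDERS:
        reasons.append(f"untrusted builder {st['builder']}")
    # Source: the build consumed the expected repository (row C: sources not matching source control).
    if st["source"] != EXPECTED_SOURCE:
        reasons.append(f"unexpected source {st['source']}")
    return reasons


if __name__ == "__main__":
    artifact = b"constructed release tarball bytes"
    good = make_provenance(artifact, "https://ci.example/builder", EXPECTED_SOURCE)
    print(verify(artifact, good))  # []
    bad = make_provenance(artifact, "https://ci.example/builder", "file:///tmp/attacker-tree")
    print(verify(artifact, bad))   # ['unexpected source file:///tmp/attacker-tree']
```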
• 34. SLSA
URL: https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html
SLSA is a practical framework for end-to-end software supply chain integrity, based on a model proven to work at scale in one of the world’s largest software engineering organizations. Achieving the highest level of SLSA for most projects may be difficult, but incremental improvements recognized by lower SLSA levels will already go a long way toward improving the security of the open-source ecosystem.
Thanks to Patrick Mathieu, Sr. Manager, Offensive Security @ LogMeIn
• 35. Additional Security-Related: ”Don’t Say You Were Not Warned...”
  • 80% of companies that pay a ransomware ransom are exploited again, with about half of them believing it was the same group in the subsequent attack. Is that enough proof that paying a ransom is not a good strategy? If your security controls weren't good enough to stop the ransomware, they definitely aren't good enough to detect a rootkit - https://www.zdnet.com/article/most-firms-face-second-ransomware-attack-after-paying-off-first/#ftag=RSSbaffb68
Thanks to Michael Fischer, Sr. Manager, Product Security @ LogMeIn
• 36. 7 Cybersecurity Breaches In 2020 & How They Could Have Been Prevented
  1. SolarWinds: Third Party Infiltration (covered above)
  2. Portnox: Network Penetration
  3. Pulse Secure: VPN Vulnerabilities
  4. Marriott: Fraudulent Login from Stolen Details
  5. Cisco: Disgruntled Former Employee
  6. University of California: Ransomware
  7. UN Maritime Agency: Possible Watering Hole Attack
URL: https://cyolo.io/blog/7-data-cybersecurity-breaches-in-2020-how-they-could-have-been-prevented/
• 37. And Last, But Not Least – Shirbit Insurance
Israel Shaken By Data Leak After Ransomware Attack At ‘Shirbit Insurance’ Company:
  • Hackers leak screenshot of negotiation with breached insurance giant
  • Israeli government reportedly reconsidering relationship with insurance firm following security breach
A hacking gang calling itself Black Shadow has demanded a giant insurance firm pay a US $3.8 million ransom after encrypting and stealing sensitive data and documents about its clients. Customers of the victim, Israel’s Shirbit insurance company, have been advised to consider obtaining new identity cards and driving licenses due to the risk of identity theft after the hackers released a third wave of stolen data this past weekend. Leaked data has included scans of identity cards, marriage certificates, and financial and medical documents.
URL: https://hotforsecurity.bitdefender.com/blog/israel-shaken-by-data-leak-after-ransomware-attack-at-shirbit-insurance-company-24786.html
• 38. Q&A
Thank You!
Tzahi Arabov, Elite Security Champion @ LogMeIn
arabov@outlook.com
https://www.linkedin.com/in/arabov
• 40. The SolarWinds Compromise
On Dec. 13, the cyber community became aware of one of the most significant cybersecurity events of our time, impacting both commercial and government organizations around the world. The event was a supply chain attack on SolarWinds OrionⓇ software conducted by suspected nation-state operators (discovered by FireEye):
  • SolarWinds has mentioned that a vulnerability which existed until the March-June 2020 timeframe was leveraged to take advantage of their 'Orion' software product
  • Evidence exists showing that the attackers’ ‘Command and Control’ (C2) infrastructure was set up as early as August 2019. The first modified SolarWinds software was released in October 2019, and the earliest related Cobalt Strike payload identified was generated using Cobalt Strike 4.0, which was built in December 2019
More On NMS
  • Even when NMS are configured to only monitor (read-only), the credentials used would still offer some level of access to an attacker (read configurations, list processes etc.)
  • If an attacker compromises an NMS, they could usually reshape network traffic for man-in-the-middle (MitM) / person-in-the-middle / monkey-in-the-middle opportunities, and might then use the credentials meant for system monitoring to move laterally to target systems (if the Orion NMS agent is domain-joined, other service accounts that exist there might allow an attacker to leverage them and move laterally within the environment)
• 41. The SolarWinds Attack Framework – Delayed Execution
  • The ‘SUNBURST' malware checks filesystem timestamps to ensure that the product has been deployed for a dormant period of 12-14 days before it sends its first beacon:
    • The sample only executes if the filesystem write time of the assembly is at least 12-14 days prior to the current time (the exact threshold is selected randomly from an interval)
    • The sample keeps re-checking the time threshold, as it is run by a legitimate recurring background task
    • Once the threshold is met, the sample creates a ‘named pipe’ as a guard so that only one instance is running, before reading the file 'SolarWinds.Orion.Core.BusinessLayer.dll.config' from disk and retrieving the XML field 'appSettings’
    • The 'appSettings' field's keys are legitimate values that the malicious logic re-purposes as a persistent configuration
    • The key 'ReportWatcherRetry' must be any value other than ‘3’ for the sample to continue execution
This delayed execution effectively defeats malware sandboxes and other instrumented environments used to detect it: even if a staging environment had been used to test the infected update prior to deployment, to make certain malicious activity was absent, the update would have left the sandbox and been rolled out (to as many as 18,000 customers) well within 12 days.
• 42. The SolarWinds Attack Framework – Anti-Sandbox Behavior
According to FireEye, unless the infected device is joined to a domain, the malware will not execute:
  • The sample checks that the machine is domain-joined, then retrieves the domain name before execution continues
  • A 'userID' is generated by computing the MD5 of all network interface MAC addresses that are up and are not loopback devices, the domain name, and the registry value 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid’
  • The 'userID' is encoded via a custom XOR scheme after the MD5 is calculated
  • The 'ReportWatcherPostpone' key of 'appSettings' is then read from ‘SolarWinds.Orion.Core.BusinessLayer.dll.config' to retrieve its initial, legitimate value
  • This is done because the sample later bit-packs flags into this field, and the initial value must be known in order to read the bit flags back out
  • The sample then invokes the method 'Update', which is the core event loop of the sample
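As an added defensive example covering slides 41 and 42 (not FireEye's or SolarWinds' code), this Python snippet parses a constructed appSettings fragment of the config file named above and flags the two re-purposed keys: a 'ReportWatcherRetry' value other than '3', which the described logic needs in order to proceed, and a 'ReportWatcherPostpone' value that drifts from a defender-recorded baseline, which is where the malware bit-packs its state. The sample XML and the baseline are constructed, and since the slides do not give the legitimate default values, the findings are review items rather than verdicts.

```python
"""Audit the appSettings section of SolarWinds.Orion.Core.BusinessLayer.dll.config for
the state the SUNBURST logic depends on, as described on the slides (added example).
The XML below is a constructed fragment, not a real SolarWinds file."""
import xml.etree.ElementTree as ET
from typing import Optional

SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ReportWatcherRetry" value="4" />
    <add key="ReportWatcherPostpone" value="129" />
  </appSettings>
</configuration>"""


def read_app_settings(xml_text: str) -> dict:
    """Return appSettings as a {key: value} dict (empty if the section is missing)."""
    root = ET.fromstring(xml_text)
    section = root.find("appSettings")
    if section is None:
        return {}
    return {a.get("key"): a.get("value") for a in section.findall("add") if a.get("key")}


def audit(settings: dict, baseline_postpone: Optional[str] = None) -> list:
    """Return findings for the two keys the slides describe. baseline_postpone is the
    value recorded by the defender at install time (assumed), used to spot drift."""
    findings = []
    retry = settings.get("ReportWatcherRetry")
    # Slide 41: execution continues for any value other than '3', so anything else
    # (including a missing key) deserves a look.
    if retry != "3":
        findings.append(f"ReportWatcherRetry={retry!r}: not '3', so the described logic would proceed")
    postpone = settings.get("ReportWatcherPostpone")
    # Slide 42: the malware bit-packs flags into this field, so a change from the
    # recorded baseline is a signal worth reviewing.
    if baseline_postpone is not None and postpone != baseline_postpone:
        findings.append(f"ReportWatcherPostpone changed from {baseline_postpone!r} to {postpone!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(read_app_settings(SAMPLE_CONFIG), baseline_postpone="129"):
        print("REVIEW:", finding)
```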
• 43. The SolarWinds Attack Framework – VMware:
The ‘National Security Agency’ (NSA) released an advisory about CVE-2020-4006, a command injection vulnerability, stating that Russian state-sponsored actors were actively exploiting the vulnerability and suggesting US Government agencies patch immediately. This vulnerability exists in five VMware software products focused on identity and access management. Exploitation allows attackers to deploy a ‘web shell’ on the system and gain access to protected data. This vulnerability can only be exploited by someone who has already authenticated to the system, which indicates that when leveraged, it is likely used to gain additional access once the attacker is already inside the network. More information about CVE-2020-4006 can be found in our previously released Threat Brief: VMware Command Injection Vulnerability
• 44. The SolarWinds Attack Framework - Microsoft / SAML:
Microsoft has published multiple reports on activity related to this attack campaign, including a summary of the backdoor implanted into SolarWinds OrionⓇ (referred to by Microsoft as ‘Solorigate’), as well as guidance for their customers on protecting themselves. They have publicly stated that they are working with more than 40 companies who have been targeted in this attack
  • One specific component of the attack that Microsoft has discussed in detail is what they have observed in compromised networks with regard to identity infrastructure. Specifically, the attackers have exfiltrated SAML token-signing certificates, which allow them to forge tokens and access any resources that trust those certificates. Microsoft has observed these forged tokens presented to the Microsoft cloud on behalf of their customers
  • The compromise of these certificates implies the attacker gained the highest level of privileges inside the network and used them to establish long-term access to the network
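As an added example of how a defender might look for the forged tokens described above (not Microsoft's tooling or any IdP's real schema), this Python snippet correlates a cloud relying party's sign-in records with the on-prem IdP's own issuance log: a token forged with a stolen signing certificate validates cryptographically, so what remains to catch is the missing issuance record, a subject that differs from what the IdP issued, or a lifetime outside policy. Both log formats, the issuer URL and the one-hour lifetime policy are constructed assumptions.

```python
"""Correlate cloud sign-ins that claim the on-prem SAML issuer with the IdP's issuance
log (added example). A forged token never passed through the IdP, so it appears in the
relying party's records without a matching issuance. Both logs are constructed."""
from datetime import datetime, timedelta

EXPECTED_ISSUER = "https://sts.corp.example/adfs/services/trust"  # assumed federation issuer
MAX_LIFETIME = timedelta(hours=1)  # assumed issuance policy; tune to the IdP's configured lifetime

# Constructed IdP issuance log: one record per assertion the IdP actually signed.
IDP_ISSUED = [
    {"assertion_id": "_a1", "subject": "alice@corp.example",
     "not_before": "2020-12-10T09:00:00", "not_on_or_after": "2020-12-10T10:00:00"},
    {"assertion_id": "_a2", "subject": "bob@corp.example",
     "not_before": "2020-12-10T09:05:00", "not_on_or_after": "2020-12-10T10:05:00"},
]
# Constructed cloud sign-in log: what the relying party recorded about each accepted token.
CLOUD_SIGNINS = [
    {"assertion_id": "_a1", "issuer": EXPECTED_ISSUER, "subject": "alice@corp.example",
     "not_before": "2020-12-10T09:00:00", "not_on_or_after": "2020-12-10T10:00:00"},
    {"assertion_id": "_a2", "issuer": EXPECTED_ISSUER, "subject": "admin@corp.example",
     "not_before": "2020-12-10T09:05:00", "not_on_or_after": "2020-12-10T10:05:00"},
    {"assertion_id": "_zz", "issuer": EXPECTED_ISSUER, "subject": "svc-backup@corp.example",
     "not_before": "2020-12-10T11:00:00", "not_on_or_after": "2020-12-11T11:00:00"},
    {"assertion_id": "_b7", "issuer": "https://other-idp.example", "subject": "carol@partner.example",
     "not_before": "2020-12-10T12:00:00", "not_on_or_after": "2020-12-10T13:00:00"},
]


def find_suspicious(signins, issued, expected_issuer=EXPECTED_ISSUER, max_lifetime=MAX_LIFETIME):
    """Return [(assertion_id, subject, [reasons])] for sign-ins that warrant investigation."""
    by_id = {rec["assertion_id"]: rec for rec in issued}
    findings = []
    for s in signins:
        if s["issuer"] != expected_issuer:
            continue  # tokens from other IdPs are not covered by this IdP's log
        reasons = []
        rec = by_id.get(s["assertion_id"])
        if rec is None:
            reasons.append("no matching issuance record at the IdP")
        elif rec["subject"] != s["subject"]:
            reasons.append(f"subject {s['subject']} differs from issued {rec['subject']}")
        lifetime = datetime.fromisoformat(s["not_on_or_after"]) - datetime.fromisoformat(s["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"token lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append((s["assertion_id"], s["subject"], reasons))
    return findings


if __name__ == "__main__":
    for assertion_id, subject, reasons in find_suspicious(CLOUD_SIGNINS, IDP_ISSUED):
        print(assertion_id, subject, "; ".join(reasons))
```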
• 45. The SolarWinds Attack Framework - SUPERNOVA Web Shell:
FireEye’s initial report on the SolarWinds compromise included indicators for a ‘web shell’ they call SUPERNOVA. FireEye has since removed those indicators, as they no longer believe it was used as a result of the SolarWinds software compromise. This ‘web shell’ may not be related, but it is still vital to defend against it
The SolarWinds Attack Framework - MFA Bypass:
The SAML token-forging attack described above would allow an attacker to evade multi-factor authentication systems, as in that case the authentication system itself is compromised. Volexity published a report about a threat group named Dark Halo, which they have now connected to the SolarWinds compromise. Their report describes how the attacker targeted the “integration secret key” used to connect Cisco’s Duo Multi-Factor Authentication (MFA) solution to an Outlook Web Access server. With that key, they were able to pre-compute the token codes necessary for authentication
Similar to the SAML token-forging attack, this MFA bypass requires a significant compromise of the systems used to authenticate users and would have been performed post-compromise to extend the attacker’s access to the network
• 46. Open Source Code Attacks - Official PHP Server Targeted:
On the PHP Git server, an attacker group managed to gain access and added malicious code which caused any PHP server from a specific version number onwards to run the malicious code that followed the word "zerodium". Basically, the code checked whether the HTTP request's "HTTP_USER_AGENT" header began with the word "zerodium"; if so, it would inject the rest of the string as PHP code. Eventually, the malicious code was discovered by chance and removed. To infosec teams such code might look normal, and the fact that the malicious code, or a part of it, was removed does not mean a full-scale attack was over. We cannot assume that other programming languages were not affected as well. Attackers do not stop once one attack has been stopped.
• 47. Additional Past Supply Chain Attacks
  • September 2015 – XcodeGhost: An attacker distributed a version of Apple’s Xcode software (used to build iOS and macOS applications), which injected additional code into iOS apps built using it. This attack resulted in thousands of compromised apps identified in Apple’s App Store
  • March 2016 – KeRanger: The popular open source BitTorrent client Transmission was compromised to include macOS ransomware in its installer. Attackers compromised the legitimate servers used to distribute Transmission, so users who downloaded and installed the program would be infected with malware that held their files for ransom
  • June 2017 – NotPetya: Attackers compromised a Ukrainian software company and distributed a destructive payload with network-worm capabilities through an update to the “MeDoc” financial software. After infecting systems using the software, the malware spread to other hosts in the network and caused a worldwide disruption affecting many organizations
  • September 2017 – CCleaner: Attackers compromised Avast’s CCleaner tool, used by millions to help keep their PCs working properly. The compromise was used to target large technology and telecommunications companies worldwide with a second-stage payload
  • In September 2019, attackers again likely targeted Avast’s CCleaner tool after gaining access to Avast’s network through a temporary VPN profile. It is not clear whether the same operators from 2017 were involved in this incident
In each case, including the recent SolarWinds compromise, rather than targeting an organization directly through phishing or exploitation of vulnerabilities, the attackers chose to compromise software developers directly and use the trust we place in them to access other networks. This can effectively evade certain prevention and detection controls that have been tuned to trust well-known programs.
This pattern of software supply chain compromises will continue, and security teams cannot afford to ignore them. Protecting against these attacks is not simple for any enterprise, and those who are responsible for writing and deploying software need to take responsibility for the integrity of that code.