Supply Chain Attack Backdooring Your Networks

  1. Supply Chain Attack Backdooring Your Networks
  2. SHAHEE MIRZA. Head of Security Operations @ BEETLES. Security Researcher. Red Teamer. Twitter: @shaheemirza
  3. Well.....
  4. What is Supply Chain? A supply chain is a network between a company and its suppliers to produce and distribute a specific product/service to the final buyer/client/customer. This network includes different activities, people, entities, information, and resources. The supply chain also represents the steps it takes to get the product or service from its original state to the buyer/client/customer.
  5. What is Supply Chain Attack? A supply chain attack is a cyberattack that attempts to inflict damage to a company by exploiting vulnerabilities in its supply chain network. A supply chain attack entails continuous network hacking or infiltration processes to gain access to an organization’s network. More than 60% of cyberattacks originate from the supply chain or from external parties exploiting security vulnerabilities within the supply chain.
  6. And Then This Happened! NordVPN, AVAST, ASUS, INTEL, VMWARE, CamScanner, Kingslayer, CloudHopper, CCleaner, ShadowPad, PyPi, M.E.Doc, .....
  7. It even happened before the digital era
  8. Supply Chain Attack examples
  9. Third party software providers
  10. Third party data stores
  12. THE BOOMING BUSINESS MODEL. Large economies of scale are what keep supply chain attacks increasing. In the past few years we have seen massive data breaches that have flooded the black market with personal identification information, credit card credentials and bank credentials. The attacks against these data sources are operated like a business, and like any other business they try to stay afloat as long as possible with low operational cost and high ROI.
  13. THE PATH OF MIN RESISTANCE. Supply chain attacks are popular with modern attackers because they are an easy way into soft targets, which in turn gives easy access to those targets' customers: the real targets, where the attacker can install malware and attack trusted applications. Third party contractors and suppliers provide a stealthy gateway to hard-to-reach targets.
  14. THE COMPLEXITY OF DETECTION. Supply chain attacks are very hard to detect: most of them install a backdoor into legitimate software/firmware, so they are rarely caught by the IDS/IPS deployed in the organization. Moreover, vendors are usually allowed to connect to the network without any proper checking for threats.
  15. CASE STUDY
  16. BEETLES takeover an ELEPHANT by SCA
  17. Operation at a glance
     ● TARGET: ELEPHANT (BD HQ).
     ● TASK: Compromise ELEPHANT internal network.
     ● DEAL: Red Teaming.
     ● CORE: DC, VPN, Central DataBase, Employee Data, etc.
     ● PLAN: Takeover CORE of ELEPHANT.
     ● HAWK: ELEPHANT's global supplier/vendor. HAWK has access to ELEPHANT's CORE.
  18. Team Deployment plan for RT-OPS
     ● Alpha Team: Operating from the external/online network.
     ● Bravo Team: Operating from the guest wifi network on-premise, from the cafeteria.
  19. Day 1 to 3, Intelligence gathering:
     ● Understanding how ELEPHANT functions day to day, end to end.
     ● Recon DNS
     ● Identification of external/internal IDS-IPS
     ● Identification of Live Assets
  20. Day 4-6, Vulnerability Analysis: Sending specially crafted packets to identify bad responses which may lead to code execution, sensitive information leaks, etc.
  21. Day 7: Vulnerabilities exist, but nothing leads to CORE. Accessed many assets, but CORE is still far from us.
  22. Day 8: Suddenly a new machine connected to the network, one that is not a regular member as far as we can see. This might be a HAWK (Vendor) member. Hmmmm, interesting!!! And it's vulnerable.
  23. Day 8: Exploited a Non-Paged Pool Overflow in the SRV Driver [HAWK]
  24. Day 8: Got a reverse shell back and downloaded sensitive files [HAWK]
  25. Day 8: Dumped credentials from browsers [HAWK]
  26. Day 9: Logged in to an application using the dumped credentials [ELEPHANT]
  27. Day 9: Exploited the application and deployed a foothold [ELEPHANT]
  28. Day 9: Dumped Windows server login credentials [ELEPHANT]
  29. Day 10: Passing the hash throughout the network [ELEPHANT]. Native Windows applications ask users for the cleartext password, then call APIs like “LsaLogonUser” that convert that password to one or two hash values (the LM or NT hashes) and use those with the remote server during NTLM authentication. The cleartext password is not required to complete network authentication successfully; only the hashes are needed. So we can authenticate with only the NT hash.
  30. Day 10: Successfully logged in to the DC and CORE services [ELEPHANT]
  31. FAQ
     ● Where did you get the guest wifi password?
     ● Why did the vendor not get any alert while you exploited them?
     ● How did you determine that your findings were related to the Elephant?
     ● Why didn't the IDS/IPS/Endpoint security generate any alert?
     ● Why did the firewall fail to protect the assets and allow all the malicious requests?
     ● Why did Elephant's Global SOC fail to flag the attack?
     ● Did you manage to break their physical security?
     ● Did you manage to break into the vendor’s network?
  32. Mitigating Risk of SCA
  33. ● Assess and understand your supplier network
     ● Know the risks associated with your third-party partners and suppliers
     ● Include the supply chain in your response and remediation plan
  34. Suggestions: Follow security best practices, monitor vendor access to internal data and networks, establish boundaries and adhere to them strictly. Log and monitor all external vendor access, and know your third-party providers’ incident response and disaster recovery plans. Moreover, decrease your attack surface by limiting users’ ability to install unauthorized third party software on machines.
  35. Credits:
  36. THANKS
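The pass-the-hash step on slide 29, one set of NTLM credentials reused against host after host, is also the signal a defender can hunt for in Windows logon telemetry (the kind of alert the FAQ on slide 31 asks why the SOC never raised). The Python below is an added example, not from the talk or from BEETLES; the event records are constructed and their field layout is an assumption modelled on Security event 4624 (logon type 3 with the NTLM authentication package).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4624.
# Assumed field order: (timestamp, target host, account, source ip,
# logon type, authentication package). One account/source pair performs
# NTLM network logons to four hosts within a few minutes.
SAMPLE_EVENTS = [
    ("2020-01-10T09:00:05", "FS01",  "ELEPHANT\\svc-backup", "10.0.5.23", 3, "NTLM"),
    ("2020-01-10T09:00:41", "DB02",  "ELEPHANT\\svc-backup", "10.0.5.23", 3, "NTLM"),
    ("2020-01-10T09:02:17", "DC01",  "ELEPHANT\\svc-backup", "10.0.5.23", 3, "NTLM"),
    ("2020-01-10T09:03:00", "APP01", "ELEPHANT\\svc-backup", "10.0.5.23", 3, "NTLM"),
    # Ordinary Kerberos network logon: the domain's normal protocol, not counted.
    ("2020-01-10T09:01:00", "FS01",  "ELEPHANT\\jdoe",       "10.0.7.8",  3, "Kerberos"),
    # Interactive console logon (type 2): not a network logon, not counted.
    ("2020-01-10T09:01:30", "WS11",  "ELEPHANT\\jdoe",       "10.0.7.8",  2, "NTLM"),
    # A lone NTLM logon hours later: by itself it is not a fan-out.
    ("2020-01-10T13:30:00", "FS01",  "ELEPHANT\\svc-backup", "10.0.5.23", 3, "NTLM"),
]


def detect_ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {(account, source_ip): [hosts]} for every account/source pair
    that completed NTLM network logons (type 3) to at least `min_hosts`
    distinct hosts inside some sliding `window`.

    Only NTLM counts: a hash alone suffices for NTLM, so pass-the-hash shows
    up as NTLM logons in a domain that would normally negotiate Kerberos.
    Legitimate NTLM (e.g. shares opened by IP) still occurs, which is why a
    fan-out threshold is used rather than alerting on every NTLM logon."""
    by_actor = defaultdict(list)
    for ts, host, account, src, logon_type, package in events:
        if logon_type == 3 and package.upper() == "NTLM":
            by_actor[(account, src)].append((datetime.fromisoformat(ts), host))
    hits = {}
    for actor, logons in by_actor.items():
        logons.sort()  # chronological, so logons[i:] is "start and later"
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[actor] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for (account, src), hosts in detect_ntlm_fanout(SAMPLE_EVENTS).items():
        print(f"{account} from {src}: NTLM logons to {len(hosts)} hosts {hosts}")
```

Tune `window` and `min_hosts` to the environment's baseline, and feed the detector from the domain controllers and member servers rather than a single host, since the whole point of the pattern is its spread across machines.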