5. What is Supply Chain?
A supply chain is a network between a company and its
suppliers to produce and distribute a specific product/service
to the final buyer/client/customer. This network includes
different activities, people, entities, information, and
resources. The supply chain also represents the steps it takes
to get the product or service from its original state to the
buyer/client/customer.
6. What is a Supply Chain Attack?
A supply chain attack is a cyberattack that attempts to inflict
damage on a company by exploiting vulnerabilities in its supply
chain network. Rather than breaching the target directly, the
attacker compromises a supplier, vendor or trusted software
channel and uses that foothold to gain access to the
organization's network. More than 60% of cyberattacks
originate from the supply chain or from external parties
exploiting security vulnerabilities within the supply chain.
8. And Then This Happened!
NordVPN
AVAST
ASUS
INTEL
VMWARE
CamScanner
Kingslayer
CloudHopper
CCleaner
ShadowPad
PyPI
M.E.Doc
.....
14. THE BOOMING BUSINESS MODEL
Economies of scale are what keep supply chain attacks
increasing. Over the past few years we have seen massive
data breaches that have flooded the black market with
personal identification information, credit card credentials
and bank credentials. The attacks against these data sources
are run like a business, and like any other business they try
to stay afloat as long as possible with low operational cost
and high ROI.
15. THE PATH OF MIN RESISTANCE
Supply chain attacks are popular with modern attackers
because they are an easy way into soft targets, which in turn
gives easy access to those targets' customers, i.e., the real
targets, allowing the attacker to install malware by abusing
trusted applications. Third-party contractors and suppliers
provide a stealthy gateway to hard-to-reach targets.
16. THE COMPLEXITY OF DETECTION
Supply chain attacks are very hard to detect: because most of
them install a backdoor into legitimate software or firmware,
they are rarely caught by the IDS/IPS deployed in
organizations. Moreover, vendors are usually allowed to
connect to networks without any proper checking for
threats.
19. Operation at a glance
TARGET: ELEPHANT (BD HQ).
TASK: Compromise ELEPHANT internal network.
DEAL: Red Teaming.
CORE: DC, VPN, Central Database, Employee Data, etc.
PLAN: Takeover CORE of ELEPHANT.
HAWK: ELEPHANT's global supplier/vendor.
HAWK has access to ELEPHANT's CORE.
20. Team Deployment plan for RT-OPS
Alpha Team: Operating from the external/online network.
Bravo Team: Operating on-premise from the guest Wi-Fi network in the cafeteria.
21. Day 1 to 3
Intelligence gathering:
● Understanding how ELEPHANT functions day to day, end to end.
● DNS reconnaissance
● Identification of external/internal IDS/IPS
● Identification of live assets
22. Day 4-6
Vulnerability analysis:
Sending specially crafted packets to identify bad responses that
may lead to code execution, sensitive information leaks, etc.
24. Day 8
Suddenly a new machine connected to the network,
one that is not a regular member as far as we can see. This might
be a HAWK (vendor) member.
Hmmmm, interesting!!! And it's vulnerable.
31. Day 9: Dumped Windows server login credentials [ELEPHANT]
32. Day 10: Passing the hash throughout the network [ELEPHANT]
Native Windows applications ask the user for the cleartext password and then call APIs
such as LsaLogonUser that convert that password into one or two hash values (the LM
and/or NT hash), and it is those hashes that are sent to the remote server during NTLM
authentication. The cleartext password is therefore not required to complete network
authentication successfully; only the hashes are needed. So with nothing more than the
NT hash we can authenticate as that user.
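The flip side of the point above, as an added example that is not part of the original slides: because a pass-the-hash logon arrives as an ordinary NTLM network logon, a defender hunts for the pattern rather than the logon itself, typically one source reusing one account against many hosts within a short window. The detector below scans constructed Windows Security event 4624 records (field names follow the 4624 event; the flattened key=value line format, sample values and thresholds are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 records flattened to key=value
# form (an assumption; real events are EVTX/XML). Source 10.10.5.23 reuses the
# svc_backup account against four servers inside 80 seconds; the rest is benign.
SAMPLE_EVENTS = """\
2019-03-12T09:00:01 EventID=4624 LogonType=3 AuthPackage=NTLM KeyLength=0 Account=svc_backup Target=FS01 Source=10.10.5.23
2019-03-12T09:00:15 EventID=4624 LogonType=3 AuthPackage=NTLM KeyLength=0 Account=svc_backup Target=FS02 Source=10.10.5.23
2019-03-12T09:00:40 EventID=4624 LogonType=3 AuthPackage=NTLM KeyLength=0 Account=svc_backup Target=DC01 Source=10.10.5.23
2019-03-12T09:01:20 EventID=4624 LogonType=3 AuthPackage=NTLM KeyLength=0 Account=svc_backup Target=SQL01 Source=10.10.5.23
2019-03-12T09:02:00 EventID=4624 LogonType=3 AuthPackage=Kerberos KeyLength=256 Account=alice Target=FS01 Source=10.10.7.40
2019-03-12T09:30:00 EventID=4624 LogonType=3 AuthPackage=NTLM KeyLength=0 Account=bob Target=FS01 Source=10.10.7.41
"""

def parse_event(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def is_ntlm_network_logon(event):
    # Shape of a logon that needed only the NT hash: network logon (type 3), NTLM
    # package, no session key. Legitimate NTLM logons look identical, so the
    # fan-out count in detect_pth is what separates signal from noise.
    return (event.get("EventID") == "4624" and event.get("LogonType") == "3"
            and event.get("AuthPackage") == "NTLM" and event.get("KeyLength") == "0")

def detect_pth(log_text, window=timedelta(minutes=5), min_targets=3):
    """Return [(source, account, sorted targets)] for each (source, account) pair
    that reached at least `min_targets` distinct hosts within one `window`."""
    by_pair = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        if is_ntlm_network_logon(event):
            by_pair[(event["Source"], event["Account"])].append(event)
    alerts = []
    for (source, account), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end, current in enumerate(events):  # sliding time window over events
            while current["ts"] - events[start]["ts"] > window:
                start += 1
            targets = {e["Target"] for e in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            alerts.append((source, account, sorted(best)))
    return alerts
```

On the sample, only the svc_backup fan-out from 10.10.5.23 is reported; the Kerberos logon and the single NTLM logon by bob are left alone.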
35. FAQ
● How did you obtain the guest Wi-Fi password?
● Why did the vendor not get any alert while you were exploiting them?
● How did you determine that your findings were related to ELEPHANT?
● Why didn't the IDS/IPS/endpoint security generate any alert?
● Why did the firewall fail to protect the assets and allow all the malicious
requests?
● Why did ELEPHANT's global SOC fail to flag the attack?
● Did you manage to break their physical security?
● Did you manage to break into the vendor's network?
37.
● Assess and understand your supplier network
● Know the risks associated with your third-party partners and suppliers
● Include the supply chain in your response and remediation plan
38. Suggestions
Follow security best practices, monitor vendor access to
internal data and networks, establish boundaries and adhere
to these boundaries strictly. Log and monitor all external
vendor access, and know your third-party providers'
incident response and disaster recovery plans. Moreover,
reduce your attack surface by limiting users' ability to install
unauthorized third-party software on their machines.