What is a Supply Chain?
A supply chain is a network between a company and its
suppliers to produce and distribute a specific product/service
to the final buyer/client/customer. This network includes
different activities, people, entities, information, and
resources. The supply chain also represents the steps it takes
to get the product or service from its original state to the
What is a Supply Chain Attack?
A supply chain attack is a cyberattack that attempts to inflict
damage on a company by exploiting vulnerabilities in its supply
chain network. A supply chain attack entails continuous
network hacking or infiltration processes to gain access to an
organization's network. More than 60% of cyberattacks
originate from the supply chain or from external parties
exploiting security vulnerabilities within the supply chain.
And Then This Happened!
THE BOOMING BUSINESS MODEL
Economies of scale are what make supply chain attacks ever
more frequent. In the past few years we have seen massive
data breaches that have flooded the black market with
personal identification information, credit card credentials and
bank credentials. The attacks against these data sources
are operated like a business, and like any other business they try
to remain afloat as long as possible with low operational cost
and high ROI.
THE PATH OF MINIMUM RESISTANCE
Supply chain attacks are popular with modern attackers
because they are an easy way into soft targets, which in turn gives
easy access to those targets' customers, i.e. the real targets, allowing
malware installation and attacks on trusted applications. Third-party
contractors and suppliers provide a stealthy gateway to
THE COMPLEXITY OF DETECTION
Supply chain attacks are very hard to detect: because most
attacks install a backdoor into legitimate software/firmware,
they are rarely detected by the IDS/IPS deployed in
organizations. Moreover, vendors are usually allowed to
connect into networks without any proper checking for
Operation at a glance
TARGET: ELEPHANT (BD HQ).
TASK: Compromise ELEPHANT internal network.
DEAL: Red Teaming.
CORE: DC, VPN, Central Database, Employee Data, etc.
PLAN: Takeover CORE of ELEPHANT.
HAWK: ELEPHANT's global supplier/vendor.
HAWK has access to ELEPHANT's CORE.
Team Deployment plan for RT-OPS
Alpha Team: Operating from the external/online network.
Bravo Team: Operating from the guest wifi network on-premise from the
Day 1 to 3
● Understanding how ELEPHANT functions day to day, end to end.
● Recon DNS
● Identification of external/internal IDS-IPS
● Identiﬁcation of Live Assets
Sending specially crafted packets to identify bad responses that
may lead to code execution, sensitive information leaks, etc.
Vulnerabilities exist, but none of them leads to CORE.
Accessed many assets, but CORE is still far from us.
Suddenly a new machine connected to the network,
one that is not a regular member as far as we can see. This might
be a HAWK (vendor) machine.
Hmmmm, interesting!!! And it's vulnerable.
Day 8: Exploited a Non-Paged Pool Overflow in the SRV Driver [HAWK]
Day 8: Got a reverse shell and downloaded sensitive files [HAWK]
Day 8: Dumped credentials from browsers [HAWK]
Day 9: Logged in to an application using the dumped credentials [ELEPHANT]
Day 9: Exploited the application and deployed a foothold [ELEPHANT]
Day 9: Dumped Windows servers' login credentials [ELEPHANT]
Day 10: Passed the hash throughout the network [ELEPHANT]
Native Windows applications ask users for the cleartext password, then call APIs such as
"LsaLogonUser" that convert that password into one or two hash values (the LM or NT
hashes), and those hashes are what is used with the remote server during NTLM authentication.
The cleartext password is not required to complete network authentication successfully;
only the hashes are needed. So we can authenticate with only the NT hash.
Day 10: Successfully login to DC and CORE services [ELEPHANT]
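As an added example (not part of the original deck), the following Python scans constructed Windows Security event 4624 (successful logon) records for the trace that pass-the-hash lateral movement leaves behind. Because the server only ever sees hash-derived NTLM material, it cannot tell a stolen hash from a typed password, so detection has to rely on behaviour: here, one account from one source address completing NTLM network logons (logon type 3) to several distinct hosts within a short window. Hostnames, accounts, addresses and timestamps are all invented; the field names follow the event 4624 schema as forwarded by a SIEM, and the fan-out threshold and window size are assumptions to be tuned per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 records, flattened to
# JSON lines the way a log forwarder would emit them. "Computer" is the host
# that recorded the logon (the destination), "IpAddress" is the source.
# All hosts, users, addresses and times below are made up for this example.
SAMPLE_EVENTS = """
{"EventID":4624,"TimeCreated":"2019-05-10T09:00:05","Computer":"FILESRV01","TargetUserName":"svc_backup","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.10.5.23"}
{"EventID":4624,"TimeCreated":"2019-05-10T09:00:11","Computer":"APPSRV02","TargetUserName":"svc_backup","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.10.5.23"}
{"EventID":4624,"TimeCreated":"2019-05-10T09:00:19","Computer":"DC01","TargetUserName":"svc_backup","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.10.5.23"}
{"EventID":4624,"TimeCreated":"2019-05-10T09:00:27","Computer":"DB01","TargetUserName":"svc_backup","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.10.5.23"}
{"EventID":4624,"TimeCreated":"2019-05-10T09:02:40","Computer":"FILESRV01","TargetUserName":"jdoe","LogonType":3,"AuthenticationPackageName":"Kerberos","IpAddress":"10.10.7.41"}
{"EventID":4624,"TimeCreated":"2019-05-10T11:30:00","Computer":"APPSRV02","TargetUserName":"jdoe","LogonType":3,"AuthenticationPackageName":"Kerberos","IpAddress":"10.10.7.41"}
{"EventID":4624,"TimeCreated":"2019-05-10T08:55:00","Computer":"WS-0142","TargetUserName":"asmith","LogonType":2,"AuthenticationPackageName":"Negotiate","IpAddress":"-"}
"""


def parse_events(text):
    """Parse JSON-lines event records; TimeCreated becomes a datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events


def detect_ntlm_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return one alert per (user, source IP) that completed NTLM network
    logons (event 4624, LogonType 3) to at least `min_hosts` distinct hosts
    within any `window`-long span. The threshold and window are assumptions."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        # Only NTLM network logons are of interest: Kerberos logons carry a
        # ticket, and interactive logons (type 2) are not lateral movement.
        if ev.get("LogonType") != 3 or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        by_actor[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in by_actor.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        best = None
        start = 0
        # Sliding window over the time-ordered logons of this actor.
        for end in range(len(evs)):
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            hosts = {e["Computer"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "user": user,
                    "source_ip": ip,
                    "hosts": sorted(hosts),
                    "first_seen": evs[start]["TimeCreated"].isoformat(),
                    "last_seen": evs[end]["TimeCreated"].isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_ntlm_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['user']} from {alert['source_ip']} reached "
              f"{len(alert['hosts'])} hosts between {alert['first_seen']} "
              f"and {alert['last_seen']}: {', '.join(alert['hosts'])}")
```

On the constructed sample only svc_backup from 10.10.5.23 trips the rule (four hosts in under a minute); the Kerberos logons of jdoe and the interactive logon of asmith are ignored. In a real deployment the same rule would be fed from the domain controllers' and member servers' 4624 events, with an allowlist for backup and scanning accounts that legitimately fan out.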
● How did you obtain the guest wifi password?
● Why did the vendor not get any alert while you exploited them?
● How did you determine that your findings were related to ELEPHANT?
● Why didn't IDS/IPS/endpoint security generate any alert?
● Why did the firewall fail to protect the assets and allow all the malicious
● Why did ELEPHANT's global SOC fail to flag the attack?
● Did you manage to break their physical security?
● Did you manage to break into the vendor's network?
● Assess and understand your supplier network
● Know the risks associated with your third-party
partners and suppliers
● Include the supply chain in your response and
Follow best security practices: monitor vendor access to
internal data and networks, establish boundaries and adhere
to those boundaries strictly. Log and monitor all external
vendor access, and know your third-party providers'
incident response and disaster recovery plans. Moreover,
decrease your attack surface by limiting users' ability to install
unauthorized third-party software on machines.
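As an added example of the "establish boundaries" and "log and monitor any external vendor access" advice above (not part of the original deck), this Python checks constructed vendor logon records against a per-account access policy: which internal hosts each vendor account may reach and during which maintenance window. The account names (hawk-svc01, hawk-eng), hosts, addresses and times are invented, and the policy layout is an assumption for the example rather than any product's schema.

```python
from datetime import datetime, time

# Constructed vendor-access policy: the boundary agreed with each supplier.
# Each vendor account lists the hosts it may reach and the daily window in
# which access is expected. Names and windows are made up for this example.
VENDOR_POLICY = {
    "hawk-svc01": {"allowed_hosts": {"APPSRV02"}, "window": (time(22, 0), time(23, 59))},
    "hawk-eng": {"allowed_hosts": {"APPSRV02", "JUMP01"}, "window": (time(9, 0), time(18, 0))},
}

# Constructed access records for vendor accounts (e.g. from VPN or network
# logon logs), already reduced to the fields the check needs.
ACCESS_LOG = [
    {"time": "2019-05-10T22:15:00", "user": "hawk-svc01", "host": "APPSRV02", "src": "203.0.113.10"},
    {"time": "2019-05-10T22:20:00", "user": "hawk-svc01", "host": "DC01", "src": "203.0.113.10"},
    {"time": "2019-05-11T03:05:00", "user": "hawk-eng", "host": "JUMP01", "src": "203.0.113.11"},
    {"time": "2019-05-11T10:05:00", "user": "hawk-eng", "host": "JUMP01", "src": "203.0.113.11"},
    {"time": "2019-05-11T10:10:00", "user": "ghost-vendor", "host": "DB01", "src": "198.51.100.7"},
]


def check_vendor_access(policy, records):
    """Return (user, host, reason) findings for every record that crosses the
    agreed boundary: unknown vendor account, host outside the agreed scope,
    or access outside the maintenance window."""
    findings = []
    for rec in records:
        ts = datetime.fromisoformat(rec["time"])
        rule = policy.get(rec["user"])
        if rule is None:
            # An account nobody registered as a vendor is the loudest signal.
            findings.append((rec["user"], rec["host"], "unknown vendor account"))
            continue
        if rec["host"] not in rule["allowed_hosts"]:
            findings.append((rec["user"], rec["host"], "host outside agreed scope"))
        start, end = rule["window"]
        if not (start <= ts.time() <= end):
            findings.append((rec["user"], rec["host"], "outside maintenance window"))
    return findings


if __name__ == "__main__":
    for user, host, reason in check_vendor_access(VENDOR_POLICY, ACCESS_LOG):
        print(f"{user} -> {host}: {reason}")
```

On the sample data the check reports three findings: hawk-svc01 touching DC01 (a host outside its scope, the kind of move from a vendor foothold toward CORE described in the operation timeline), hawk-eng connecting at 03:05 outside its window, and an account that is not in the vendor register at all. Running such a check over every vendor logon, rather than trusting the vendor's connection by default, is the practical form of the boundary the text calls for.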