This document discusses software supply chain attacks in 2018 and compares predictions to reality. It describes incidents involving compromised updates to the MediaGet torrent application, a PDF editor app, and a remote support solutions provider. These attacks show how supply chains can be exploited at multiple levels, from compromising a software vendor to compromising another vendor that the first vendor relies on. The document also discusses attacks on Linux repositories, WordPress plugins, NPM modules, and Docker images. It concludes that software supply chain attacks remain a trend, have expanded beyond binaries to cloud environments, and are now used by cybercriminals in addition to nation-states. Detection across diverse software supply chains remains a challenge.

1. Software Supply Chain attacks in
2018: predictions vs reality
Elia Florio – Windows Defender ATP Research

2. #supplychain
WHAT THIS SESSION IS ABOUT

3. → Past/Present/Future of Software Supply Chain attacks
→ A look at recent Software Supply Chain incidents discovered in
2018 by Windows Defender ATP Research team
→ New trends and variations in Software Supply Chain attacks
WHAT THIS SESSION IS ABOUT

4. SOFTWARE SUPPLY CHAIN INCIDENTS
(<2017)
Source: https://www.rsaconference.com/events/us18/agenda/sessions/10149-the-unexpected-attack-vector-software-updaters
1
0
2
4
2
4
7
2011 2012 2013 2014 2015 2016 2017
Software Supply Chain incidents on Windows and Mac systems

5. SOFTWARE SUPPLY CHAIN INCIDENTS
(<2017)
Period Software Affected Incident
Jul 2011 ESTsoft ALZip “SK Communications” data breach in South Korea (src: Command Five Pty)
Jun 2013 SimDisk, Songsari Incidents affecting Government and News website in South Korea (src: TrendMicro)
Jun 2013
Apr 2014
Three <undisclosed> ICS
Vendors
(Industrial Control System)
“DragonFly” campaign targeting energy sector and ICS industry (src: Symantec)
Jan 2014 GOM Player Incident at Monju reactor facility in Japan (src: Contextis)
Jan 2015 League of Legends (LoL)
Path of Exile (PoE)
PlugX malware found in two popular videogames in Asia (src: TrendMicro)
Apr 2015 EvLog 3.0 (EventID) Operation “Kingslayer” targeting popular sysadmin software in Fortune500 (src: RSA)
Oct 2016
Mar 2017
Ask Partner Network (APN) ASK distribution network compromised to deliver malware (src: CarbonBlack)
Nov 2016 <undisclosed> ATM software ATM software installation package compromised with malicious script (src: Microsoft)
May 2017 <undisclosed> Text Editor Operation “WilySupply” targeting financial sector and IT companies (src: Microsoft)
Jun 2017 M.e. Doc Popular tax software used as distribution vector for PETYA (src: Kaspersky & Microsoft)
Jul 2017 NetSarang XShell Operation “ShadowPad”: compromised server tools for devs/sysadmins (src: Kaspersky)
Sep 2017 CCleaner Popular freeware tool backdoored to compromise IT companies (src: Cisco Talos & Morphisec)

6. PREDICTIONS (2018)

7. RECENT SOFTWARE SUPPLY CHAIN
INCIDENTS IN 2018
Mar 2018
• MediaGet
Jul 2018
• PDF Editor
App
Aug 2018
• 9002 RAT

8. POISONED MEDIAGET INCIDENT

9. POISONED MEDIAGET INCIDENT
400K+

10. POISONED MEDIAGET INCIDENT

11. POISONED MEDIAGET INCIDENT
→ In March, a popular torrent application
(MediaGet) started to distribute a
backdoored update through the regular
update mechanism for unknown reasons
→ The backdoored binary was also signed,
but by an unrelated software developer
company in Mexico
→ This campaign ended up installing Dofoil
trojan and a Coin Miner automatically on
thousands of machines using MediaGet
update
→ Attackers had probably access to source
and building infrastructure of MediaGet in
order to rebuild a trojanized version
Source: https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak/

12. POISONED MEDIAGET INCIDENT
→ Signature validation is bypassed using just another
cert (stolen from another dev company)
→ New recompiled MediaGet build includes a special
“RUN” command

13. POISONED MEDIAGET INCIDENT

14. ATTACK INCEPTION:
SUPPLY CHAIN OF SUPPLY CHAIN

15. ATTACK INCEPTION:
SUPPLY CHAIN OF SUPPLY CHAIN

16. ATTACK INCEPTION:
SUPPLY CHAIN OF SUPPLY CHAIN

17. ATTACK INCEPTION:
SUPPLY CHAIN OF SUPPLY CHAIN
→ Between January and March, Windows
Defender ATP detected certain machines
compromised by the same type of
CoinMiner
→ Hunting down the root cause of these
unrelated incidents, a common MSI font
package was found to be the installation
vector of the CoinMiner
→ The MSI package was downloaded and
installed by a legitimate PDF editor
application
→ The PDF editor software company was
unaware that the MSI package, produced
by another vendor, was compromised
Source: https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/

18. ATTACK INCEPTION:
SUPPLY CHAIN OF SUPPLY CHAIN

19. ATTACK INCEPTION:
SUPPLY CHAIN OF SUPPLY CHAIN
Source: https://published-prd.lanyonevents.com/published/rsaap15.6381_ap18/sessionsFiles/4435/FLE-R08_FLE-R08_Exploit_Kits_and_Malware_ROI.pdf (Lior Ben-Porat)

20. “9002 RAT” CASE
→ “The threat actors compromised the
update server of a remote support
solutions provider to deliver a remote
access tool called 9002 RAT to their
targets of interest through the update
process.”
→ “The code-signing certificate from the
remote support solutions provider is
stolen. It’s possible that the certificate was
stolen as early as April 2018”
→ “Malicious update files are prepared,
signed with the stolen certificate, and
uploaded to the attacker’s server
(207[.]148[.]94[.]157).”
Source: https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/

21. JUST A PROBLEM OF TRADITIONAL
SOFTWARE (COMPILED BINARIES)?

22. TRUST COMPLEXITIES IN CLOUD WORLD
Enterprise
Org
Hardware and
Software
Suppliers
Open Source
Software
Suppliers
Cloud Services
and
Infrastructure
Suppliers
Vendors and
Acquisitions

23. POISONED CHROME EXTENSION UPDATE #1
(APR, 2018)
Source: https://www.icebrg.io/blog/more-extensions-more-money-more-problems

24. POISONED CHROME EXTENSION UPDATE #2
(SEP, 2018)
Source: https://mega.nz/blog_47

25. LINUX REPOSITORIES (GENTOO/ARCH)
UNDER ATTACK (JUN/JUL 2018)

26. TROJANIZED WORDPRESS PLUGINS
(JAN, 2018)
Source: https://www.wordfence.com/blog/2018/01/wordpress-supply-chain-attacks/

27. BACKDOORED NPM MODULES
ESLINT AND GETCOOKIES (MAY/JUL, 2018)
Source: https://www.wordfence.com/blog/2018/01/wordpress-supply-chain-attacks/

28. COMPROMISED DOCKER IMAGES
ON DOCKER HUB (JUN, 2018)
→ A malicious Docker Hub account
uploaded 14 Docker images with a
hidden CoinMiner backdoor
→ The backdoored Docker images were
downloaded almost 5M times by
innocent administrators and used
→ The malicious script hidden in the
packages may continue to run on cloud
servers even after users deleted the
Docker images
→ Attacker operating almost for 1 year
before any action
Source: [1] https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html
[2] https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers

29. TRUST

30. CONCLUSIONS
→ Software Supply Chain are still trending in 2018
→ High-degree of variations across cloud perimeter, not just binary code
→ No longer a technique just for nation-state attackers (cybercriminals and coinminers joining the club)
→ “Code Execution” for cloud attackers is a broader concept; attacks may arrive from unexpected entry
vectors
→ DevOps accounts and machines are the weakest link
→ Well-defined trust models for software binaries are not yet replicated for code in the cloud, open source,
web libraries, containers:
→ e.g. New business models emerge: https://nodesource.com/products/certified-modules
→ Detection of Software Supply Chain across the entire spectrum is still difficult; current detections are
happening post-breach (EDR & DFIR)

31. Thank you