This document discusses supply chain attacks and provides examples of recent ones. It defines a supply chain attack as the compromise of an enterprise network through a third-party application or entity. The document then summarizes the anatomy and timeline of the Kaseya ransomware attack and the 3CX software supply chain compromise. In the Kaseya attack, a malicious task disguised as an agent hot-fix was deployed through exploited VSA servers, which then pushed REvil ransomware downstream to customers' endpoints. The 3CX attack involved a trojanized desktop application update that bundled malicious DLLs, leading to data theft. Finally, the document outlines defenses such as supplier security guidelines, software inventory, access controls, and secure development practices to help prevent supply chain attacks.
3. Agenda
What are Supply Chain Attacks
Attack Vectors
In The News
Anatomy of an Attack
Defending against SCA
4. What are Supply Chain Attacks
• Also called a value chain attack or 3rd-party attack
• Compromise of enterprise networks via trusted applications or 3rd-party entities
• Typically executed by APT groups
• Who is the target? The supplier is usually only the entry point; its downstream customers are the objective
5. Attack vectors
• Third party software providers
• Data storage solutions
• Development or testing platforms
• Website services
• Repositories
7. Anatomy of an Attack – Kaseya Ransomware
• Happened on July 2, 2021
• Kaseya VSA servers were exploited to deploy ransomware downstream to the MSPs' managed endpoints
• Malicious VSA task disguised as a "Kaseya VSA Agent Hot-Fix"
• Ransomware encryptor pushed as agent.crt and decoded on the endpoint to agent.exe
• agent.exe used DLL sideloading against a Windows Defender binary to launch the REvil encryptor, which also set a registry key
• Timed to encrypt at around 1630 UTC on a Friday, ahead of the US July 4 holiday weekend
• Around 60 direct MSP customers and 1,500+ downstream businesses affected
11. Anatomy of an Attack – 3CX
• Systems running the trojanized 3CX desktop app were infected with TaxHaul malware on Windows and SimpleSea on macOS
• Fast Reverse Proxy was used to move laterally
13. Anatomy of an Attack – 3CX
• Initial Response
• Determine scope of exploited installs
• Hunt for the IOCs: connections to the known domains and matches on the published file hashes
• Hunt for child processes of the Desktop App
• Hunt for suspicious loading of DLL files by the Desktop App
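The hunting steps on this slide and the attack chain on the Kaseya slide, as an added example that is not part of the original deck: a small Python hunt over constructed, Sysmon-style telemetry (process creations, image loads and network connections). It flags the Kaseya chain (certutil decoding agent.crt into agent.exe, and a Windows Defender engine binary running from or loading a DLL outside its install directory) and the 3CX chain (child processes of the desktop app, unsigned DLLs it loads, and connections to IOC domains or IOC hashes), then scopes the response by listing hosts that run the app against hosts with findings. The telemetry and IOC sets are constructed placeholders; the binary names MsMpEng.exe and 3CXDesktopApp.exe, the certutil decode step and the Defender install paths are assumptions taken from public reporting rather than from the slides.

```python
"""Hunt for the Kaseya and 3CX attack chains in endpoint telemetry.

Added example: the telemetry is constructed, Sysmon-like CSV; the IOC sets are
placeholders; binary names and paths are assumptions from public reporting.
"""
import csv
import io
from pathlib import PureWindowsPath

IOC_DOMAINS = {"update-cdn.example.invalid"}  # placeholder, constructed
IOC_SHA256 = {"00" * 32}                       # placeholder, constructed

THREECX_APP = "3cxdesktopapp.exe"  # assumed desktop app binary name
DEFENDER_BIN = "msmpeng.exe"       # assumed Defender engine binary name
DEFENDER_DIRS = (                  # assumed legitimate install directories
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed telemetry: process creations (proc), image loads (dll), connections (net).
SAMPLE_CSV = r"""event,host,image,parent_image,cmdline,dll,dll_signed,sha256,dst_domain
proc,ws01,C:\Windows\System32\certutil.exe,C:\Program Files\Kaseya\AgentMon.exe,certutil -decode C:\staging\agent.crt C:\staging\agent.exe,,,,
proc,ws01,C:\Windows\MsMpEng.exe,C:\staging\agent.exe,C:\Windows\MsMpEng.exe,,,,
dll,ws01,C:\Windows\MsMpEng.exe,,,C:\Windows\mpsvc.dll,false,,
proc,ws02,C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe,C:\Windows\explorer.exe,3CXDesktopApp.exe,,,,
dll,ws02,C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe,,,C:\Program Files\3CXDesktopApp\ffmpeg.dll,false,0000000000000000000000000000000000000000000000000000000000000000,
proc,ws02,C:\Windows\System32\cmd.exe,C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe,cmd.exe /c whoami,,,,
net,ws02,C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe,,,,,,update-cdn.example.invalid
proc,ws03,C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe,C:\Windows\explorer.exe,3CXDesktopApp.exe,,,,
dll,ws03,C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe,,,C:\Program Files\3CXDesktopApp\ffmpeg.dll,true,1111111111111111111111111111111111111111111111111111111111111111,
dll,ws04,C:\Program Files\Windows Defender\MsMpEng.exe,,,C:\Program Files\Windows Defender\mpsvc.dll,true,,
"""


def _name(path):
    """Lower-cased file name of a Windows path ('' for an empty field)."""
    return PureWindowsPath(path).name.lower() if path else ""


def _under(path, roots):
    """True if path sits below one of the given directory roots."""
    low = path.lower()
    return any(low.startswith(root + "\\") for root in roots)


def rule_certutil_decode(ev):
    # Kaseya: the encryptor arrived as agent.crt and was decoded into agent.exe.
    cmd = ev["cmdline"].lower()
    if (ev["event"] == "proc" and _name(ev["image"]) == "certutil.exe"
            and "-decode" in cmd and cmd.rstrip().endswith(".exe")):
        return "certutil decoding into an executable: " + ev["cmdline"]
    return None


def rule_defender_sideload(ev):
    # Kaseya: a Defender engine copy dropped outside its install directory
    # loads a malicious DLL placed next to it (DLL sideloading).
    if _name(ev["image"]) != DEFENDER_BIN:
        return None
    if ev["event"] == "dll" and not _under(ev["dll"], DEFENDER_DIRS):
        return "Defender engine loaded " + ev["dll"]
    if not _under(ev["image"], DEFENDER_DIRS):
        return "Defender engine running from " + ev["image"]
    return None


def rule_3cx_child(ev):
    # 3CX: the desktop app has no business spawning shells or other children.
    if ev["event"] == "proc" and _name(ev["parent_image"]) == THREECX_APP:
        return "desktop app spawned: " + ev["cmdline"]
    return None


def rule_3cx_unsigned_dll(ev):
    # 3CX: unsigned loads are the cheap first filter; a signed-but-tampered
    # DLL has to be caught by the hash match in rule_ioc instead.
    if (ev["event"] == "dll" and _name(ev["image"]) == THREECX_APP
            and ev["dll_signed"].lower() != "true"):
        return "desktop app loaded unsigned " + ev["dll"]
    return None


def rule_ioc(ev):
    # Plain indicator matching on destination domain and file hash.
    if ev["dst_domain"] in IOC_DOMAINS:
        return "connection to IOC domain " + ev["dst_domain"]
    if ev["sha256"] and ev["sha256"].lower() in IOC_SHA256:
        return "IOC hash " + ev["sha256"]
    return None


RULES = {
    "certutil_decode": rule_certutil_decode,
    "defender_sideload": rule_defender_sideload,
    "3cx_child_process": rule_3cx_child,
    "3cx_unsigned_dll": rule_3cx_unsigned_dll,
    "ioc_match": rule_ioc,
}


def parse(text):
    return list(csv.DictReader(io.StringIO(text)))


def hunt(events):
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule, fn in RULES.items():
            detail = fn(ev)
            if detail:
                findings.append({"rule": rule, "host": ev["host"], "detail": detail})
    return findings


def scope(events, findings):
    """Scope the response: hosts running the desktop app versus hosts with hits."""
    installs = {ev["host"] for ev in events
                if THREECX_APP in (_name(ev["image"]), _name(ev["parent_image"]))}
    hit = {f["host"] for f in findings}
    return {"installs": installs, "hosts_with_findings": hit,
            "installs_without_findings": installs - hit}


if __name__ == "__main__":
    evs = parse(SAMPLE_CSV)
    found = hunt(evs)
    for f in found:
        print(f"{f['host']:5} {f['rule']:18} {f['detail']}")
    print(scope(evs, found))
```

On the sample, ws01 shows the Kaseya chain (certutil decode, then a Defender engine running from C:\Windows and loading a DLL from there), ws02 shows the 3CX chain (IOC hash, unsigned DLL, a cmd.exe child and an IOC domain), ws03 runs the desktop app without findings and so stays on the scope list for re-imaging or closer review, and ws04 is a legitimate Defender install that produces no hits. Real telemetry would come from Sysmon or the EDR export rather than an inline string, and the IOC sets from the vendor advisories.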
15. Defending Against SCA
• Have security guidelines for suppliers
• Vulnerability management system
• Good software inventory
• Enforce change control
• Restricted access rights / controls
• Identify alternatives / failover processes
• Well defined SDLC and secure coding practices
• Protect code and repositories