While the world is suffering from cyber-attacks, a trend of large-scale compromise is taking the world by storm. This year in March, the attack against Asus, one of the largest computer and phone hardware manufacturers, hit the headlines of worldwide media. This event became one of the most significant supply chain attacks in history and revealed the enormous threats hidden in today's supply chain system.
In essence, the problem of the supply chain attack resides in the trust end users place in their suppliers. By granting an update request (or sometimes without noticing), the end user lets malware be downloaded and implanted on the device. Furthermore, the digital certificate, the token of authenticity, is often abused. Such a violation of the trust system makes supply chain attacks almost impossible to defend against.
We have been tracking several serious supply-chain attacks for years, especially attacks in Korea, Japan and Taiwan. In the first part of the talk, we disclose details of these incidents, including the Winter Olympics, EmEditor, Garena (online games), CCleaner, Asus, etc., with their root causes and lessons learned. Many of the cases were investigated directly by, or with the assistance of, TeamT5 analysts. In the second part of the talk, we try to find the blind spots in cyber defense and share a strategy to effectively shield against supply-chain attacks.
[CB19] Resistance is Futile: The Undefendable Supply-Chain Attack, by Sung-Ting Tsai and Linda Kuo
1. Resistance is Futile
The Undefendable Supply-Chain Attack
Oct 2019
Tsai Sung-ting (TT)
Linda Kuo
Code Blue, Tokyo, 2019
2. The Speakers
蔡松廷 Tsai, Sung-ting (TT)
• Founder and CEO, TeamT5
• 18+ years in the security industry and hacker community
• Co-founder / chief director, HITCON
• Adviser to several Taiwanese government agencies
Linda Kuo
• Cyber Threat Analyst, TeamT5
• Focus: cyber espionage campaign tracking
• Underground market experience
3. TeamT5 Profile
60+ clients in Asia Pacific:
• MSSP (90+% in Taiwan)
• Government agencies
• Telecom / ISP
• Leading CTI firms
• Accounting firms / Financial sector
• Semiconductor / Manufacturing
• International trading
• NGO / NPO
Partners: Taiwan 10+, Japan 2+, ASEAN 4+
Start from APAC, Speak for APAC, Guardian of APAC
5. AGENDA
01 Advanced Cyber Threats and Supply-Chain Attacks: Problems and Challenges
02 Real Case Studies: Could your existing solutions block these attacks?
03 The Blind Spot of Cyber Defense: The solution to deal with advanced cyber threats
04 Turn Passive to Proactive: Cyber Threat Intelligence
6. Taiwan and Advanced Cyber Threats
2000 – present: a non-stop series of cyber espionage attacks. On average, we receive an incident report every 2 weeks.
Four headline incidents, 2016 to 2019 (in order):
• ATM heist: TWD $83 million in withdrawals
• SWIFT attack: USD $60 million transferred
• Virus outbreak hits chipmaker: USD $85 million lost
• Laptop live-updating malware: 200,000+ computers infected
8. Incident of the Year – ASUS the victim
2019.01 Taiwan
Malware: ShadowPad
Highlights
• June 2018 – Nov/Dec 2018, Jan 2019
• Downloaded from the official ASUS Update server
• Carried a valid digital signature of “ASUSTeK Computer Inc.”
ASUS: a multinational company known for the world’s best motherboards and personal devices.
9. Supply Chain Attack
• An emerging threat that targets software developers and suppliers with the goal of accessing source code, build processes, or update mechanisms, infecting legitimate apps to distribute malware.
Targets: system supplier, device supplier, app supplier
10. Serious Supply Chain Attack in TW: eClient Incident
2013.05 Taiwan
Victims
• 7000+ central/local government agencies, schools & hospitals
Timeline
• Early May: malicious update package downloaded
• May 15th: NCCST alert
• May 24th: NICST official announcement
Attack Method
Malware: Firefly (Chinese malware)
eClient: official document exchange system within TW public sectors
11. KMPlayer was Hacked!
2013.08 Worldwide, esp. Korea
Malware: PlugX (Chinese malware)
Highlights
• An update notification for version 3.7.0.87 appeared after execution -> fake update package (KMP_3.7.0.87.exe)
• Legitimate certificate (valid but not from KMP)
KMPlayer: free multi-language media player, popular in Asia
12. Japan is also Targeted - EmEditor
2014.09 Japan
Malware: PlugX (Chinese malware)
Victims
• MOJ, JAXA, MOIT, MOA, Nagoya U, LINE
Highlights
• EmEditor Professional’s update server was compromised. It returned the malicious update package only to a specific IP range.
• Legitimate certificate (valid but not official)
EmEditor: powerful editor used in corporations, institutions, and governments in JP
13. Gaming Massacre - Garena
2014.12 Asia
Malware: PlugX (Chinese malware)
Victims
• Asia’s players (could be more than 1m)
Highlights
• Distributor was hacked -> update server replaced
• Infected games: LOL, Path of Exile, FIFA Online 3
Timeline
• Nov.11th: first infected sample found
• Dec.3rd: second player reported
• Dec.21st: third player reported
• Dec.23rd: Garena’s official statement
• Dec.29th: Garena update installation again
• Dec.31st: backdoor still exists after the update installation
Garena: the operator of League of Legends, FIFA Online 3, Point Blank, Blade & Soul and Arena of Valor in Asia.
14. Crashing the KR financials - Netsarang
2017.07 KR, TW, HK
Malware: ShadowPad (Chinese malware)
Victims
• Samsung, LG, financials in Korea, energy companies, pharmaceutical industry
Highlights
• Update mechanism was compromised and a backdoor was included in the package
• DGA (domain generation algorithm) for C2 location
Netsarang: a global, popular cross-platform integration solution provider. Its products include Xmanager, Xshell, etc.
15. Firing at the Giants - CCleaner
2017.08 Worldwide
Malware: PlugX (Simplified Chinese)
Highlights
• Both the website build (v5.33.6162) and the cloud build (v1.07.3197) were infected
• 2.77m victims, but only a few received the 2nd-stage malware
CCleaner: a PC optimization tool popular worldwide, with 2B downloads
16. PyeongChang Winter Olympics Attacks
2018.02 KR
Malware: Olympic Destroyer
Highlights
On Feb. 9, the official Winter Olympics website went down for several hours, causing a disruption to ticket sales and downloads during the opening ceremony.
Winter Olympics: Olympics systems were destroyed on the opening day.
17. OLYMPIC DESTROYER (ATOS BREACH)
https://www.cyberscoop.com/atos-olympics-hack-olympic-destroyer-malware-peyongchang/
"The evidence was recently posted to the VirusTotal repository, but information associated with the malware samples carries indications that the hackers were inside Atos systems since at least December. Some of the earliest samples were uploaded by unnamed VirusTotal users geographically located in France, where Atos is headquartered, and Romania, where some members of Atos’ security team work."
18. Lessons Learned for Olympics 2020
• An air-gapped network is not the silver bullet.
• Don’t 100% trust suppliers.
• Be aware of false flags.
• Have a response and recovery plan.
• How fast could you recover?
21. Bypass ALL Protections (CCleaner)
• Easily trusted
  • Valid digital signature
  • Parent company: Avast (antivirus)
• Endpoint-based protection
  • 2017-08-15 CCleaner compromised
  • 2017-09-14 First antivirus detection
  • 2017-09-18 Fewer than 10 detections
• Network-based protection
  • Encrypted traffic
  • Payload hosted on https://github.com, https://wordpress.com
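As an added example (not from the talk), the following Python models the endpoint trust decision this slide criticises: a signature-only policy, which accepts a trojanized build signed with the vendor's own key from the vendor's own server, against a policy that also requires the package hash to appear in a manifest obtained outside the update channel and the download host to be on an allow-list. The signature-check outcome is supplied as an input flag rather than computed (Authenticode cannot be verified offline here); the vendor name, hostnames and package bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class UpdatePackage:
    content: bytes         # bytes actually downloaded (constructed sample)
    signer: str            # subject of the signing certificate
    signature_valid: bool  # outcome of the OS signature check (assumed input, not computed here)
    source_host: str       # host the package was fetched from

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def signature_only_policy(pkg: UpdatePackage, expected_signer: str) -> bool:
    """Trust any validly signed file from the expected vendor (what let CCleaner/ASUS through)."""
    return pkg.signature_valid and pkg.signer == expected_signer

def defence_in_depth_policy(pkg, expected_signer, manifest_hashes, allowed_hosts):
    """Signature check plus two controls a stolen or abused signing key cannot satisfy
    alone: a pinned hash list obtained outside the update channel and a host allow-list."""
    reasons = []
    if not signature_only_policy(pkg, expected_signer):
        reasons.append("signature invalid or signer mismatch")
    if sha256_hex(pkg.content) not in manifest_hashes:
        reasons.append("hash not in out-of-band manifest")
    if pkg.source_host not in allowed_hosts:
        reasons.append("unexpected download host")
    return not reasons, reasons

# Constructed scenario: placeholder vendor, genuine build and its published hash.
VENDOR = "Example Vendor Inc."
GENUINE = b"updater build 1.0"
TROJANIZED = GENUINE + b"\x00implant"   # same signing key, extra payload
MANIFEST = {sha256_hex(GENUINE)}
ALLOWED_HOSTS = {"update.example.com"}

CASES = {
    "genuine": UpdatePackage(GENUINE, VENDOR, True, "update.example.com"),
    # Trojanized build signed with the vendor's own key, served from the official host (ASUS pattern).
    "asus_style": UpdatePackage(TROJANIZED, VENDOR, True, "update.example.com"),
    # Valid certificate that does not belong to the vendor (KMPlayer / EmEditor pattern).
    "kmp_style": UpdatePackage(TROJANIZED, "Unrelated Signer Ltd.", True, "update.example.com"),
}

def evaluate(case: str) -> dict:
    pkg = CASES[case]
    accepted, reasons = defence_in_depth_policy(pkg, VENDOR, MANIFEST, ALLOWED_HOSTS)
    return {"signature_only": signature_only_policy(pkg, VENDOR),
            "defence_in_depth": accepted, "reasons": reasons}
```

The manifest only helps if it arrives over a channel the update server cannot influence; in the Garena case the update server itself was replaced, so a hash list fetched from the same place would have offered no protection.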
23. The Defense on Post-Compromise Stage
Goal: shorten the time to discover an incident
Approach: proactive threat hunting
Mindset: don’t trust; always assume it is compromised
25. Dealing with Advanced Cyber Threats
• You need a TEAM
  • Invest in people, not only software or hardware.
  • Your enemies are human. They are well-trained hackers. You cannot rely on computer programs only.
  • You need a good security strategy to defend. Only people can make strategy.
• You need INTELLIGENCE
  • Invest in understanding your enemies.