Adversaries are constantly changing and improving how they attack us. In this six-part series we'll explore new or advanced tactics used by threat actors to circumvent even the most cutting-edge defenses.
On June 27th, 2017, the NotPetya malware campaign initiated in Ukraine and rapidly spread around the globe. NotPetya devastated businesses of all industry verticals as it began wiping large amounts of Windows systems. Cisco’s Talos researchers found that the initial infection vector was an automatic update of M.E.Doc, a popular Ukrainian tax accounting software.
Not long after, researchers at Kaspersky Lab reported that they discovered a backdoor in recently updated versions of NetSarang software. This software is used for managing and administrating server and client machines, but malicious actors found a way to exploit it as a vector for deploying malware. Customers who installed seemingly legitimate updates during this time period instead received malicious binaries, which researchers identified as part of the ShadowPad family of malware.
These two seemingly unrelated instances have one factor in common - both are examples of a supply chain attack.
Supply chain attacks attempt to infect software or hardware from a secondary organization that is used by the primary target organization. Supply chain targeted attacks can affect all organizations using the vendor product, or they can be targeted at a single customer of the given vendor. In many cases, vendors will hold other organizations’ sensitive data that can be stolen. This data can then be used to enhance spear phishing attacks against organizations or the vendors they use.
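The paragraph above describes the mechanism behind both incidents: a trusted update channel delivering binaries the customer never inspects. The following is an added example, not code from the article or from either vendor, of the client-side check a defender can put in front of an update installer: every delivered file is compared against a manifest of hashes pinned out-of-band, and any mismatch, missing file or extra file blocks the install. The file names, contents and manifest are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the files delivered by an update, as name -> contents. A real
# client would read these from the downloaded package; they are inline so the example
# runs offline.
GOOD_FILES = {
    "updater.exe": b"constructed updater binary, version 2.1",
    "core.dll": b"constructed core library, version 2.1",
    "helper.dll": b"constructed helper library, version 2.1",
}

# Constructed pinned manifest: the hashes the vendor published for this release, obtained
# over a channel separate from the update download itself (e.g. baked into the installed
# client or fetched from a second origin). If the reference hashes travel with the update,
# whoever swaps the binaries can swap the hashes too, and the check proves nothing.
PINNED_MANIFEST = {name: sha256_hex(data) for name, data in GOOD_FILES.items()}

# Constructed tampered package: one file replaced, one file added.
TAMPERED_FILES = dict(GOOD_FILES)
TAMPERED_FILES["helper.dll"] = b"constructed helper library with modified contents"
TAMPERED_FILES["extra.dll"] = b"constructed file not listed in the manifest"


@dataclass
class VerifyResult:
    ok: bool
    mismatched: list = field(default_factory=list)  # present, but hash differs
    unexpected: list = field(default_factory=list)  # present, but not in the manifest
    missing: list = field(default_factory=list)     # in the manifest, but absent


def verify_update(files: dict, manifest: dict) -> VerifyResult:
    """Check every delivered file against the pinned manifest.

    Extra files are a failure, not noise: an update that ships something the
    manifest does not describe is exactly what a tampered package looks like.
    """
    result = VerifyResult(ok=True)
    for name, expected in manifest.items():
        if name not in files:
            result.missing.append(name)
            continue
        actual = sha256_hex(files[name])
        if not hmac.compare_digest(actual, expected):
            result.mismatched.append(name)
    for name in files:
        if name not in manifest:
            result.unexpected.append(name)
    result.mismatched.sort()
    result.unexpected.sort()
    result.missing.sort()
    result.ok = not (result.missing or result.mismatched or result.unexpected)
    return result


def install_if_verified(files: dict, manifest: dict) -> bool:
    """Gate the install step on verification; returns True only if installation proceeded."""
    res = verify_update(files, manifest)
    if not res.ok:
        # Log the deviation and stop; never fall back to installing anyway.
        return False
    # The actual installation would happen here.
    return True


if __name__ == "__main__":
    print("clean package:", verify_update(GOOD_FILES, PINNED_MANIFEST))
    print("tampered package:", verify_update(TAMPERED_FILES, PINNED_MANIFEST))
```

Hash pinning only helps when the manifest really does come from somewhere the update server cannot influence; in practice that means a vendor signing key pinned in the client and a signed manifest, with the hash comparison above as the final step.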
A supply chain security program will focus on the risks associated with dealing with third party vendors and the planning of actions needed to be taken in response to an incident.
Supply chain attacks are a versatile and effective option for malicious actors. Organizations rarely apply the same scrutiny to their partners and connected companies that they apply to themselves - a trusted partner is the last vector one would expect an attack from.
In the case of NotPetya, M.E.Doc was targeted because its software is used by a large number of organizations both within and outside of Ukraine. M.E.Doc was therefore an ideal method for spreading the wiper malware, which could destroy all data and operating systems. This means that the attack on Ukrainian infrastructure was not only highly coordinated but also intended to cause as much damage as possible in as short a time as possible.
In contrast, the malicious software delivered through NetSarang, ShadowPad, was relatively quiet and did not present itself noticeably. It was instead discovered by an organization’s security team, who picked up on unusual network activity in the background of the applications. At this point the objective of the attack is unknown.
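The detection that caught ShadowPad, as described above, is a baseline comparison: an application that has always talked to the same handful of vendor hosts suddenly talks to somewhere new. Below is an added example, not from the article or the security team it refers to, of that logic run over constructed connection-log lines. The log format, process names and hostnames are all made up for the example; the point is the two conditions it flags (a known application contacting a destination absent from its baseline, and a process with no baseline at all) and the grouping step that separates a fleet-wide change, which is what a pushed update produces, from a one-off connection.

```python
import re
from collections import defaultdict

# Constructed connection-log lines (not real telemetry). Each line records one outbound
# connection made by a process on an endpoint: timestamp, host, process image,
# destination, port. BASELINE_LOGS is the known-good period, OBSERVED_LOGS the period
# under review.
BASELINE_LOGS = [
    "2017-08-01T09:00:00Z host=ws01 proc=admintool.exe dst=update.vendor.example port=443",
    "2017-08-01T09:00:05Z host=ws01 proc=admintool.exe dst=license.vendor.example port=443",
    "2017-08-02T10:12:00Z host=ws02 proc=admintool.exe dst=update.vendor.example port=443",
    "2017-08-02T10:13:00Z host=ws02 proc=browser.exe dst=intranet.corp.example port=443",
]
OBSERVED_LOGS = [
    "2017-08-15T11:00:00Z host=ws01 proc=admintool.exe dst=update.vendor.example port=443",
    "2017-08-15T11:00:07Z host=ws01 proc=admintool.exe dst=reg.unrelated-host.example port=443",
    "2017-08-15T11:00:09Z host=ws02 proc=admintool.exe dst=reg.unrelated-host.example port=443",
    "2017-08-15T11:02:00Z host=ws02 proc=browser.exe dst=intranet.corp.example port=443",
    "2017-08-15T11:05:00Z host=ws03 proc=newproc.exe dst=somewhere.example port=8443",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$"
)


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for a malformed one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def build_baseline(lines):
    """Map each process image to the set of (destination, port) pairs it was seen using."""
    baseline = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            baseline[rec["proc"]].add((rec["dst"], rec["port"]))
    return baseline


def find_anomalies(lines, baseline):
    """Return the records that deviate from the baseline, each tagged with a reason.

    Two kinds are flagged: a known application contacting a destination it never used
    during the baseline period, and a process image that has no baseline at all.
    """
    anomalies = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the whole run
        key = (rec["dst"], rec["port"])
        if rec["proc"] not in baseline:
            anomalies.append({**rec, "reason": "unbaselined process"})
        elif key not in baseline[rec["proc"]]:
            anomalies.append({**rec, "reason": "new destination for known application"})
    return anomalies


def group_by_destination(anomalies):
    """Group anomalies by (process, destination, port) and collect the hosts involved.

    The same application reaching the same new destination from many hosts at once is
    the pattern a pushed software update would produce, so it deserves more attention
    than a single machine making a single odd connection.
    """
    groups = defaultdict(set)
    for a in anomalies:
        groups[(a["proc"], a["dst"], a["port"])].add(a["host"])
    return dict(groups)


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    found = find_anomalies(OBSERVED_LOGS, base)
    for (proc, dst, port), hosts in group_by_destination(found).items():
        print(f"{proc} -> {dst}:{port} seen on {len(hosts)} host(s): {sorted(hosts)}")
```

On the constructed data this reports admintool.exe reaching reg.unrelated-host.example from two hosts, and newproc.exe with no history at all. The baseline window must itself be clean for this to mean anything, so build it from a period before the suspect update and refresh it only after review.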
“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component.” - Kaspersky Lab
This attack vector requires an advanced knowledge of the target’s infrastructure. While large organizations likely have several vendors in their supply chain, it is still difficult to successfully target, exploit, and then leverage the access against the primary target. This requires a high skillset to carry out successfully. There is always a risk of detection when attempting to breach these third-party vendors, which puts the entire operation at risk. A failed attack on a third-party vendor is likely to alert all organizations down the line, inevitably strengthening the security of those potential targets.
Supply chain attacks are not new or unique to the digital age. Recent history provides many high-profile data breaches that have occurred largely due to supply chain vulnerabilities. In December 2013, the retail store Target suffered a data breach of 40 million customers’ debit and credit card accounts. Upon investigation it was found that the breach originated from a contracted HVAC company for Target. The attackers first stole network credentials from the HVAC company to connect to the Target network and then steal vast amounts of transaction data.
In September 2014, Home Depot announced a data breach that also stemmed from a third-party vendor. This third party had limited access to the Home Depot network that attackers leveraged to further exploit Home Depot and eventually steal data from 56 million credit and debit cards.
For organizations dealing with several supply chain vendors, a robust security program will thoroughly vet every element in the chain. Since third-party vendors are, for the most part, unavoidable as organizations grow, steps are needed to address the risks associated with each vendor.
The SANS Institute released a whitepaper titled “Combating Cyber Risks in the Supply Chain” that lists four major components for a vendor management program:
1) Define your important vendors
By defining important vendors, organizations are able to properly respond to any affected vendors. If an organization relies heavily on a vendor that suffers an outage they will need a robust response plan for this event.
2) Specify the primary contacts for each vendor
Specifying primary contacts with each vendor allows organizations to immediately respond to threats or other incidents. This will also prove useful if the vendor suffers a data breach and the organization needs to understand the scope of the impact.
3) Establish guidelines and controls to ensure consistent processes
Establishing guidelines creates a controlled environment for vendors to interface with organizations, and vice versa. This protects both organizations from misuse by employees and hopefully limits the access to important services to reduce attack surface.
4) Integrate with the organization’s assessment and audit practices
Integrating vendor management with the organization’s assessment and audit practices allows organizations to cover all necessary internal audits and assessments that rely on third-party vendors.
The first part of this series covered Domain Generation Algorithms. Up next in the series: Adversarial Machine Learning.
Brady Sullivan is a part of the Intelligence Acquisition team at Anomali where he focuses on the latest vulnerabilities and threat campaigns affecting the industry. He has spent the last 10 years as a security practitioner, researching and defending against cyber threats. Brady is a Portland State University graduate with a BS in Computer Science and is a privacy and security advocate.