Broken Links - Emergence and Future of Software Supply-Chain Compromises

Transcript

1. Broken Links: 
 Emergence and Future of Software Supply Chain

   Compromises Ryan Kazanciyan - Chief Product Officer, Tanium Black Hat Europe 2018
 December 6, 2018

2. Alexandria, VA

3. 2004 - 2009 2009 - 2015 2015 - Present

4. Technical Consultant, S2 & S3

5. Software supply-chain attacks a brief timeline

6. None
7. None
8. None
9. None
10. None

11. MeDoc 2018 2017 2016 2019 HandBrake 2015 2016 2013

12. MeDoc UltraEdit
 “Wily 
 Supply” Ask.com 
 Partner Network Classic

    Shell
 & Audacity Transmission 2018 2017 2016 2019 HandBrake 2015 Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk 2016 2013

13. Elmedia
 Player 2015 CCleaner MeDoc UltraEdit
 “Wily 
 Supply” Ask.com

    
 Partner Network Classic Shell
 & Audacity Transmission Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk 2018 2017 2016 2013 2019 Net-
 Sarang Web Developer
 +8 Chrome 
 extensions HandBrake PyPi
 10 pkgs npm 
 38 pkgs

14. Elmedia
 Player 2015 CCleaner MeDoc UltraEdit
 “Wily 
 Supply” Ask.com

    
 Partner Network Classic Shell
 & Audacity Transmission Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk PDFescape Gentoo
 Linux Vesta-
 PC MEGA
 Chrome
 extension StatCounter phpBB Arch 
 Linux
 AUR ESLint npm 
 event-
 stream npm
 getcookies 2018 2017 2016 2013 2019 MediaGet Net-
 Sarang Docker 
 Hub Docker 
 Hub Web Developer
 +8 Chrome 
 extensions HandBrake PyPi
 10 pkgs PyPi
 12 pkgs npm 
 38 pkgs

15. Timeframe: < 1 day Exposure: (?) 25 companies Objective: Targeted

    compromise

16. Timeframe: < 3 days 
 Exposure: ~4.8 million users Objective:

    Mass adware

17. Timeframe: One month
 Exposure: > 2M downloads Objective: Targeted compromise

    of 18 tech firms

18. …and these are just a subset of supply-chain attacks…

19. End-user Software Development Toolchain Hardware and Firmware Enterprise Software SaaS

    and Service Providers Data 
 Providers

20. End-user Software Development Toolchain Hardware and Firmware Enterprise Software SaaS

    and Service Data 
 Providers

21. What’s driving these attacks? (despite their relative difficulty)

22. None
23. None

24. https://www.w3counter.com/trends

25. None
26. None

27. https://researchcenter.paloaltonetworks.com/2018/02/threat-brief-declining-rig-exploit-kit-hops-coinmining-bandwagon/

28. https://go.recordedfuture.com/hubfs/reports/cta-2018-0327.pdf

29. How have attackers adapted?

30. https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

31. https://enigma0x3.net/2018/01/29/reviving-dde-using-onenote-and-excel-for-code-execution/

32. None

33. Why we’re vulnerable challenges with prevention & detection

34. Subverting our trust mechanisms

35. Elmedia
 Player* 2015 CCleaner MeDoc UltraEdit
 “Wily 
 Supply” Ask.com

    
 Partner Network Classic Shell
 & Audacity Transmission* Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk PDFescape Gentoo
 Linux Vesta-
 PC MEGA
 Chrome
 extension StatCounter phpBB Arch 
 Linux
 AUR ESLint npm 
 event-
 stream npm
 getcookies 2018 2017 2016 2013 2019 MediaGet* Net-
 Sarang Docker 
 Hub Docker 
 Hub HandBrake* PyPi
 10 pkgs PyPi
 12 pkgs npm 
 38 pkgs Attacks that delivered signed malware Web Developer
 +8 Chrome 
 extensions * Signed with a different certificate than the original developer
36. None

37. 189 signed malware samples 111 certificates 72 compromised certs 80%

    not revoked http://signedmalware.org/

38. https://arxiv.org/pdf/1803.02931.pdf

39. Software diversity 
 == risk https://twitter.com/halvarflake/status/909864760853884928

40. How many endpoint agents are deployed in a typical enterprise?

41. 32%six to ten endpoint agents Ponemon Institute, “2017 State of

    the Endpoint Report” 27%ten or more endpoint agents

42. What is the ratio of endpoints to unique versions of

    installed user applications?

43. 5-7 x # of endpoints 1-3 x # of endpoints

    Large networks (>100k endpoints) Small networks (<100k endpoints) * Measured by total unique instances of installed application versions

44. 230,000 systems 400,000 unique
 application + version pairs

45. How do security teams cope?

46. None
47. None

48. Trends and patterns
 attacks in the past year

49. Emergence of cryptocurrency payloads

50. Elmedia
 Player 2015 CCleaner MeDoc UltraEdit
 “Wily 
 Supply” Ask.com

    
 Partner Network Classic Shell
 & Audacity Transmission Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk PDFescape Gentoo
 Linux Vesta-
 PC MEGA
 Chrome
 extension StatCounter phpBB Arch 
 Linux
 AUR ESLint npm 
 event-
 stream npm
 getcookies 2018 2017 2016 2013 2019 MediaGet Net-
 Sarang Docker 
 Hub Docker 
 Hub Web Developer
 +8 Chrome 
 extensions HandBrake PyPi
 10 pkgs PyPi
 12 pkgs npm 
 38 pkgs

51. 5 million downloads of 17 infected images 12,000 users infected

    400,000 users infected event-stream ~8 million downloads 1.2 million extension users exposed 700,000 web sites exposed

52. 5 million downloads of 17 infected images ~$90,000 (545 Monero

    coins) https://techcrunch.com/2018/06/15/tainted-crypto-mining-containers-pulled-from-docker-hub/

53. What about more “targeted”, strategic compromises?

54. Elmedia
 Player 2015 CCleaner MeDoc UltraEdit
 “Wily
 Supply” Classic Shell


    & Audacity Transmission Mint
 Linux Altair
 EvLog GOM Media
 Player SimDisk PDFescape Gentoo
 Linux Vesta-
 PC MEGA
 Chrome
 extension StatCounter PyPi
 (10 pkgs) phpBB Arch 
 Linux
 AUR ESLint npm 
 event-
 stream npm
 getcookies 2018 2017 2016 2013 2019 MediaGet PyPi
 (12 pkgs) Net-
 Sarang Docker 
 Hub Docker 
 Hub npm 
 (38 pkgs) Ask.com 
 Partner Network HandBrake Web Developer
 +8 Chrome 
 extensions

55. Challenges with timely detection and response

56. phpBB (2018) UltraEdit (2017) Mega Extension (2018) ESLint (2018) Gentoo

    Linux (2018) Web Developer Extension (2017) Elmedia Player (2017) Transmission (2016) Arch Linux AUR (2018) StatCounter (2018) Handbrake (2017) npm - 38 pkgs (2017) PyPi 10 pkgs (2017) VestaPC (2018) NetSarang (2017) MediaGet (2018) npm - getcookies (2018) MeDoc (2017) CCleaner (2017) Ask.com Partner Network (2016) PDFEscape (2018) PyPi - 12 pkgs (2018) Docker Hub (2017) 0 100 200 300 Approximate # of days Initial compromise to resolution < 1 day > 1 month
57. None
58. None

59. Dodging Bullets

60. https://github.com/ChALkeR/notes/blob/master/Gathering-weak-npm-credentials.md 15,495 accounts
 (July 2017)

61. https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab

62. https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab

63. How to respond practical mitigations for enterprises

64. End-user Software Development Toolchain Hardware and Firmware Enterprise Software SaaS

    and Service Data 
 Providers

65. Assessing your visibility

66. What • EDR telemetry • On-disk program files & dependencies

    • Normalized application inventory

67. What • EDR telemetry • On-disk program files & dependencies

    • Normalized application inventory Where • Endpoint coverage (device types, operating systems, organizational units) • Which teams have access to which data?

68. What • EDR telemetry • On-disk program files & dependencies

    • Normalized application inventory Where • Endpoint coverage (device types, operating systems, organizational units) • Which teams have access to which data? When • How current is the data? • How far back does the data go? • How quickly can you search it?

69. Managing endpoint software

70. Trending and minimizing application sprawl over time

71. Controlling end-user software distribution

72. https://medium.com/@rootsecdev/controlling-google-chrome-web- extensions-for-the-enterprise-7414bf8cc326 Establishing inventory and control over browser extensions https://specopssoft.com/blog/using-firefox-enterprise-gpos-enable-windows-

    integrated-authentication-specops-websites/

73. Catching post-compromise activity

74. None

75. • Second-stage malware
 • Persistence mechanisms
 • Credential theft
 •

    Lateral movement
 • Data gathering Attackers still need to expand beyond an initial compromise

76. Testing your processes

77. None

78. Future attacks and wild speculation

79. End-user Software Development Toolchain Hardware and Firmware Enterprise Software SaaS

    and Service Providers Data 
 Providers

80. https://news.crunchbase.com/news/venture-funding-ai-machine-learning-levels-off-tech-matures/

81. Where will these startups get their training data or learning

    models? How will they be protected? www.logicalfallacytarot.com

82. https://arxiv.org/pdf/1808.06809.pdf

83. https://arxiv.org/pdf/1808.06809.pdf

84. Closing thoughts putting things in perspective

85. https://www.ncsc.gov.uk/blog-post/managing-supply-chain-risk-cloud-enabled-products --Ian Levy, Technical Director, NCSC

86. • Software supply-chain attacks are just another means of initial

    compromise - the same foundational principles for detection, containment, and response still apply

87. • Software supply-chain attacks are just another means of initial

    compromise - the same foundational principles for detection, containment, and response still apply • Ensure you have a complete, timely, and accurate record of all software on all your computing devices - then drive towards stronger governance over it

88. • Software supply-chain attacks are just another means of initial

    compromise - the same foundational principles for detection, containment, and response still apply • Ensure you have a complete, timely, and accurate record of all software on all your computing devices - then drive towards stronger governance over it • Challenge your enterprise software vendors to attest to their investment and attention to supply-chain risk

89. Thank you! [email protected] 
 @ryankaz42 https://speakerdeck.com/ryankaz