Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at supply chain compromise, so let's go ahead and jump right in.
00:11
So what objectives are we trying to meet through this discussion today? Well, we want you to walk away with an understanding of what a supply chain compromise is and how that looks. And we've got some examples that we'll go through. So we'll touch on both of those and help you to understand what that looks like.
00:29
We're gonna look at some mitigation techniques, and then we're going to look at what are some detection techniques as well within this particular area.
00:37
So let's go ahead and jump right in.
00:40
So supply chain compromise is the manipulation of a product or product's delivery mechanism prior to consumer receipt. So something has been tampered with or changed without the knowledge of the vendor, and it is delivered as trusted
00:58
to the consumer. This can include hardware manipulation. So we've heard of chips and things of that nature being manipulated or having malware put on them or having malicious
01:11
preinstalled malware put on things like cameras and smart TVs. We've seen things of that nature where the camera turns on and does things like records information
01:21
and then some malicious apps using the identity of a trusted company. So if a certificate or something of that nature that they used to sign an application is compromised, the threat actor can make changes and then sign it as that trusted entity. So some examples of this that we had seen in the last few years were
01:41
CCleaner, which was compromised by hackers for over a month.
01:45
The tool was impacted by malware that gave the attackers a backdoor, essentially, to user systems. Over 2.27 million downloads occurred in this period. That's pretty big. And then another example: mobile games such as Infestation and Point Blank
02:00
were identified by Kaspersky and ESET as having backdoored versions of the games being distributed.
02:07
So any time you're, you know, on the Android market or the Apple market or the Play Store or whatever the case may be, it's important to take the time to, you know, look at the app, understand whether or not it may be a candidate for, you know, malicious use.
02:25
And most of the times I don't trust
02:29
anything that comes off the Play Store as far as free apps and things of that nature. I know there was recently, ah, FaceApp that I downloaded to look at because it was popular and found out the very next day that it was being used
02:44
by a foreign entity to collect personal information and things of that nature. So I was very disappointed in myself.
02:50
Now, before we go any further, this particular CCleaner compromise was from a few years ago, but Avast recently released the following article back in October, which I think is relevant to share. So it looks like there was a breach and hackers
03:08
were targeting CCleaner again. Now
03:12
there was a lot of transparency on Avast's part in kind of pulling everything together and sharing with us what exactly happened. And so the attack seems to have been sophisticated, which typically with supply chain attacks and things of that nature it would be.
03:30
And the attacker was attempting to leave no traces
03:34
of their intrusion, which would be important when trying to compromise the supply chain or something of that nature,
03:40
and so they were alerted
03:43
through an advanced threat analytics platform provided by Microsoft on the 25th of September. And they made some observations and found that there were seven additional attempts that were made starting in May of 2019.
03:58
So this is important because if they didn't have some of these controls in place where they were able to monitor this activity or get these alerts,
04:06
would this attacker have been successful in getting into the system? And it's likely that that would be the case.
04:12
And so they left a temporary VPN profile open so that they could monitor
04:16
the activity. Um,
04:19
and they found that the user of the profile did not have domain admin privilege. However, they were able to go through and do some privilege escalation. So we're seeing several things happening here, right?
04:30
There was a temporary VPN account that was left open. The attacker was able to get in. They had an account that was not privileged but were able to successfully obtain domain administrative privilege.
04:44
Okay, so they didn't get into further detail there. But we see the initial access happening right through a service that is publicly facing or a remote access service that's publicly available
04:57
and then we see lateral movement through that account, so did not note any further implications of the breach other than that it started, Um,
05:08
on the 25th.
05:10
Now,
05:12
the other indicator here that we had or that was discussed was that, um
05:17
they did not have
05:20
two-factor authentication set up on the account, which could have bolstered, you know, the ability of the attacker to maybe not get in or to kind of mitigate their abilities there.
05:30
Um,
05:32
but they ultimately validated that CCleaner didn't have any compromise or any issues at this point.
05:40
So
05:41
they continue to monitor that threat actor's activity, and they're continuing to work through that.
05:46
But this is just one example
05:48
of an attempt to compromise the supply chain, and in this case, it was already previously compromised. And so this is definitely, ah, a target that, you know, the user may want or that they may want there.
06:00
So
06:02
when we think about that, remember, supply chain compromise isn't just about
06:09
compromising the software outright.
06:11
There are factors and things that have to happen in that initial access phase. And then we saw privilege escalation. Those are things we'll talk about later as well. But just because supply chain is in the initial access area doesn't mean that that is the end for the threat actor. They still have to move through several areas
06:30
of the attack framework to follow through on that.
06:32
All right, everybody. Well, we're going to go ahead and take a quick intermission. The next part of our discussion will be coming up. Please stay tuned.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor