
Hello everyone, thanks for coming to my session today. The title of my talk is "Software Supply Chain Under Cyber Attacks". I'm Negar, I'm a security consultant with PS&C Security and a malware researcher in my free time. I'm presenting this research on behalf of my sister as well, Noushin; she's a security researcher from the Kaspersky GReAT team.

So this presentation is about the attacks that target software developer systems: compilers, linkers and IDEs. In these attacks the attackers use compromised development systems and development tools to inject malicious code into the application programs. The end victims are of course the program users. From an attacker's perspective it can be much more effective, and it often helps to remain undetected longer, if they plant a poisonous seed in a safe place and then watch it grow into a big tree, rather than poisoning victims one at a time. So in this talk you will see how the attackers take advantage of our trust in what looks familiar to us to stay below the radar.

This is my agenda for today. We're going to first understand how one trusts a piece of software, then look at some of the concerns raised in the past, and then some actual examples of this kind of infected software development tools.

Trusting a piece of software. Do you trust every application to be safe from malicious behaviour? Of course not. But what is the approach towards trusting an application you use? You might say, by obtaining it from trusted sources. But what if the trusted sources are not offering everything, or not everything they're offering is trusted? Should we blindly trust the trusted sources? You might say we can examine the source code of the application, but what if this source code is not what it was compiled from? It's easy: we can compile the application from the source code that we obtained. But what about the compiler itself? What if your compiler adds some code into your application? So you might think that we can compile the compiler as well from source code, but what about the compiler we used to compile our compiler? So let's stop here. This is not new content; let's go back in time and look at some history.

ACM Turing Award, 1983. For those of you who might not be familiar with the Turing Award, it's recognized as the Nobel Prize of computing. It's an annual prize given to an individual or individuals for their contribution of lasting and major technical importance to the computer field, and it's given by the Association for Computing Machinery. In 1983 these two guys that we all know, Dennis Ritchie and Ken Thompson, received the ACM Turing Award for the development of generic operating systems theory and specifically for the implementation of the UNIX operating system. But what is of particular interest to us here is Ken Thompson's award lecture, titled "Reflections on Trusting Trust". To what extent should one trust that a piece of software is free of Trojan horses? Perhaps it's more important to trust who writes the application. Ken Thompson noted that trust is relative, and one should only trust a piece of software when they inspect the whole process of developing the software from the beginning to the end. The problem is that people only inspect the source code and not the compiled machine code after the source code went through compiling. He describes how he injected a malware into a compiler: not only does this compiler know when it is compiling a specific program, to inject a piece of malware into it, it will also know when it's compiling itself, to inject the backdoor generator into the compiler. So this way the malicious behaviour of the compiler would be persistent even after recompiling the compiler.

Let's go even further back: the US Air Force, 1974. Back then they were using the Multics operating system inside the US Air Force, and to ensure that things were really safe they would bring in the source code of the Multics operating system and compile it themselves. In June 1974 the US Air Force conducted a comprehensive security evaluation on Multics. Most of the ring zero modules of Multics were written in the PL/I programming language. The analysis report indicates an attack using a PL/I compiler, called the compiler trapdoor. The concern was that the malicious compiler can insert an object code trapdoor in ring zero modules. Enough about the security concerns from the past; let's look at some actual infected compilers, as we have had some examples of this kind of attack.

Induc, which was discovered by Alex Ponder Alexeev in 2009, is believed to be the first of its kind. Unlike other file infectors, the first version of the Induc virus was not interested in infecting executable files on the victim's machine; rather it was targeting the Delphi IDE on the victim's machine, and if it could find any Delphi IDE it would insert its own code into the IDE modules, which would eventually infect all of the programs compiled using this environment. However, the latest version of this malware, found in 2011, was also interested in infecting executable files on the victim's machine.

Let's look at the differences between the different variants of this virus. Induc version A and version B don't have any malicious payload. Version A was looking for a Delphi IDE, and version B was looking for Borland Developer Studio and CodeGear Delphi as well. Version C was a bit more advanced: there were some anti-debugging techniques and some XOR encryption, just to make a bit of obfuscation. Versions A and B were targeting the SysConst.pas file; in version C they changed the target and would look for the SysInit.pas file. And the last version was also malicious: it was downloading another malware, and it was also infecting the executable files. To illustrate, despite its harmless payload, versions A and B infected different versions of some common software such as a media player and the QIP instant messaging client. The problem with these kinds of programs was that some of them were doing integrity checks on themselves, and after getting disinfected the program couldn't perform properly because the integrity check would fail. And the last version was even malicious: it could download some other modules of the attack, like a password stealer module.

But what happened on the developer's system? Once it's on the victim's machine, it checks to see if Delphi is installed, and then it copies the .pas file, in this case SysConst.pas; it makes a copy of it and stores it as SysConst.bak. Then it would infect the actual legitimate SysConst.pas file and compile it, making a SysConst.dcu, and then delete the malicious file. Then it would force the linker to link this malicious file to any program compiled with this compiler.

Next example is XcodeGhost. Xcode is the IDE for macOS released by Apple; it's the most mainstream development tool for developing OS X and iOS applications. In September 2015 a malicious version of this compiler caught a lot of attention and became very hot news. Attackers had tampered with Xcode and added malicious modules to it. They also used various propagation techniques to eventually make it spread widely. Palo Alto Networks published a comprehensive report on XcodeGhost. They believed that, because the network is slower in China, developers in the country looked for a local copy of this IDE instead of the Apple Xcode, and they encountered the malicious version of it, which opened the door for the malware to be inserted into high-profile apps used on iOS devices. As you see in this slide there are many, many tools developed by XcodeGhost, and you can see there were different versions of XcodeGhost available on Baidu at that time. According to the XcodeGhost source code, different system information was stolen by XcodeGhost from victims. But what did the malicious compiler do? XcodeGhost added some extra code in one of the modules of the linker. It also added malicious CoreServices objects to the default classes of the Xcode directory. This malicious CoreServices is a Mach-O object which compromises the UIWindow and UIDevice classes in the compiled iOS applications, and through the extra code in that module, the linker is just forced to load the malicious CoreServices and add it to every compiled iOS application.

Next one: ShadowPad. ShadowPad is a supply chain attack which was first discovered by Kaspersky in 2017. The actor behind ShadowPad, still very active, is identified by Microsoft as Barium. Operation ShadowHammer and the other attacks which Kaspersky announced earlier this year are also related to this actor. In July 2017 suspicious DNS requests were found in one of Kaspersky's partner networks. The partner was a financial institution, and the suspicious requests were originating from systems involved in the processing of financial transactions. Further investigations showed that the source of the suspicious DNS queries was a software package produced by NetSarang Computer Inc. NetSarang Computer Inc. develops secure connectivity solutions and server management tools for large corporate networks. Further analysis showed that recent versions of software produced and distributed by NetSarang had been modified to include an encrypted payload that could be remotely activated by attackers. The backdoor was embedded into nssock2.dll, which is a NetSarang software library used in their various software packages.

But what happened on the developer's system? The attackers used a malicious program which resembles mscoree.dll. This malicious file only masqueraded the file name and export function names, although the code had nothing to do with the legitimate library. mscoree.dll is a legitimate library from Microsoft and part of the .NET Framework; it helps with hosting the Common Language Runtime. The functions you see in the slide are the functions they actually used in their attacks, and they're mostly deprecated functions, possibly to avoid interfering with the normal use of mscoree.dll by system applications. But the more interesting part is the use of a trojanised link.exe to manipulate the linking process of the compiled applications on the victim's machine. link.exe is the linker module of Microsoft Visual Studio, and in this particular attack the actor had replaced the legitimate link.exe with their own trojanised one. The trojanised link.exe decrypts and loads a malicious payload at runtime, and then this module eventually injects the main payload into the applications being compiled on the victim's machine. The main payload is implanted on the developer system in the form of a separate source file. With the help of the trojanised linker, this malicious module gets linked to the main source code and results in a Trojan horse program, the trojanised nssock2.dll that we saw earlier.

Next one: the CCleaner incident. Later in 2017 it was disclosed that CCleaner, which was developed by Piriform, a company acquired by Avast in 2017, was being attacked by cyber criminals. CCleaner is a computer utility used to clean potentially unwanted files and invalid Windows registry entries from a computer. The attackers had injected malicious code into the CCleaner installer program and it was distributed to many customers. Following the announcement by Avast researchers, it was noted that ShadowPad plugins were found on some of the systems of CCleaner developers. As shown in the screenshot from Avast's blog, the threat actor had again used a mscoree.dll.

So let's look at some fresh ShadowPad attacks. Earlier this year Kaspersky announced a number of supply chain attacks and named it Operation ShadowHammer. Kaspersky believes that the ShadowPad actor is also behind the ShadowHammer operation. The attackers injected a backdoor into the ASUS Live Update utility. ASUS was also one of the primary targets of the CCleaner attacks, according to the target list published by Avast. It's possible that the attackers initially got a foothold into the ASUS network through the CCleaner attack. Kaspersky also recently discovered a number of supply chain attacks, mostly on the gaming industry, all pointing to the same actor. Let's see what approach this threat actor took this time. For one of these mentioned attacks a compromised link.exe was used on the developer's machine. This time the link.exe was very similar to the legitimate one; the two files even had the digital signature with the same timestamp, as you can see in this slide. The only difference is that the compromised file has an embedded digital signature. The two link.exe files were almost identical: the same version info and the same size; the PE sections almost matched byte for byte, and nothing was touched except for a few bytes in the section responsible for the import address table. The compromised link.exe had one extra imported API from an unknown DLL, and this API was not even used in the code. The malicious DLL had only one export function, the one that was added to the import functions of link.exe. As you can see in this screenshot, this export function was empty and had no functionality; no wonder there was no reference in link.exe to call this function. However, the main malicious logic was inside the DllMain. You can see it's inside the DllMain routine in the DLL.

But how is this malicious code inside the DllMain executed? This is how the Windows loader works: upon loading the link.exe file, the loader goes through the import tables and import address table and loads all the required DLLs one by one to eventually resolve the addresses of the corresponding APIs, so the program can use them later, and this is where the DllMain function of this malicious library gets executed. The malicious DLL is only interested in one particular application on the developer's machine. The DLL looks for the time when the target application is being compiled. As the target application goes through the linker and is being linked with msvcrt.lib (I'm not sure if it's big enough to be seen in the screenshot or not), and this library is a legitimate library, the malicious DLL then changes the path to this legitimate library and makes the linker link the target program to the malicious library instead of linking to msvcrt.lib. The malicious one is called msvcrmcd. This diagram shows how these malicious modules work altogether to trojanise the target application: the clean source code of the application is linked with a malicious library instead of a legitimate library, with the help of the malicious DLL which gets loaded by the Windows loader inside the memory space of the compromised link.exe process.

I think I'm ahead of my time. So in conclusion: supply chains have been of particular interest to sophisticated threat actors in recent years, and it's possible to see more and more of these kinds of attacks in the future. The majority of security solutions can easily be fooled when the malicious code is in what looks like legitimate code, especially if it's signed with a digital signature, with a valid digital signature. So it's really important as a software developer to make sure that your environment is safe and clean, and you need to inspect every single tool and every single platform you use. Thanks for your time. Any questions?
Audience: Thank you for the presentation and for giving the historical background. One final question: are you going to be looking at some other compilers in the future?

Speaker: We're currently looking at some other possible kinds of this.

Audience: Thanks.

Speaker: At the moment there's nothing more to add to this research, but it's ongoing research.
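The ShadowHammer linker case described in the talk hinges on one observation: the only change between the legitimate and the compromised link.exe was an extra import from an unknown DLL, and Windows runs that DLL's DllMain as soon as the loader resolves the import. A defender can turn that into a routine check on a build host: keep a known-good record of which DLLs each toolchain binary imports and alert when a new one appears. The following Python script is an added example written for this page, not code from the talk, from Kaspersky or from any vendor; it parses the import directory of a PE file using only the standard library and reports the DLLs a candidate binary imports that the baseline copy did not. `build_test_pe` constructs a tiny synthetic PE32 image so the example runs offline; the DLL names in it are constructed sample data, not taken from any real case.

```python
import struct

IMPORT_DIR_INDEX = 1  # position of the import table in the PE data directories


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def pe_imported_dlls(data: bytes) -> list:
    """Return the DLL names listed in a PE file's import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                            # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)             # PE32 vs PE32+ layout
    imp_rva = struct.unpack_from("<I", data, dirs + IMPORT_DIR_INDEX * 8)[0]
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(n_sections)]
    if imp_rva == 0:
        return []
    dlls = []
    off = _rva_to_offset(imp_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:           # all-zero descriptor ends the table
            break
        dlls.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        off += 20                                            # IMAGE_IMPORT_DESCRIPTOR size
    return dlls


def unexpected_imports(baseline: bytes, candidate: bytes) -> list:
    """DLLs the candidate binary imports that the known-good baseline does not."""
    known = {d.lower() for d in pe_imported_dlls(baseline)}
    return sorted(d for d in pe_imported_dlls(candidate) if d.lower() not in known)


def build_test_pe(dll_names) -> bytes:
    """Build a minimal PE32 image whose single section holds only an import
    directory naming the given DLLs. Constructed test input: it is not a
    runnable executable and is not derived from any real binary."""
    sec_rva, sec_raw = 0x1000, 0x400
    n_desc = len(dll_names) + 1                              # descriptors + terminator
    names = b"".join(n.encode("ascii") + b"\0" for n in dll_names)
    thunk_rva = sec_rva + n_desc * 20 + len(names)           # empty thunk array at the end
    descs, name_rva = b"", sec_rva + n_desc * 20
    for n in dll_names:
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva)
        name_rva += len(n) + 1
    section = descs + b"\0" * 20 + names + b"\0" * 8
    opt = bytearray(96 + 16 * 8)                             # PE32 header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, sec_raw)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMPORT_DIR_INDEX * 8, sec_rva, n_desc * 20)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva,
                       0x200, sec_raw, 0, 0, 0, 0, 0xC0000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(sec_raw, b"\0") + section.ljust(0x200, b"\0")


if __name__ == "__main__":
    good = build_test_pe(["KERNEL32.dll", "ADVAPI32.dll"])   # constructed baseline
    bad = build_test_pe(["KERNEL32.dll", "ADVAPI32.dll", "unknown-helper.dll"])
    print("baseline imports:", pe_imported_dlls(good))
    print("unexpected in candidate:", unexpected_imports(good, bad))
```

In practice the baseline would be the import list recorded from a freshly installed toolchain, and the candidate the copy currently on the build machine; the check is deliberately limited to DLL names because that is the field the talk identifies as the only modified part of the compromised linker. A new import name is a signal to investigate, not proof of compromise, since a legitimate update can also add one.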