
Hi everybody. My name is Itai, and I have the pleasure today to talk about a very, very interesting case, one of the most interesting cyber attacks, I think, that were ever conducted, and this was the case of the CCleaner hack. CCleaner was a supply chain attack, and we're going to explain exactly what happened there. I'm sure a lot of you are already familiar with it, but I'm also going to present our own research about this attack and about the malware that was involved in this threat.

Just a few words about myself before talking about the interesting stuff. My name is Itai, I'm the CEO and co-founder of a company called Intezer, which is focused on malware analysis and threat detection. Before founding this company about two years ago I was leading the incident response team, the CERT, of the Israeli military, so most of my daily job was to deal with nation-sponsored threats. I'm really glad to speak about this attack, the CCleaner hack, because I've seen many, many attacks from very sophisticated threat actors, but this is hands down one of the most compelling stories I have seen. So this is me, and this is what I'm going to talk about.

My talk is divided into three parts today. First, I'm going to speak about what a supply chain attack is, just to make sure we are all on the same page. Secondly, I'm going to dive into the specific case of CCleaner, which was back in September last year. And lastly, I'm going to present our own company's research about very interesting code connections, or links, between the CCleaner hack and APT17.

So first of all, what is a supply chain attack? Instead of the traditional way of attacking an enterprise, which is directly infecting a company through phishing emails, open ports, you name it, in a supply chain attack you use a third-party supplier. This supplier, like a software vendor or another company that the target company is working with, is what you infect, so that in the end the target company is infected as well. I'm sure a lot of you know about that, but I think there are two interesting points about supply chain attacks in general.

One is that they are extremely hard to detect, because you already have open processes and a trust relationship between the supplier and the target company. Most companies, and I'm saying it in the nicest way, most companies don't really check the stuff that comes through their suppliers. So tearing down even the most sophisticated defenses can be conducted quite easily using supply chain attacks.

The second point that is very interesting about a supply chain attack is that the potential damage is actually exponential, because for one supplier you have many, many companies that are working with them. There are suppliers with hundreds, thousands or even millions of customers, so if you infect the supplier, you can basically infect all of its thousands or millions of customers. I personally believe that the combination of these two points, that it's very hard to detect and that the potential damage is huge, is what makes supply chain attacks a really, really big threat to us in the information security community right now.

I'm sure that everything I just said is not news for you, but I think we should always remember that this is a threat that does not yet have a solution that solves the whole problem, and we should work on it right now. One thing I want to mention is that it's not easy to conduct these sorts of attacks, but if you have the resources to do it, you get much more for your money as an attacker.

Anyway, let's dive into our specific case, which is the CCleaner hack. What is CCleaner, to begin with? CCleaner is a very well-known free software that many of us use on our computers to, let's say, clean up the junk: adware, unused registry keys and so on. Because it's so effective, there are millions of users of CCleaner worldwide. This software was developed by a company called Piriform, which was acquired by the security vendor Avast. Back in September last year there was very exciting news: I think two different companies, Cisco and also Morphisec, discovered that the latest update of this legitimate software was actually patched and backdoored with malicious code. Just to say it again, to be clear: we're talking about legitimate software, published in legitimate places like the official website and so on, that was patched with malicious code. So everyone who installed this completely legit software was infected by this backdoor, by this malicious code.

The effect is that indeed everyone who downloaded this update was infected, but the malicious code that was initially implanted in the legitimate software contained only a small part of the logic, only a small part of the code. What did it do? This code was only reading several pieces of information from the target computer, such as the host name, the domain name, and that's it, just getting the clearest indication of who the victim is that I'm currently installed in. Then this malicious code sent this basic information to the command and control server for further steps.

This is where the interesting part comes along, and this is really one of the reasons this attack is so interesting. The attacker was apparently very, very picky in his targets. Although millions of users were infected, because we're talking about software with millions of users worldwide, the actual targets were very, very narrow. After receiving the information about who the victims were, the attacker decided who to deliver the second-stage payload to. So not all the millions of customers received this very special second-stage payload, but only a few. We are talking about 40, about 40 organizations, commercial companies, very big commercial companies, who were the actual target of this attack, and by the way they include Microsoft, VMware, Cisco and some more.

Now, the very gifted and talented Cisco Talos team received an image of the C&C server, and they could actually query the database that the attacker saved. So we actually learned a lot about this threat through the eyes of the attacker by using the image from the C&C server: see how many infected computers there are, see how many governments and banks were infected, really a very big potential damage. But on the right-hand side you can see the actual companies who were the real targets of this attack, so really only a few.

All of this description of the attack itself is publicly known information, and although I think it is extremely fascinating, as I mentioned before, I think that even more fascinating is what we discovered when we actually took a look into the malware and the malicious code that was injected into CCleaner.

Just a quick background: my company Intezer is focused on analyzing code and understanding code similarities and code reuse connections to other known malware or software, and this research was no different. We spent time researching this specific aspect of the attack. We took CCleaner and all of its modules, all of the code we could put our hands on, and we tried to figure out with our technology the connections between the CCleaner attack and other well-known software or malware we have seen before.

Just a background about how we do this, because I want to share the technical aspects as well. What we created is a very cool database that contains billions of tiny pieces of binary code. We took a lot of software and a lot of malware, dissected it into many, many small pieces of binary code, and then fed our huge database, which we like to call the code genome database. So for each and every piece of code in that database you know exactly which software it came from and how many times we have seen it before, very rich information about tiny, tiny fragments of code. I'm not talking about a whitelist or blacklist database where you have information about file hashes; I'm sure you know what that is. I'm talking about a reputation database, or an intelligence database, about tiny pieces of software, tiny pieces of binary code. When an unknown file is given to us for analysis, we are able to dissect it as well into these pieces of code and compare them to our big database of code. In the end, and this is what we've done also with CCleaner, we can identify the origins of every piece of code in any given file.

Now, a lot of people ask me: OK, code reuse is a very big phenomenon, it's obvious that people do not love to rewrite their whole code from scratch, but code reuse in a lot of cases consists of using libraries, stuff that the compiler adds, and a lot of stuff that is mostly common. So if we find code reuse between a certain malware and another threat actor, doesn't it mean that maybe they just used the same library? This is where the method of how you detect code similarities comes into place. Think about it: if you have a database, and you have a piece of code that you've seen in many other places, such as many applications, or in both malware and legitimate software, you are able to distinguish between common code that was seen everywhere, such as libraries, and code that is specifically unique to the certain connection you have found. Everything I'm going to present about our research is based on this point: the code connections we find are completely unique to a certain family.

So as soon as we received the payload from the CCleaner attack, let's go back to our case, we immediately threw it into our code reuse and similarity system, and then we saw something really special. Let me explain what you're seeing in front of you. You have the code similarity result of the stage one payload, which was actually injected in memory; they had a DLL that was injected in memory, and we threw it into our system. Immediately we saw something very interesting: fifteen percent of the code of that threat was already seen in APT17.

Immediately when we took a look at that picture we tried to remember what we already know about APT17. They are a very well-known threat actor group with links to the Chinese government, or specifically the Chinese Liberation Army, and they are very, very sophisticated: Google, Adobe and Juniper back in 2009. They specialize in conducting supply chain attacks. Many years before our community discussed supply chain attacks openly, they had actually penetrated code inside the Gits, the SVNs, the TFSs of huge companies, with the goal of backdooring legitimate applications that so many of us use every day. We are all from the defense side, probably, but I know how to appreciate good work: these guys are doing very, very sophisticated attacks that are very hard both to analyze and to detect.

Anyway, after seeing just the initial picture of the connection to APT17, we dived in even further, and we saw that there are actually four different variants. I don't know if you can see, but there are four rows of file hashes, and each file hash is a different variant of APT17 that shares the same amount of code with the CCleaner hack. So yet again, four different variants of APT17 share more than 15% of the code. Then we dived in even further and wanted to see the exact code segments that were similar. But what I just forgot to mention: as I said before, these pieces of code, the 15% of the code that was similar, are completely unique and were seen only in CCleaner and in APT17, and not in any other software or malware in the world, and we know that because of the huge database I mentioned before. So this is a very significant connection.

But let's see exactly what the similar code is here. For those of you who don't know assembly, or don't want to know assembly, or can't see: this is a very interesting implementation, a very unique implementation, of base64. Base64 is an encoding algorithm that is used many times in malware and also in legitimate applications, and here we see that the whole implementation of base64 is completely unique and was seen only in these two threats, CCleaner and different variants of APT17. So this might be a very weird and unlikely coincidence. It can be, although, as I mentioned before, it is very, very unlikely since it was seen only twice.

But then we also had a look at the second-stage payload, and here we see that the same coincidence comes again: we see another code connection that was seen only in CCleaner and APT17, in stage 2 of the attack. Just to remind you, we're talking about stage 2, which only specific organizations, only the target companies, received. And this similar code, what does it do? It's basically resolving an API function, a Windows API function, to continue the operation of that threat. For example, take a look at the first piece of code. This is how programmers would normally resolve an API function: they would call LoadLibrary and then GetProcAddress to resolve the address of this API function. What we have seen that was unique in these two cases is that they actually split the strings of kernel32 and the actual Windows API function into different characters. Now, why did the attacker do that? Probably because they just wanted to obfuscate the string, to avoid AV detection, signature detection. I'm sure you've seen many cases similar to this before, but yet again this is the only... Here it's C++ code, but in the end this is just to explain a bit more easily what the attacker wanted to do and why it is so unique, but almost byte by byte this is the same implementation and the same code.

So the combination of these two pieces of evidence makes it not so much of a coincidence after all, and if we also add the fact that this is a supply chain attack, which is exactly what APT17 specializes in, we have a clearer view of an attribution, or a classification, of that malicious code and malware. Now, nothing is sure with attribution and classifying to threat actors. Unfortunately I needed to do this in my daily job, to make attribution to other threats, and it's very, very hard. But when you look at the Achilles' heel of attackers, which is that they have to reuse code in order not to waste a lot of resources, you get a very clear understanding of who is behind the threat. So, although nothing is sure, we have, as an infosec community, a better understanding of who we were dealing with in this attack specifically, and I think it's very important for us to better understand the threat landscape and also respond better to future incidents, because we know what we are actually dealing with.

So, just to sum up what we learned and what I wanted to share. First of all, and this is a very important point for me to mention: today we see sophisticated supply chain attacks such as this one being conducted only by nation-sponsored attackers, or by those who have nation resources. But what if tomorrow conducting supply chain attacks became a commodity, like many other things we've seen in the past, like the case of the Shadow Brokers and so on, where very sophisticated abilities just became a commodity for any kind of script kiddie? We need to prepare as a community to deal with these types of threats, because I'm sure that two years from now, maybe even less or a bit more, somebody else will be talking about how much supply chain attacks have become a commodity. We don't have a clear solution for that, to be honest, but this is something we should know and be aware of. We have our own solution in our company, not specifically focused on supply chains, but there are many great ideas in the community that we should share and make happen.

Secondly, I wanted to show you that threat actors are actually prone to the same problem, or let's say the same phenomenon, that any kind of developer is facing, which is code reuse. I have had the experience, the pleasure, of dealing with very sophisticated threats, and there you see that nations and sophisticated attackers cannot really afford to rewrite their whole code from scratch. They just can't; it's extremely not cost-effective. Maybe a script kiddie can, but if you are developing serious malware you probably spent a lot of years developing it and you just can't write it from scratch. So here we see a case where, several years later, the same attacker still uses the same codebase. Software is evolutionary, and so is malware, and we see it all the time.

And lastly, I wanted to show you how detecting code reuse can not only help us understand whether a file is good or bad, but also help us better understand what we're dealing with and how we can respond to future incidents. Another thing I want to mention is that everything I showed you regarding the code similarity technology and so on is actually completely free to the community, so you can just try it out, and we would be happy to see more people, more faces, in the community that we worked very hard to create.

And the last thing: I really hope the information I shared today was helpful for you, because for us as a company, seeing this attack conducted, let's say, in real life was really an eye-opener to think about how to respond to future incidents. Thank you so much.
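Editor's note, added after the talk: the fragment-based reasoning the speaker describes (dissect binaries into small pieces, record which families each piece was seen in, and discount pieces that also appear in libraries or across many families) can be sketched in a few lines. The example below is written for this page; it is not Intezer's engine or the speaker's code, and it simplifies heavily. "Code" is stand-in bytes generated deterministically from SHA-256, fragments are fixed 8-byte blocks rather than functions, and the family labels (`library`, `APT17`, `OtherFamily`), the four "variants" and the unknown sample are all constructed data.

```python
"""Toy 'code genome' index: blobs are cut into fixed-size fragments, each
fragment records which labelled families contained it, and an unknown blob is
scored both naively (any shared fragment) and strictly (fragments carried by
exactly one family that is not a benign/library corpus)."""
from collections import defaultdict
import hashlib

FRAGMENT = 8  # bytes per fragment; a real engine cuts at function boundaries instead


def fragments(blob: bytes, size: int = FRAGMENT) -> list:
    """Cut a blob into non-overlapping fixed-size fragments (trailing remainder dropped)."""
    return [blob[i:i + size] for i in range(0, len(blob) - size + 1, size)]


class CodeGenome:
    """Maps each fragment to the set of family labels it was seen in."""

    def __init__(self):
        self.index = defaultdict(set)

    def add(self, family: str, blob: bytes) -> None:
        for frag in fragments(blob):
            self.index[frag].add(family)

    def analyze(self, blob: bytes, benign=("library",)) -> dict:
        """Score an unknown blob. A fragment is a unique link to a family only if
        that family is the sole label it carries and the label is not benign;
        fragments seen in several families or in library code count as common."""
        frags = fragments(blob)
        raw = defaultdict(int)     # naive overlap: any fragment the family also has
        unique = defaultdict(int)  # fragments seen in exactly this one family
        common = unknown = 0
        for frag in frags:
            owners = self.index.get(frag)
            if not owners:
                unknown += 1
                continue
            for fam in owners:
                raw[fam] += 1
            if len(owners) == 1 and not owners & set(benign):
                unique[next(iter(owners))] += 1
            else:
                common += 1
        n = len(frags)
        return {
            "fragments": n,
            "unknown": unknown,
            "common": common,
            "raw_overlap": {f: c / n for f, c in raw.items()},
            "unique_overlap": {f: c / n for f, c in unique.items()},
        }


def synthetic_code(label: str, nbytes: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for compiled code (constructed data)."""
    out, block = b"", label.encode()
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:nbytes]


# Constructed corpus: a runtime chunk shared by everyone, a family-private
# base64-like routine reused by four APT17 variants, and an unrelated family.
LIB = synthetic_code("common runtime", 64)
APT17_B64 = synthetic_code("apt17 base64", 64)


def build_genome() -> CodeGenome:
    g = CodeGenome()
    g.add("library", LIB)
    for v in range(4):
        g.add("APT17", APT17_B64 + LIB + synthetic_code(f"apt17 variant {v}", 64))
    g.add("OtherFamily", LIB + synthetic_code("other family", 64))
    return g


def analyze_sample() -> dict:
    # Unknown sample: the private routine, the shared runtime, and its own code.
    sample = APT17_B64 + LIB + synthetic_code("sample own code", 128)
    return build_genome().analyze(sample)


if __name__ == "__main__":
    r = analyze_sample()
    print(f"{r['fragments']} fragments: {r['unknown']} unknown, {r['common']} common")
    for fam, share in sorted(r["unique_overlap"].items()):
        print(f"unique link to {fam}: {share:.0%} (raw overlap {r['raw_overlap'][fam]:.0%})")
```

Run as a script, the naive overlap with APT17 comes out at 50% because the shared runtime chunk is counted, while the unique-link score is 25%: only the fragments that no other label carries. `OtherFamily` shares 25% of the sample by raw count and 0% once library code is discounted. That gap is the "same library" objection the speaker addresses, made concrete; a real engine replaces the fixed-size slicing with function-level disassembly so that alignment and compiler padding do not affect matching.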