BSMaaS 2020 - Supply chain Attacks: The rise of the Third Party Poopers

My name is Alachia Pira and welcome to my talk, Supply Chain Attacks, The Rise of the Third-Party Poopers. I would like to thank everyone who joined today. It's really a great pleasure for me and I hope you all will benefit from this one. I would like also to thank the organizers that invited me, Maximilian and the average members of B-Side CMUNIC. Whatever you do or whatever organization you're part of, you can't really defend your company or your customers as well, if you're not thinking holistically about supply chain attacks. So that's Panerai's. We grew a little bit since that picture was taken. You can spot me holding the Panerai's logo at the back. I am head of research and also the first employee of the

company and involved with the platform since its initial steps. And that means that I saw a lot of suppliers for the years and of course I still do. In parallel, I'll teach a few academic related security related courses. For example, ethical hacking, mobile security and the web technologies at the FECA Academic College of Engineering. And before joining Panerais, I led the mobile security research at AVG Technologies. I also participate on a Capture the Flags competitions on a regular basis and also have to organize the hacking competitions such as the COWS, the AT86, a competition where digital assembly programs fight each other on a digital arena. And on a general note, I love reverse engineering, a low level and hardware hacking.

So supply chain attacks are becoming increasingly widespread. As a cyber criminals seek to access sensitive data and systems, So it's important to note here that in such attacks, the victim is not the ultimate target of the attack, but a stepping stone to have a larger network or corporations. And in this talk, I will present an overview and also dive into various attacks, patterns, specific cases, less alert, challenges, and of course, mitigations. So, This is what usually comes to our mind when talking about a traditional supply chain. Nowadays, organizations circled by multiple third parties, VANT include broad range of companies we directly work with, such as data management companies, low firms, email providers, web hosting companies, and others. However, third party cyber risk is not limited to these companies.

Any external software or hardware that you use for a business also possesses severisks. For example, even the JavaScript that you add to a website for analytics may cause a breach or exposing information about your visitors. And also you need to keep in mind for privacy concerns that may be raised. The important thing to note here, that all of these are part of the parameters of the company. So if something bad happens to one of his vendors,

a it may affect and they cause problems to your organizations, your organization because it's a part of the perimeter. But few states what a organization can be you once a supplier, once an evaluator organization that work with suppliers, or usually both. So if we take panel as an example, we are cast with customers. So panel is access will fill party supplier. of third party vendors, but at the same time, we also have our vendors that we manage. So we are also on both sides. The best way to emphasize this concept is to show this group of sky dialers. You can watch them here connected to each other and then they switch places. So it's like interaction between companies existing in real life.

With suppliers, everyone is connected to everyone. This is how the ecosystem work. And it's like the butterfly effect Well, if something bad happens on one side, what will affect others on the other side? So no conference for us at the Vegas this year, Defcon, Black Hat and B side, some of the respondents, some went virtual. So this slide is probably the nearest you can get to Vegas now. And let's brainstorm. Take a moment to yourself and try to think. What are the critical supplies of a casino hotel at Vegas? So if we take a hotel casino, let's take a second. What are its critical supply going to be? So one can mention a slot machine manufacturer or company would give security services to the hotel. The

other can highlight clean services or agent agencies. So hope you recognize the person on the right. And also you can recall them which movie the picture was taken. So correct. That's Ocean 11 and this is Mr. Zerga. Who is Mr. Zerga trying to pretend to be? He is pretending to be a high profile gambler. So do Vegas casinos care about high profile gamblers? Yeah, I guess they are. Why? Because they spend a lot of money on gambling and you know how it works. They are so-called reasons. So the hotels at Vegas really want very high profile gamblers to be happy. So we send them wines and chocolates and other goodies such as taking them in limousines while we're in town. And

so we talked with such organization few years ago and we asked the security team a question that we ask every company we have interaction with. Tell us who are your most critical suppliers? And the answer was quite surprising.

try to guess what were the response was. So the most critical suppliers of our organization was the local flower shop. Well, there is Excel file floating around and kept and secured, holding all the possible details of the high profile gamblers. So this is Excel that worth probably millions or lots of money. So this local flower shop sent for the EU's presents to for birthday and to make them happy. And the responsible for the security team, Littor tells us, told us that he cannot sleep at night worrying about what's going to happen to this file. You probably understood that I'm a big fan of movies, so I can share that a few of my favorite movies are Princess Bride and the Blue Brothers.

So try to identify from which movie the image was taken. So it's a fish named Wanda. And there's a hidden critical surprise on the image. and you can now try and spot it. Well, I would like you to spot is a fish tank thermometer. If we're still in the context of a Vegas hotel casino, why do Vegas casinos need to worry or care about a fish tank thermometer? Any ideas? So sometime ago, a casino database was hacked for a smart fish tank thermometer. So do we need to have a risk management plan that will take into account all aquariums funding organization facilities? Well, that is indeed an interesting question. Moving to a different one, take a moment to think

why the following building is interesting. Try to figure out what is useful or which companies belongs to. I can give you a hint that it's not an American embassy somewhere around the world and you might notice the sign on the wall named Fazio. So this building belongs to company Emphasio Mechanical. Rings any bell to someone? Correct. This company is related to the famous Target Bridge. So Target was targeted by refrigeration, heating and air conditioning subcontractor. The initial info, the initial intrusion into Target systems was tracked back to a network condition that was stolen from a third party vendor Emphasio. And there could be two main vectors or genders for both bad guys. The ones are taking all the third password

to your surrounded. One is to get from the supplier to all of its customers. What's the number one is seen on the left. I call it spam prey and the other is a more dedicated and targeted attack is a sometimes maybe the target is too hard to attack and its supply chain is weaker. So that's a jack on the right, the sniper best attack. So this case is associated with the spills by scenario. PNMedia is a Vancouver based car firm that manages and hosts all our photo services for numerous big names to tell us such as a including CVS and a Walmart. So the case of PNA media, but as you can see affected multiple of its customers or partners. This one is more targeted

one where the Chinese were able to steal the F 35 plans from Lockheed Martin using a breach in one of the RSA company products. On the left, you can see the J 31, what reminds a lot of the F 35 on the right. On this timeline, we can see highlights of notable supply chain attacks. Of course, We're not going to cover all of them and then deep dive into each one of them cases, but we're going to mention few. The attacks mentioned in the timeline can be sorted and associated with a few specific categories. Here we can see name dropping of these categories. From the previous list, most of these attacks are associated with publishing infrastructure such as peer breach operation, where they see clean

and Linux mint and others. Other common are related to source code repositories and SDKs over there involves a code. The separation between these categories is important, but it's not the right view or the right take. My personal opinion it, but it does not matter if a specific attack is implemented with type of spot or if it's part of what I got a cool a, a, you target a website, but a for visitors and want to thank them. The relationship matters in this case. I'm referring here to the relationship between the companies and the suppliers, all those that are part of their supply chain. So let's try to be more specific when we're talking about relationships. So few questions. Do

these suppliers have web access to organization or Do you visit or have access to their website? For example, an HR related portal where you check the status of your candidates. Do you transfer files between the companies? Is it one way or both ways? Is it an interface that persists or continual? Is it for only short period of time? What data do they hold or access to? For example, do they hold credentials? Do you give them an email account with your domain name? Although they're not officially part of your organization. Is it the class service provider, a subspace, a AWS back into I can be exposed to the wide, is it on-prem? Do we give you a mobile application to use of both? For example, I'm recording via Zoom,

but also everything's stored on a computer also use the mobile app. So I can be targeted for multiple directions of vectors or places. What kind of supplies it is the managed service, a partner, integrator, a coding services or an API company? Is this company that already acquired or you want to acquire and then there's a doing M&A process? Where do the digital assets of a supply is located? Does it matter? For example, is it based in Europe or in countries that US government do not want you to do business with or do not allow you to do business with? Can you tell the suppliers you shouldn't use a specific piece of software or vendors? What is the power to have on your suppliers?

What are going to be your reaction on actions when something bad happens? For example, if a vendor's breach, do you disconnect and never do business with him or let him recover and continue the relationship?

Do the suppliers need to notify you about the breach and a lot of other questions. Size also is a parameter here. For example, let's say you're five people are counting film. I'm sure that if you ask Amazon, for example, for the security related materials, I mean, besides those are published on the public, a way for example, the SOC2, if you request, I'm not sure they'll be able to get much cooperation, but if Amazon participate in a tender of a US government for supplying infrastructure for 10 billion contract, whatever feeling that will be more cooperative than more willing to share info, for example, over recent penetration tests and the detailed information. Also another question that jumps into mind, do you need to care about huge companies

such as Microsoft or Google or Amazon or Oracle or Salesforce? So if a huge company such as Microsoft's group bridge, then it's probably not just your problem, but it's a problem to the whole world because everyone is using them. The small vendors are the ones that you should worry about. So what do you see is not a map with the infection of the spread of a COVID-19 virus. I would like to highlight here the rise of regulations. It is taking effect and we can see more and more regulations, but you're related to data privacy, many in Europe. And what do we see is this website in this case, a daily paper gives an overview on the status of relevant regulations on

the world. So there are two, but most well known such as the GDPR and the CCPA and regarding the file for you can see on the side, it's all constantly increasing and the defense are getting much higher. I mentioned that the relationship matters and I want to do how to do examples what are related to MNA that can share a light day on these regulations. So what is the relationship between MAD and Starwood? So as you can see, Marriott acquired Starred few years ago. Starred was breached and Marriott got a fine for being responsible as in JDPR, you're responsible if and others did not protected well the data. In the different case now, what is the relationship between Verizon and Yahoo? Well, Yahoo, Verizon Media

acquired Yahoo few years ago and Yahoo involved with a security incident. But in this case, You who had to take the costs of the breach after the MNA deal. So maybe they got a better laws, I don't know. So that's the take home message here. Always get better lawyers. We're now to deep dive into first categories, but I mentioned a bit earlier. First one is type of squat. First, what is an NPM? NPM is the world's largest software registry. It's a campus source developers use NPM to share both packages. So the attack was executed by the NPM user Hextack who authored the 40 packages with names similar to common packages. Here you can see the initial thread reporting into Twitter.

And there are a few examples of the initial info, like the similar package names or the ones that tried to imitate in the attack. So the attacker tried to use human error and common NPM naming conventions to trick users into storing the malicious packages. So it's like social engineering, technical social engineering. So that's a great example of the power of the code. People in the same phrase started to suggest mitigation to this kind of manipulation. So later the NPM team, others, we stop of attack. But we'll know and remember that this is like a never ending carton mass game between the attackers and the defenders all day. people are trying to defend. Moving into publish infrastructure, one case that is associated with

this category is a peer bridge. So what is peer? Peer is a PHP extension and application repository. So what do we see on the slide? You can see that a post from the peer on the Twitter account regarding the bridge. So the server distribution system for the PHP libraries was hacked and the original PHP package manager was replaced with a modified version. So users who have installed the pre-installation files from that server within a window of six months could have been infected. So since many web hosting services allow their users to install Runpeer, this attack also have impacted the larger number of websites and their visitors.

So first of all, what is so interesting here is this is a snippet of the banks of code. So it remains a mystery why the attacker use the back door with a bell to affect a piece of software within PHP. So what back door opens the shell and connect to that IP address. So the chances are high, but the server and this IP a might be another compromise host. Big doing SDK. Moving to next one, what happened in a expensive, expensive case. So in this case, malware injected in a free Android app for a wallpaper in this case, but would they secretly register victims for paid services? So the malicious code in the app came from compromise of the development kit, the SDK, but

under developers used. Notably expensive or use the obfuscation methods to hide the malicious code activity that could bypass antivirus protection. So at least between the 6 million devices was affected up to the maximum number of 21 million. So we're talking about to compromise the tool chain of a developer machines and introduce the back door in the resulting gaps. As such a developer keys can be assumed to be compromised. API security. I really liked the tweet that you can notice on the screen. I've seen it a lot. Companies do not pay attention to API that we're offering or to others or API use to win their permitter. So it's both cases. So it's like a hidden vector that goes unnoticed. There are many

cases published on the wild that involve APIs in security and miscognition and we have few. So what happened in the Facebook case, attackers pointed to vulnerability in the Facebook code that impacted us. So what is the viewers feature? This is a feature that lets people see their, what's your own profile looks like to another Facebook user. So unfortunately the vulnerability resulted in a generation of a access token, but had the permission of a Facebook mobile app. So not for the viewer, but for the other Facebook user. So that allowed the attacker to steal the other user, user Facebook access token and which could even abuse to take the over the accounts. And as you can see, it becomes a major

issue as all says started to publish a dedicated top 10 list that focus only on API security. So Eric cannot is, but there's a trend because somebody,

and did an action and published a relevant info for people how to get a better security. So there are plenty of websites that help you to also as a developer or engineer to map various APIs on the web, companies that offer APIs. Code called the source code compromise. So what happened here is that it's alarming that people are using a code without not knowing any clue about what is a code do. So a developer identified as a rat for a to write a control. If volunteer to go a requested from the original developer to do control and a maintained the code repository. So what the developer gave it to him. So why not as a

new maintainer that maintains the package and later the malicious user updated this model with a new dependencies. and the malicious activity. So here are people trying to figure out what's going on. Why the package, the model started to became malicious. So it's very interesting to see this discussion between the people. So what the original developer said that a is not a willing, was not willing to continue to support it. So you have no interest. So just gave it to someone to ask it to him and people sent him to answer publishing rights to Anon Dude, but keeps the repo under your username, well done mate. So he gave him to maintain and still kept it at his name. So it

was seemed like legit one. And here's another case, this is what I call Chaos. There was a developer that developed more than 250 models on NPM. And some of them were very popular and used by multiple other projects. A company reached out to him to the developer and demanded him to rename one of his models because it was similar to the instant messaging gap. So the lawyer was convinced and claimed that there was a brand issues with that model and NPM took it away from him. So he was furious and decided to unpublish all of his NPM managed models. So one of them was left bad but talk with left. I was like at $2.5 million a month

and you can notice some of the reactions of the people. So another issue of what a pot of thing that we need to notice here and highlight that someone malicious is able now to take the names of the visible models and publish new malicious one. So it's not just a denial service issue of that thing say book. do a developer and also another security issue different one. So we mentioned that the problem and show a few cases. So who's the owner of the process? Who's the owner of the security of his vendors? Right now there's no standard and we can see few various examples. We saw that for example, the CISO is responsible and other companies use the legal team for it.

I've used procurement sometimes to handle it. And now we started to see more and more cases where there's a dedicated security teams that are responsible for the security of the third parties. So we need to build a process. We need to define all the stakeholders and later we need to begin somewhere. So first you need to have an updated mapping of your supply chains and the vendors. It's not an easy task. I've seen organizations that wanted to initiate the program, but they have no clue. What is the updated mapping of vendors? Sometimes they find out that they have supply breached just because the developer that uses it got an email with a notification from the bridge company. So where do we start?

So you can take the data from your pure similar system and there's something that I found is useful. So you can go to the finance related teams and check which supplies vendors are getting paid and follow the money. And this is how you can like a move the tree and see what is funny and then follow the tracks. Out of these vendors, you need to find which are the most critical ones. So some vendors will bring papers to the office and some if you got be hit by a ransomware or on these days COVID-19 virus, they will affect you if they're out of business. So you rely heavily on the services and products. So can you tell what are your critical suppliers and know how

many critics surpassed you have and why you consider them suppliers criticals. Another question can tell the impact if some of these suppliers are a breach or security issues. And you need to also do important to remember that keep in mind what no vendors can be critical. You cannot decide that everyone is critical.

a sense in making that decision. And supply chain is not a one time or snapshot. We need to constantly monitor our suppliers because suppliers and companies change over time. They're implementing adopt new technologies and the size of organizations being changed. For example, recruit more people or maybe in this time, it's very sore, but they let people go off. Maybe one of the security teams, people, They have less manpower dedicated to security. And also I've seen a few ideas about companies or customers that have like four or five CISOs replaced in three years. So is it healthy status for organization? I don't know because the CISO come to the organization, it knows how it works and then leave and there's no continual process. So

maybe they want to, a runaway before the company was reached. So let's say there was, if only for one year they blame, okay, we're only in the job. And if we're quickly running after one year, they cannot be hacked and blamed if something bad happened. And they also need to have automation based because of this content gap. So also we need to mind about the people, people's like also digital assets of a company So if there's a company that give you a external HR services and bigger consultant to work with you, maybe there's a better chance for these people to have a security issues with, for example, inside the threat. So everybody knows about Snowden, that leaked the information about the sensitive projects

from the NSA, but maybe you can recall who that woman is. So the FBI arrested in 2019, Paige Thompson in suspension downloading nearly 30 gigabytes of the capital credit card application data form. So that woman is accused for the capital A1 breach. So employees and human

our key part of the company. And we also need to something to help us to understand what are the risks and what is the security awareness level of the people that working with the vendors, what we have some sort of relationship with. And another point to raise, what if it's a backdoor in the firmware? Do we as a small company of control able to have a say? And do we have a way to mitigate? So if for example, for small or lower fees, I don't know if we're able to decide that we are now going to replace every CPU for the laptops of organization. So we need to choose the battles. Some battles are lost. Let's say what is the fact we need to iterate. So

it's all boils down to Fred modeling. We need to a software, a more polymore is it targeted to the attackers. compared to hardware hacking. And I mentioned that I love hardware hacking, but it's not related now. So here are a few resources, I will not mention them just to show because of time limitation, but you can go and check out this website and resources, including our website and the free tools that you can use. And also a cool companies that can help you to mitigate API security or a source code related in the dependencies. Another, before the end, the important point to note that we're all trying to do the right thing, but it's not a

solo effort. It's a supply chain is a team sport and not an individual sport. We can get a much more successful outcomes if an Insta-stee will look at all in that way. So we need to share info and cooperate and talk to each other and respect each other. And we need to move like a true partnership between us and the other companies because as I can say, we are usually both the vendors and also the evaluators that have vendors. So bad things can happen to every company no matter what is a company that spends a lot of money and efforts on security or if it's a small company that do its best. So because each other, that is also generally a

thing, not just because of security. And here's a recap of what I mentioned during the talk. So for party supplies are part of the parameters. You can be on a few positions, a volatile supply of both. Whereas the rise of regulation and you need to do here. You need to worry about the small vendors, relationship matters, and I tried to elaborate a lot of it regarding the event point. SASO also plays a part in it, but at the same time, battles are lost. You need to pay attention to the human factor, and it's ongoing effort. It's you need to some scalable solution that will help you to monitor because some companies have hundreds of

a tens of thousands of suppliers and the companies have sometimes a lot of more like 200 vendors that need to map and the other one to monitor. So a practical plan is to decide who's the owner, have an updated mapping, I mentioned for the money, understand which are the critical and the impact the most suppliers, automated scan of course, security requirements are need to include in every RFP and a contract that you do with the supplies you have. So number three, two questions if you have, and before the end, I would like to thank you. And of course, again, the organizers, the co-organizers of business Munich and in particular Maximilian, but let me be here today. and

share my presentation with you. So cheers for now.