Weakest link: The supply chain backdoor AD attacks
Cyberthreats stemming from the subcontracting chain represent a new major risk to businesses and government agencies.
Looking at the attack models used in 2018 and 2019, cyberattacks exploiting the subcontracting chain doubled in 2019 over the previous year. This is a major development in the operational models of hacker groups: instead of going directly at the target, threat agents operate by first infecting a direct or indirect supplier of the intended victim.
What categories of attacks threaten
the subcontracting chain?
We can divide attacks that exploit the subcontracting chain into three major categories:
- A traditional programmed attack using the subcontractor as the vector to carry out its first stage: The attack against the company Target is one such example that manipulated the Information System of a subcontractor, Fazio Mechanical Services, infected earlier by a phishing scam that installed a Trojan. Because that subcontractor performed surveillance and correction actions on Target’s systems, the infection spread rapidly.
- Targeted attack via injection of malicious code: The ShadowHammer attack that went after clients of the company ASUS is a good example. The attackers first were able to inject malicious code into the ASUS Live Update utility. When this utility was updated from the machines.
of ASUS customers, a backdoor was installed on tens of thousands of PCs. For this type of attack, the code is targeted and the action is meticulous.
From the attacker’s viewpoint, there are two big advantages to exploiting the subcontracting chain:
- The attacker will be able to use the subcontractor’s reputation and image to gain as much indirect access as possible. The better the subcontractor’s reputation, the more highly prized it is as a point of attack.
- The attacker will be able to exploit the subcontractor’s technical distribution mechanisms to spread its intrusion tools (malware, malicious code, etc.) to a large population without them knowing. For instance, the attacker might use a patch management tool run by the subcontractor to deploy its code far and wid
As indirect attacks that exploit the subcontracting chain proliferate worldwide, governments are implementing defense plans tailored to this new threat.
This new type of attack is proliferating exponentially, with most government agencies tasked with national cybersecurity creating special content to help their critical departments.
In the US, the Department of Homeland Security (DHS) has formed a workgroup called the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force (SCRM) with the goal of studying subcontractor attack mechanisms and providing a compendium of best practices for service providers. Additionally, American companies can use this framework to assess how reliable their own subcontractors are. A description of this work can be found here.
In France, ANSSI has been working on this issue for months and has created a document describing the findings of its investigations, ‘‘SUPPLY CHAIN ATTACKS – THREATS TARGETING SERVICE PROVIDERS AND DESIGN OFFICES,’’ which can be viewed here. ANSSI further suggests enacting a security assurance plan (SAP) when choosing a subcontractor.
On May 15, 2019, the White House issued an executive order listing subcontractors that are prohibited from engaging in activities considered of vital importance to the country. The Secretary of Commerce is responsible for selecting or removing suppliers, particularly foreign ones, which are deemed non-compliant with the stated security rules. The company Huawei is on the list of banned suppliers.
A look back at the attack
against a major American retailer
The facts provided here are based on actual events, derived from information collected through several post-mortem studies.
Sequence of the attack and procedure
- Reconnaissance phase: The attackers searched on Google to identify their target’s subcontractors and learn about how they worked together. A subcontractor responsible for the air conditioning system was targeted.
- September: The attackers compromised the subcontractor via an email containing malware. The malware was said to be a derivative of Citadel code for capturing passwords used on the machine. The malware then collected a password to log in to the subcontractor access portal.
- November 15: The attackers infected the target’s network and tested lateral movement on the payment terminals. The attackers continued the internal reconnaissance phase using relatively basic tools, knowing that they could use Active Directory to carry out lateral movement and large-scale escalation.
- November 27: The attackers started collecting information about payment cards via the malware installed on the payment terminals. Additionally, the attackers found an unpatched, misconfigured Active Directory domain controller, allowing them to scale the infection of the payment terminals.
- November 30: Nearly all payment terminals were now infected. The attackers used the patch management tools of the target itself, namely SCCM, to widely disseminate their malware. This malware had custom code that could not be detected by the target’s antivirus software.
- December 2: The collected data was retrieved from the machines’ memories, stored in a DLL, then transferred to a shared network created for the occasion using ports 139, 443, and 80. The data was then exfiltrated via FTP. Via network monitoring tools, the India-based SOC detected suspicious movements. An alert was reported, but no action was taken, as the teams believed it to be a false positive.
- December12:The stolen data was sold on the black market. The U.S. Department of Justice was notified of the breach. The target triggered a remediation plan, but most of the data had already been exfiltrated.
- December 15: In three days, the target had cleaned nearly all the machines, but the damage was done.
Conclusions for your organization:
- Basic Google searches turned up information about the target’s IT environment – the reconnaissance phase was disturbingly easy.
- The weakest link was not in the target, but in the subcontractor. A subcontractor used for air conditioner maintenance was the gateway to infiltrate the network’s target.
- The attackers used Active Directory to execute lateral movement and escalate privileges in order to quickly execute a large attack.
- The in-house teams detected suspicious data movements but did not realize it was an attack, believing it to be a false positive.
- Excluding the reconnaissance phase, the attack phase itself took only four months.
- It is important to regularly check public search engines to assess your exposure regarding confidential IT information.
- You must have an active plan to evaluate your subcontractors, both when a contract begins and for as long as it lasts – and that evaluation plan must be regularly audited.
- Active Directory is a systemic dissemination vector in more than 80% of attacks executed by a threat agent or automated malware. Make sure your organizations have configured Active Directory correctly to control this systemic risk.
- All weak signals collected must be considered, and your SOC teams must be trained continually on new attack models.
- Based on the attacker’s experience, targeted intrusions can be extremely short and intense, lasting months or even weeks. You need to ensure that you have the full arsenal of dissuasion, detection, and response before they happen to you.
What are the most important things to watch for in the subcontractor chain?
The diagram below depicts a simplified view of the subcontracting chain, with the key items to monitor and which constitute the minimum you should implement in your extended Information System:
- Key point #1: You need to work with your subcontractor to check how it stores the information needed to log in to your own Information System. Additionally, it is necessary to check how that information is accessed.
- Key point #2: You must require that your subcontractor conduct an Active Directory compliance audit.
- Key point #3: You must implement multifactor authentication (MFA) on the entry point to your Information System. Password authentication alone is not enough. Additionally, it is necessary to track all login information, such as by using a SIEM.
- Keypoint #4: You must implement a monitoring and remediation plan for your Active Directory configuration. If your subcontractor does get infected and the compromise hits your own Information System, the mass infection will use your Active Directory’s configuration weaknesses and vulnerabilities.
- Keypoint #5: You must check that your back up process is working and that you are able to restore your most important data. This includes the backups of your Active Directory, files, and databases. Verifying that emails are backed up properly should occur during a restoration plan if they contain strategic information for your business.
The reality is that the reliability of a subcontracting chain that includes a series of organizations is only as strong as its weakest link. The necessary measures should be taken to assess the security level of all subcontractors that can access your Information System. Additionally, login and access methods may vary greatly, via a VPN, a PC (regardless if managed by the organization), using various protocols, etc. The choice of tools and protocols may prove strategic in reducing overall risk. It is therefore extremely important to include your subcontracting chain in your regular compliance checks and to get all stakeholders involved in your security strategy. You must consider your subcontractors as an extension of your Information System and must treat them as such. As always, it is important to fully assess risk and take the appropriate measures to protect yourself and withstand attacks. You can dive deeper into these strategies at Alsid.Our solutions