Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:00:56] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Rik Ferguson: [00:01:42] This was a discovery that we made towards the end of July. It looks like some of the earliest uses of the stolen certificates in this case may date all the way back to April of that year.
Dave Bittner: [00:01:53] That's Rik Ferguson. He's Vice President of Security Research at Trend Micro. The report we're discussing today is titled, "Supply Chain Attack Operation Red Signature Targets South Korean Organizations."
Rik Ferguson: [00:02:06] But it was certainly something that we discovered through our regular research, which we basically break out on a very regional basis. And in fact, we started looking at this before the first media reports surfaced in South Korea, by several days.
Dave Bittner: [00:02:20] So take us through - what did you discover here?
Rik Ferguson: [00:02:23] So, what we found was that a threat actor had been targeting the software supply chain for a couple of very specifically-chosen organizations in South Korea. Many of your listeners might be familiar with the NotPetya attacks that targeted organizations in the Ukraine, and if you bear in mind that sort of attack scenario, it has a lot of parallels with the situation in South Korea.
Rik Ferguson: [00:02:46] So, the attackers found a software solutions provider - remote support solutions, in fact - for the organizations that they actually wanted to target, and they went after the software update mechanisms for that remote support tool, and managed to inject malware into that remote support tool update mechanism. What was really interesting about it was - in the case of NotPetya, and this is the reason why the NotPetya attacks went really, truly global and caused hundreds of millions of dollars worth of damage, even to specific individual organizations, let alone as a global total - what was really interesting about the South Korean one is that the attackers were very careful to make sure that they put steps in place to target only the organizations that they wanted to target.
Dave Bittner: [00:03:31] Well, let's walk through it step-by-step here. Take us through what you discovered.
Rik Ferguson: [00:03:36] So, initially, what the attackers did was they managed to steal the code signing certificate from the support solutions provider. And what that meant they could do, is create their own malicious remote access tool, sign it with the legitimate code signing key, and then compromise the update server. And what they did when they compromised the update server, is they didn't simply dump their malware onto the central update server belonging to the solution provider - I guess what they were trying to do there was to avoid detection. If you dump your malware onto somebody else's server, you're really not going to be in control of when that malware is found and what gets done about it.
Rik Ferguson: [00:04:12] So, they ran their own parallel update server, but what they did was, on the update server belonging to the solution provider, they compromised, if you like, the initialization files, so that when organizations from a specific IP range - and that's what I was referring to when I said they were being very selective in their targets - when organizations from a specific IP range connected to download their regular update.zip file, they were redirected to the malicious update server, which went on to serve the first stage malware, which was a remote access tool.
Dave Bittner: [00:04:46] Hmm. And the organization that they compromised had no idea what was going on here?
Rik Ferguson: [00:04:51] Certainly at the time that the compromise took place, it appears that there was little to no idea that it had happened. The initial news reports that surfaced in Korean media were on - I'm just looking now - the 6th of August 2018.
Dave Bittner: [00:05:07] Hmm.
Rik Ferguson: [00:05:06] And from, you know, I did a quick Google Translate of that particular news story - my Korean is, well, rusty to nonexistent...
Dave Bittner: [00:05:13] (Laughs)
Rik Ferguson: [00:05:13] ...Let's say nonexistent. But certainly, from the quotes that are in that article, both the victim organizations and the compromised software provider had no idea at all, until after the event that this compromise had taken place. The Korean media story talks about two different organizations being affected.
Dave Bittner: [00:05:32] Can we just back up a little bit, just for - to explain for our listeners this notion of having the code signing certificates stolen. What would be a way that someone would do that, and then what does that enable them to do?
Rik Ferguson: [00:05:45] So, the way that you you will end up getting hold of a private key to sign software is you really are going to have to break into the key management systems of the organization in question. Obviously, the private key is, you know, the crown jewels when it comes to code signing. If you hold the private key, you're able to make any software you want look like it comes from the legitimate software publisher. And that's why it's so valuable.
Rik Ferguson: [00:06:09] It's certainly not the first time we've seen that tactic being deployed. It's been something which has been ongoing, actually, for many years. We've seen malicious or fake software being signed by stolen or leaked legitimate keys. But it's, I guess, a vulnerability which is part of the architecture of public-private key signing systems, that if you lose control of the private key, then really all bets are off as to the legitimacy of anything originating from that organization that purports to be signed by them.
Dave Bittner: [00:06:40] And if the key is stolen and is being used by the bad guys, there's no beacon or anything that says, hey, you know, someone else is using your key out here.
Rik Ferguson: [00:06:49] No, unless you discover, you know, through research like this, that your co-signing key is being misused, it's very unlikely that you're going to - unless you have a system in place to regularly rotate keys - it's very unlikely you're going to age those out, because you've got no reason to do so. And actually, you know, one of the problems that you will hear people - or one of the headaches that you will hear people talking about with public-private key encryption is key management. And very often, you know, it's of little to no interest to organizations to regularly age out their keys, because the overhead of making sure that everyone knows that the old key is no longer valid, and making sure that you've got the new key in place and that only the right people have access to that, really puts people off doing that.
Dave Bittner: [00:07:29] Hmm. Well, let's dig into this zip file that gets downloaded. What did you find in there?
Rik Ferguson: [00:07:35] So, in the original download, we found a remote access tool, which was called 9002 RAT, and that would execute immediately. It would register a DLL, and then go on to download further tools to the system - actually, quite a list of further tools for different purposes.
Dave Bittner: [00:07:55] So let's run through some of those tools. What did it reach out to grab, and what was the functionality it was trying to get?
Rik Ferguson: [00:08:02] So there were a bunch of tools that were designed for enumerating active directory objects and active directory information. So being able to conduct, if you like, an audit of the compromised organization. There were tools designed for dumping passwords from SQL databases. There was even a secondary remote access tool - a variant of the well-known PlugX remote access tool - and there was an exploit kit for IIS 6 server.
Rik Ferguson: [00:08:31] But yeah, basically more audit tools. So, being able to pull out passwords stored by browsers. Being able to pull out information relating to the compromised system itself, so the, for example, software versions and names of devices. So really being able to explore, build a complete audit, if you like, of the compromised organization, and then to move out further, laterally, across the network, and expand and persist in place.
Dave Bittner: [00:08:57] So, this activity, this reaching out for these additional files, is this - how were they hiding this? How was this not getting flagged by a typical antivirus installation, something like that?
Rik Ferguson: [00:09:10] So, what was the malicious files are doing are reaching out to command-and-control servers located around the world, and in the way that most malware does, to be honest, when there's a compromise within an organization, they will use ports and protocols that are in standard use throughout the organization. Very often you will see malware using SSL encryption to hide the contents of any transaction, but that traffic on the network will look just like any other Internet-facing traffic from anyone browsing the web, unless you're going to dig into it. But of course, if they're using SSL, digging into it becomes extremely problematic.
Dave Bittner: [00:09:45] So, one of the things that you pointed out in your research that you alluded to earlier, was how targeted they were with this. They're limiting the range of IP addresses that were targeted with this. It was also time-restricted as well. Can you take us through that?
Rik Ferguson: [00:10:01] That's right. So, yeah, as I said, it was certainly a specific range of IP addresses that were designed to be affected by the initial compromise. So, if organizations connected to the update server from companies that were not in the sights of the attackers, then they would simply be served with the regular uncontaminated update. So that was number one.
Rik Ferguson: [00:10:20] But also, it certainly, as you say, appears to have been extremely time-limited. It was set to go inactive in August and we saw the compromise - according to the dates in the files - the compromise itself didn't start, really, until 18th of July. So it was only for that last two-thirds, if you like, of the month of July, that the attackers were really interested in being active within those compromised networks.
Dave Bittner: [00:10:42] Is there any conclusions you can draw from that, in terms of what they were after, or why they would do such a thing?
Rik Ferguson: [00:10:49] It's very difficult to say what they were after, particularly, without going into data and information which may well be confidential for the compromised organization in question, but it's certainly good practice to - if you want to fly under the radar, you know, it's going to serve your interests to limit your activities as much as possible. The more noise you make, as an attacker, the more likely you are to be spotted and for your compromise to be mitigated.
Rik Ferguson: [00:11:16] It's really, you know, if you look at some of the bigger attacks in the past - and I referenced, for example, that NotPetya one because it bears so many similarities. One of the biggest problems for the attackers with NotPetya is that they didn't design any of that functionality into the attack, and it ended up making very, very global noise. Obviously, it wreaked havoc for many organizations, but it was designed to initially affect only organizations based in the Ukraine. It was targeted at a Ukrainian software provider, in that case, to do with filing tax returns. But if you look at any of the large organizations that went public afterwards and said, yeah, we were very badly affected by this, you'll find that all of them, bar none, had operations or offices in the Ukraine.
Rik Ferguson: [00:11:57] And it's that flattened network infrastructure on a global basis that basically made all of those collateral damage. And it's the noise that that creates that got that attack into the mainstream news media. You can actually, you know, you can totally bet that if this particular attack against South Korean organizations hadn't put those mitigations in place against collateral damage, this would have made as much noise as, you know, the WannaCrys or the NotPetyas of the world.
Dave Bittner: [00:12:24] Can you share with us any insights onto what is the cleanup process for something like this? An organization like yours discovers this, you're working with a client to help them mitigate this sort of thing - not necessarily digging into the details of this, but more generally, what's the process by which you go about fixing a problem like this?
Rik Ferguson: [00:12:45] Well, I guess you have a couple of options. One of the things that you will have noted that we published is all of the IoCs, all the indicators of compromise related to this. You could go through, manually managing the triage search for all of these IoCs in the infected systems and manually back out those changes or clean up the systems. The problem with doing that is you're never going to be quite sure if you found all of them, you're never going to be quite sure if you investigated every system, and you're never going to be quite sure if all of the backouts and cleanups and changes that you manually made actually remediated the problem.
Rik Ferguson: [00:13:16] Again, it's the scorched-earth policy at the other end of the scale, which simply would say, okay, we know this machine has been compromised, we're simply going to blow it away and replace it with, hopefully, with a backup that predates the infection. That's going to be the scorched earth and really quick way to do it. And really, it speaks volumes about the need for detection and response, whether that's on-premise or a managed detection and response system, that will allow you to, you know, if you like, take snapshots along the way of your infrastructure and your estate, and it will allow you to - once a compromise such as this has been discovered - it will allow you to walk back through time, using this list of IoCs, find out, obviously, all of the compromised machines.
Rik Ferguson: [00:13:59] Also, it will - and this is probably the real power of this - allow you to find, if you like, patient zero, and find out by what means this compromise got into your system - in this case, we know it was through a malicious update file that was targeted at the organization, but of course, that's not always the case - and allow you to do that root cause analysis and mitigate whatever vulnerability was exploited to get into the organization in the first place.
Dave Bittner: [00:14:24] Now, what about the mitigation of these sorts of supply chain attacks? I mean, I think this - that people are obviously very concerned about this. The ability for folks to get into my organization based on the organizations that I am doing business with on a day-to-day basis. What's your advice for organizations to get on top of this, to protect themselves against potential attacks from what they consider to be trusted partners?
Rik Ferguson: [00:14:49] That's right. I mean, supply chain attacks are becoming increasingly common now. Certainly in the case of very targeted attacks like this. If you're going after a larger organization, they probably have more budget, they probably have, you know, more human resources to pile into their security initiatives. But if you're looking at the smaller third-party organizations that they subcontract to, or that they do business with, or they outsource to - that's going to be your easiest route into an organization that's actually got security high on their agenda.
Rik Ferguson: [00:15:20] Interestingly, I was hosting a panel at the CLOUDSEC conference in London, and it was a panel of law enforcement professionals, and it was called "Inside the Mind of the Cybercriminal." And I asked a question about the Target attacks, because that was another, you know, supply chain attack. It was - I'm sure you remember the heating, ventilation, air conditioning provider...
Dave Bittner: [00:15:40] Right.
Rik Ferguson: [00:15:41] ...That was compromised in the first instance, and it was kind of an island hopping attack that went through their systems into Target, and resulted in hundreds of millions of credit card details being stolen. And I said - I asked the panel, how common is that, and do you think that that particular example - the Target one - was the case of well-executed research, or was it happenstance? You know, did it just happen because someone compromised the HVAC provider? And it was actually one of the panelists from the FBI who said to me, I can tell you through personal involvement that it was absolutely coincidental and opportunistic.
Rik Ferguson: [00:16:15] Which kind of goes against a lot of the things that you will have heard industrial commentators saying since then. But that's, you know, from the horse's mouth. So the story according to this FBI agent who was on the panel, is that attackers had happened to compromise this air conditioning provider, looked at what they got, and said, oh my word, this is interesting, now we can go after Target - instead of deliberately going after this this air conditioning provider to get to Target.
Rik Ferguson: [00:16:41] And what that says to me is that you really do have to make sure that - when you subcontract to organizations, or buy services from organizations, or develop joint offerings, whatever it may be - that you put metrics in place, and that you put key performance indicators in place that ensure that their security is being raised up to your levels, not that you are lowering your perimeter in their direction to allow them to have access. If they want your business, if they want to do business with you, they must meet your requirements. You don't have to simplify things or make things easier for them. And that's really the number one thing.
Rik Ferguson: [00:17:16] So, ensure that that organization's own online estate, if you like, matches your security controls. And you've got to be able to audit them, in terms of authentication. You know, how are people gaining access to their network and to their network properties? How, for example, are they keeping up to date with patching within their organizations? And those third parties should have a vested interest in making that documented audited information available to you, because, in effect, you know, they want your business, and this is what they have to do to to gain it.
Rik Ferguson: [00:17:46] I was part of a research project called Project 2020 with Europol, which is kind of the EU equivalent or assistant body to Interpol. And we were looking at how will technology look in the future, how will security look in the future, and came up with, you know, a whole bunch of predictions around technology, and what the threat landscape would look like, and how attackers would be acting.
Rik Ferguson: [00:18:09] One of the things that sticks in my mind in this particular case, when we talk about third parties, is we talked about having a security metric, if you like. Being able to apply a security score to an organization. And I think one of the places that really would be driven from would be the insurance industry - that would be the cyber insurance industry, anyway - being really interested in being able to benchmark an organization, and saying, if you meet, whatever, a three on our scale, your premiums will be X, but if you meet a four on our scale, your premiums are going to be significantly higher than X. And it will drive up that security hygiene. The byproduct of that will be that organizations will then be able to use a metric of that nature to select the partners with whom they're going to do business.
Dave Bittner: [00:18:52] Yeah, and it strikes me that it could be a differentiating factor. If you're an organization that's on top of things, you can go out and brag about that and say, look, we're compliant with this standard and we're proud to share these audits with you.
Rik Ferguson: [00:19:06] And it absolutely works. I mean, there's a great allegory in the food industry. I'm not sure how it works in the US, but in - with anywhere in Europe, you walk up to a restaurant, or a takeaway place, whatever it might be, and you will see that food hygiene score out of five stars in the window or on the door. Every premises is obliged to display that. And if you walk up to a window and you're only going to see two stars on there, it's highly unlikely you're going to go and grab a burger from that particular...
Dave Bittner: [00:19:31] (Laughs)
Rik Ferguson: [00:19:31] ...From that particular establishment. You're going to walk down the road till you find a four or five star place and be happier there. And the same thing can be applied to the security scores.
Rik Ferguson: [00:19:40] Actually, we extrapolated out from there, and we said you could even see this being applied on a national basis. So, in the same way that we have organizations like Moody's, for example, applying Triple-A credit ratings, and then, you know, when the economy gets a bit shaky they'll knock a couple of A's off. We could have the same thing on a security basis. You know, you've got a Triple-A security rating, that's the kind of country that you're going to be happy putting your data center in, or building key services in, or exporting data to and from. So, it's something that really scales up as well.
Dave Bittner: [00:20:14] Yeah, it's interesting. I mean, I think about our own State Department issuing travel advisories. You know, that sort of thing - almost a weather report on, you know, this is what's going on now. I could certainly see that type of thing being applied to the cyber domain.
Rik Ferguson: [00:20:29] And, you know, the other thing that - you know, you were asking about what do organizations do - the other stuff unfortunately, is about security basics. And I say unfortunately because it means that people are still failing on those basics.
Rik Ferguson: [00:20:41] Often, when I'm presenting at events, I'll get delegates approaching me and saying, how come you're still talking about basics in your presentations? I really enjoyed it, but you're still, you know, I want to hear about what was the most complex, sexiest attack that you came across in the last six months, or tell me about the, you know, the most fantastic zero-day exploit or vulnerability that you've come across.
Rik Ferguson: [00:21:01] And while that stuff is interesting on a technical level, it's actually not very useful on a security and protection level, because organizations are consistently failing at getting security basics right, and attackers are not going to innovate and do new things, and think of new ways to break into your organization, unless you force them to. They will do the bare minimum necessary to break into your organization. So it's things like - when I say basics, I mean things like need-to-know principle. You know, restricting data within the organization so that only people who need to have access to that data in order to be able to do their job get access to that data. It's a basic security principle.
Rik Ferguson: [00:21:40] Another one is the principle of least privilege. You may need to have access to a certain data item to do your job, but do you only need to be able to read that data? If so, that's the only kind of access you should have. You shouldn't be able to write to that data or modify that data. I mentioned in the case of NotPetya, flat network structures. Unsegmented networks are a massive pitfall in security and a massive invitation to an attacker to basically stroll at will through your network infrastructure, dropping backdoors and other ways in along the way. So people have to learn to effectively segment networks.
Rik Ferguson: [00:22:14] And again, that's security basics. It's not a new idea. It's something that's been around for a long time. And those principles of least privilege also apply not just to data, but also to things like administration tools and access to applications - so application control, in effect. You know, who is able to execute which files, in which context? And if you've got tools within your system that you never use, then make sure they're gone. Make sure that you get rid of them. Look at the, you know, the tools that were used by NotPetya. They were standard Windows administration tools, but they were massively abused, to great effect, to spread malware throughout the organization
Dave Bittner: [00:22:53] Our thanks to Rik Ferguson from Trend Micro for joining us. The research is titled "Supply Chain Attack Operation Red Signature Targets South Korean Organizations." You can find it on the Trend Micro website. We'll have a link in the show notes.
Dave Bittner: [00:23:07] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber. And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.