CyberWire Daily - Operation Red Signature targets South Korean supply chain. [Research Saturday]
Episode Date: December 8, 2018
Researchers at Trend Micro uncovered a supply chain attack targeting organizations in South Korea. With the goal of information theft, attackers compromised the update server of a third-party support ...provider, resulting in the installation of a RAT, or remote access trojan. Rik Ferguson is Vice President of Security Research at Trend Micro, and he guides us through their discoveries. The research can be found here: https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
This was a discovery that we made towards the end of July. It looks like some of the earliest
uses of the stolen certificates in this case may date all the way back to April of that year.
That's Rik Ferguson. He's vice president of security research at Trend Micro.
The report we're discussing today is titled Supply Chain Attack Operation Red Signature Targets South Korean Organizations.
But it was certainly something that we discovered through our regular research, which we basically break out on a very regional basis.
And in fact, we started looking at this before the first media reports surfaced in South Korea by several days.
So take us through what did you discover here?
So what we found was that a threat actor had been targeting the software supply chain for a couple of very specifically chosen organizations
in South Korea. Many of your listeners might be familiar with the NotPetya attacks that targeted
organizations in the Ukraine. And if you bear in mind that sort of attack scenario, it has a lot of
parallels with this situation in South Korea. So the attackers found a software solutions provider,
remote support solutions, in fact, for the organizations that they actually wanted to target.
And they went after the software update mechanisms for that remote support tool and managed to inject malware into that remote support tool update mechanism. What was interesting about it was, in the case of NotPetya, and this is the reason why the NotPetya attacks
went really truly global and caused hundreds of millions of dollars worth of damage, even to
specific individual organizations, let alone as a global total. What was really interesting about
the South Korean one is that the attackers were very careful to make sure that they put steps in
place to target only the organizations that they wanted to target.
Well, let's walk through it step by step here. Take us through what you discovered.
So initially what the attackers did was they managed to steal the code signing certificate
from the support solutions provider. And what that meant they could do is create their own
malicious remote access tool, sign it with the legitimate code signing key, and then
compromise the update server. And what they did when they compromised the update server is they
didn't simply dump their malware onto the central update server belonging to the solution provider.
I guess what they were trying to do there was to avoid detection. If you dump your malware
onto somebody else's server, you're really not going to be in control of when that malware is found and what gets done about it. So they ran their own parallel update server. But what they
did was on the update server belonging to the solution provider, they compromised, if you like,
the initialization file so that when organizations from a specific IP range, and that's what I was
referring to when I said they were being very selective in their targets. When organizations from a specific IP range connected to download their regular update.zip
file, they were redirected to the malicious update server, which went on to serve the first stage
malware, which was a remote access tool. And the organization that they compromised
had no idea what was going on here?
Certainly at the time the compromise took place, it appears that there was little to no idea that it had happened.
The initial news reports that surfaced in Korean media were on, I'm just looking now, the 6th of August 2018.
And from, you know, I did a quick Google translate of that particular news story.
My Korean is, well, rusty to non-existent, let's say non-existent. But certainly from the quotes
that are in that article, both the victim organizations and the compromised software
provider had no idea at all until after the event that this compromise had taken place.
The Korean media story talks about two different organizations being affected.
Can we just back up a little bit
just to explain for our listeners
this notion of having the code signing certificate stolen?
What would be a way that someone would do that?
And then what does that enable them to do?
So the way that you will end up getting hold
of a private key to sign software
is you really are going to have to break into the key management systems of the organization in question. Obviously,
the private key is the crown jewels when it comes to code signing. If you hold the private key,
you're able to make any software you want look like it comes from the legitimate software
publisher. And that's why it's so valuable. It's certainly not the first
time we've seen that tactic being deployed. It's been something which has been ongoing,
actually, for many years. We've seen malicious or fake software being signed by stolen or leaked
legitimate keys. But it's, I guess, a vulnerability which is part of the architecture of public-private
key signing systems that if you lose control of the private key,
then really all bets are off
as to the legitimacy of anything originating
from that organization that purports to be signed by them.
And if the key is stolen and is being used by the bad guys,
there's no beacon or anything that says,
hey, someone else is using your key out here.
No, and unless you discover through research like this that your code signing key is being misused,
it's very unlikely that you're going to, unless you have a system in place to regularly rotate keys,
it's very unlikely you're going to age those out because you've got no reason to do so.
And actually, one of the problems that you will hear people,
or one of the headaches that you will hear people talking about with public-private key encryption is key management. And very often, you know, it's of little to no
interest to organizations to regularly age out their keys because the overhead of making sure
that everyone knows that the old key is no longer valid and making sure that you've got the new key
in place and that only the right people have access to that really puts people off doing that.
Well, let's dig into this zip file that gets downloaded. What did you find in there?
So in the original download, we found a remote access tool, which was called 9002 RAT. And that
would execute immediately. It would register a DLL and then go on to download further tools
to the system,
actually quite a list of further tools for different purposes.
So let's run through some of those tools.
What did it reach out to grab and what was the functionality it was trying to get?
So there were a bunch of tools that were designed for enumerating Active Directory objects
and Active Directory information.
So being able to conduct, if you like, an audit
of the compromised organization. There were tools designed for dumping passwords from SQL databases.
There was even a secondary remote access tool, a variant of the well-known PlugX remote access tool.
And there was an exploit kit for IIS 6 server. Yeah, basically more audit tools. So
being able to pull out passwords stored by browsers, being able to pull out information
relating to the compromised system itself. So the, for example, software versions and names
of devices. So really being able to explore, build a complete audit, if you like, of the compromised organization, and then to move out further laterally across the network and expand and persist in place.
So this activity, this reaching out for these additional files, how were they hiding this?
How was this not getting flagged by a typical antivirus installation, something like that?
So what the malicious files are doing are reaching out to command and control servers
located around the world.
And in the way that most malware does, to be honest,
when there's a compromise within an organization,
they will use ports and protocols
that are in standard use throughout the organization.
Very often you will see malware using SSL encryption
to hide the contents of any
transaction. But that traffic on the network will look just like any other internet-facing traffic
from anyone browsing the web, unless you're going to dig into it. But of course, if they're using
SSL, digging into it becomes extremely problematic. So one of the things that you pointed out in your
research that you alluded to earlier was how targeted they were with this.
Sort of limiting the range of IP addresses that were targeted with this.
It was also time restricted as well.
Can you take us through that?
That's right.
So, as I said, it was certainly a specific range of IP addresses that were designed to be affected by the initial compromise.
So if organizations connected to the update server from companies that were not in the sights of the attackers, then they would simply be served with
the regular uncontaminated update. So that was number one. But also, it certainly, as you say,
appears to have been extremely time limited. It was set to go inactive in August. And we saw the
compromise, according to the dates in the files, the compromise itself didn't start really until 18th of July. So it was only for that last two thirds, if you like,
of the month of July, that the attackers were really interested in being active within those
compromised networks. Are there any conclusions you can draw from that in terms of what they were
after, why they would do such a thing? It's very difficult to say what they were after,
particularly without going into data and information,
which may well be confidential for the compromised organization in question.
But it's certainly good practice to, if you want to fly under the radar,
it's going to serve your interests to limit your activities as much as possible.
The more noise you make as an attacker, the more likely you are to be spotted and for your compromise to be mitigated.
It's really, you know, if you look at some of the bigger attacks in the past, and I referenced,
for example, that NotPetya one because it bears so many similarities. One of the biggest problems
for the attackers with NotPetya is that they didn't design any of that functionality into
the attack. And it ended up making very, very global noise.
Obviously, it wreaked havoc for many organizations.
But it was designed to initially affect only organizations based in the Ukraine.
It was targeted at a Ukrainian software provider, in that case, to do with filing tax returns.
But if you look at any of the large organizations that kind of went public afterwards and said,
yeah, we were very badly affected by this, you'll find that all of them, bar none, had operations or offices in the Ukraine.
And it's that flattened network infrastructure on a global basis that basically made all of those collateral damage.
And it's the noise that that creates that got that attack into mainstream news media. You can totally bet that if this particular attack
against South Korean organizations hadn't put those mitigations in place against collateral damage,
this would have made as much noise as the WannaCry or NotPetyas of the world.
Can you share with us any insights into what the cleanup process is for something like this?
An organization like yours
discovers this, you're working with a client to help them mitigate this sort of thing. Not
necessarily digging into the details of this, but more generally, what's the process by which you
go about fixing a problem like this? Well, I guess you have a couple of options. One of the things
that you will have noted that we published is all of the IOCs, all the indicators of compromise related to this. You could go through manually,
manually do the triage search for all of these IOCs, find the infected systems and manually back
out those changes or clean up the systems. The problem with doing that is you're never going to
be quite sure if you found all of them. You're never going to be quite sure if you investigated every system.
And you're never going to be quite sure if all of the backouts and cleanups and changes that you manually made actually remediated the problem.
I guess the scorched earth policy at the other end of the scale would simply say,
okay, we know this machine has been compromised.
We're simply going to blow it away and replace it with, hopefully, with a backup
that predates the infection.
That's going to be the scorched earth and really quick way to do it. And really, it speaks volumes about the need for detection and response, whether that's
on-premise or a managed detection and response system that will allow you to, if you like,
take snapshots along the way of your infrastructure and your estate. And it will allow you to,
once a compromise such as this has been discovered, it will allow you to walk back through time using this list of IOCs, find out obviously
all of the compromised machines. Also, it will, this is probably the real power of this, allow you
to find, if you like, patient zero and find out by what means this compromise got into your system.
In this case, we know it was through a malicious update
file that was targeted at the organization, but of course, that's not always the case.
And allow you to do that root cause analysis and mitigate whatever vulnerability was exploited
to get into the organization in the first place. Now, what about the mitigation of these sorts of
supply chain attacks? I mean, I think people are obviously very concerned about this.
The ability for folks to get into my organization
based on the organizations
that I am doing business with on a day-to-day basis.
What's your advice for organizations
to get on top of this,
to protect themselves against potential attacks
from what they consider to be trusted partners?
That's right.
I mean, supply chain attacks are becoming increasingly common now.
Certainly in the case of very targeted attacks like this, if you're going after a larger
organization, they probably have more budget. They probably have more human resources to pile
into their security initiatives. But if you're looking at the smaller third-party organizations
that they subcontract to
or that they do business with or they outsource to, that's going to be your easiest route into
an organization that's actually got security high on their agenda. Interestingly, I was hosting a
panel at the CloudSec conference in London, and it was a panel of law enforcement professionals,
and it was called Inside the Mind of the Cybercriminal. And I asked a question about the Target attacks, because that was another supply chain attack. It
was, I'm sure you remember the heating, ventilation, air conditioning provider that was compromised in
the first instance. And it was kind of an island hopping attack that went through their systems
into Target and resulted in hundreds of millions of credit card details being stolen.
And I said,
I asked the panel, how common is that? And do you think that that particular example,
the Target one, was the case of well-executed research or was it happenstance? Did it just happen because someone compromised the HVAC provider? And it was actually one of the
panelists from the FBI who said to me, I can tell you through personal involvement that it was absolutely coincidental and opportunistic, which kind
of goes against a lot of the things that you will have heard industrial commentators saying
since then.
But that's from the horse's mouth.
So the story, according to this FBI agent who was on the panel, is that attackers had
happened to compromise this air conditioning provider, looked at what
they got and said, on my word, this is interesting. Now we can go after Target instead of
deliberately going after this air conditioning provider to get to Target. And what that says
to me is that you really do have to make sure that when you subcontract to organizations or
buy services from organizations or develop joint offerings, whatever it may be, that you put metrics in place and that you put key performance indicators in place that ensure that their security is being raised up to your levels.
Not that you are lowering your perimeter in their direction to allow them to have access.
If they want your business, if they want to do business with you, they must meet your requirements. You don't have to simplify things or make things easier for them. And that's really
the number one thing. So ensure that that organization's own online estate, if you like,
matches your security controls. And you've got to be able to audit them in terms of
authentication. How are people gaining access to their network and to their network properties?
How, for example, are they keeping up to date with patching within their organizations?
And those third parties should have a vested interest in making that documented audited
information available to you because in effect, you know, they want your business and this is
what they have to do to gain it. I was part of a research project called Project 2020 with Europol, which is kind of the
EU equivalent or sister body to Interpol. And we were looking at how will technology look in the
future? How will security look in the future? And come up with a whole bunch of predictions around
technology and what the threat landscape would look like and how attackers would be acting.
One of the things that sticks in my mind in this particular case, when we talk about third parties, is we talked about having a
security metric, if you like, being able to apply a security score to an organization. And I think
one of the places that really will be driven from will be the insurance industry. There will be
the cyber insurance industry anyway. They'd be really interested in being able to benchmark an organization and say,
if you meet whatever, a three on our scale, your premiums will be X.
But if you meet a four on our scale,
your premiums are going to be significantly higher than X.
And it will drive up that security hygiene.
The byproduct of that will be the organizations will then be able to use a metric of that nature
to select the partners with whom they're going to do business. Yeah. And it strikes me that it could be a differentiating factor. If you're
an organization that's on top of things, you can go out and brag about that and say, look,
we're compliant with this standard and we're proud to share these audits with you.
And it absolutely works. I mean, there's a great allegory in the food industry. I'm not sure how it works in the US, but anywhere in Europe, you walk up to a restaurant or a takeaway place, whatever it might be, and you will see their food hygiene score out of five stars in the window or on the door. Every premises is obliged to display that.
up to a window and you're only going to see two stars on there, it's highly unlikely you're going to go and grab a burger from that particular establishment. You're going to walk down the
road until you find a four or five star place and be happier there. And the same thing can be
applied to the security scores. Actually, we extrapolated out from there and we said,
you could even see this being applied on a national basis. So in the same way that we
have organizations like Moody's, for example, applying triple-A credit ratings, and then, you know, when the economy gets a bit shaky they'll knock a couple of A's off. We could have the same thing on a security basis. You know, you've got a triple-A security rating, and that's the kind of country that you're going to be happy putting your data center in or building key services in or exporting data to and from.
So it's something that really scales up as well.
Yeah, it's interesting. I mean, I think about our own State Department issuing travel advisories,
you know, that sort of thing, almost a weather report on, you know, this is what's going on now.
I could certainly see that type of thing being applied to the cyber domain.
And, you know, the other thing that you were asking about,
what do organizations have to do?
The other stuff, unfortunately, is about security basics.
And I say unfortunately because it means that people are still failing on those basics.
Often when I'm presenting at events, I'll get delegates approaching me and saying,
how come you're still talking about basics in your presentation?
I really enjoyed it, but I want to hear about what was the most complex, sexiest attack that you came across in the last six months, or
tell me about the most fantastic zero-day exploit or vulnerability that you've come across.
And while that stuff is interesting on a technical level, it's actually not very useful on a security
and protection level because organizations are consistently failing at getting security
basics right. And attackers are not going to innovate and do new things and think of new
ways to break into your organization unless you force them to. They will do the bare minimum
necessary to break into your organization. So it's things like, when I say basics, I mean things like
need-to-know principle, restricting data within the organization
so that only people who need to have access to that data in order to be able to do their
job get access to that data.
It's a basic security principle.
Another one is the principle of least privilege.
You may need to have access to a certain data item to do your job, but do you only need
to be able to read that data?
So if so, that's the only kind of access you should have.
You shouldn't be able to write to that data or modify that data.
I mentioned in the case of NotPetya, flat network structures.
Unsegmented networks are a massive pitfall in security
and a massive invitation to an attacker
to basically stroll at will through your network infrastructure,
dropping back doors and other ways in along the way.
So people have to learn to effectively segment networks. And again, that's security
basics. It's not a new idea. It's something that's been around for a long time. And those
principles of least privilege also apply not just to data, but also to things like administration
tools and access to applications or application control, in effect. You know, who is able to execute which files in which context.
And if you've got tools within your system that you never use,
then make sure they're gone.
Make sure that you get rid of them.
Look at the, you know, the tools that were used by NotPetya.
They were standard Windows administration tools,
but they were massively abused to great effect
to spread malware throughout the organization.
Our thanks to Rik Ferguson from Trend Micro for joining us.
The research is titled Supply Chain Attack Operation Red Signature Targets South Korean Organizations.
You can find it on the Trend Micro website.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.