Clandestine hunter: two strategies for supply chain attack

Byeongjae Kim (Korea Internet & Security Agency), Taewoo Lee (Korea Internet & Security Agency), Sojun Ryu (Korea Internet & Security Agency) & Dongwook Kim (Korea Internet & Security Agency)
In January 2019, Kaspersky discovered the ASUS supply chain attack, named it 'Operation ShadowHammer' and attributed it to the BARIUM APT group. Since 2010, the BARIUM APT group has targeted game and software development companies around the world, carrying out advanced cyber attacks mainly with the 'Winnti' and 'PlugX' malware.

The Korea Internet & Security Agency (KrCERT/CC) analysed several supply chain attacks in the Republic of Korea and confirmed a relationship between the ASUS incident and those Korean cases.

In this presentation we will discuss the TTPs of the BARIUM group's supply chain attacks.

This group used two strategies for its supply chain attacks:

    1. Compromise SW development environment.

    2. Compromise update servers.

Cases of supply chain attack in Korea:

    1. Attack on anti-virus vendor update server
    In 2018, penetration attempts were made against an anti-virus software vendor's update servers. The attacker gained access to a server through a file upload vulnerability and, after a local privilege escalation exploit, altered the pam_unix.so library file to steal account credentials.

    2. Attack on remote control solution manufacturing vendor
    KrCERT discovered that malicious code had been injected into the vendor's software update file. The attacker stole a test account for the remote control solution and compromised the developer's PC, then moved laterally to the development server by infecting it with malware.

    3. Attack on NetSarang build server
    The attacker stole the TeamViewer account used on the NetSarang build server. A linker program was then used to inject malicious code into 'nssock2.dll' for distribution to users. The incident is similar to the supply chain attack on CCleaner that occurred in the same year.

KrCERT mapped the resulting TTPs onto the ATT&CK matrix. We will present the attack characteristics of this APT group and discuss how to prevent and respond to such attacks.
Byeongjae Kim
Korea Internet & Security Agency
Byeongjae Kim has been doing intrusion analysis and malware analysis for 10 years at the Ministry of Defense and the Korea Internet Security Agency. The agency team has recently analysed various cases of supply chain attacks and continues to think about how to respond to them. Byeongjae is currently analysing the TTPs of attack groups.

Tae-woo Lee
Korea Internet & Security Agency
Tae-woo Lee is in charge of malicious code analysis and IR at the Korea Internet Security Center (KISC) of the Korea Internet & Security Agency (KISA). Before working at KISA, he was a malware analyst at an anti-virus company in Korea (ROK).

Currently, he is researching groups carrying out attacks (such as ransomware, supply chain attacks and information leakage) that threaten cybersecurity in Korea. He is particularly interested in research related to preventing cyber attacks by groups composed of Korean-speaking attackers.

Sojun Ryu
Korea Internet & Security Agency
Sojun Ryu graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree in information security from Sungkyunkwan University in Korea. Sojun has worked at KrCERT/CC for seven years, analysing malware and responding to incidents. Recently, Sojun has been focusing on threat analysis.

Dongwook Kim
Korea Internet & Security Agency
Dongwook Kim has been working for the Korea Internet Security Agency since 2013 as a computer incident analyst. The team has a lot of experience in Internet security incident response (supply chain attacks, crypto-currency exchange hacking and so on). Recently, Dongwook has been tracking and analysing specific hacking groups targeting Korea.