Friday 2 October 09:30 - 10:00, Green room
Byeongjae Kim (Korea Internet & Security Agency)
Taewoo Lee (Korea Internet & Security Agency)
Sojun Ryu (Korea Internet & Security Agency)
Dongwook Kim (Korea Internet & Security Agency)
In January 2019, Kaspersky discovered the ASUS supply chain attack and called it 'Operation ShadowHammer', conducted by the BARIUM APT group. Since 2010, the BARIUM APT group has targeted game and software development companies from around the world. This group has attempted advanced and intelligent cyber attacks mainly using the 'Winnti' and 'PlugX' malware.
The Korea Internet & Security Agency (KrCERT/CC) analysed several supply chain attacks in the Republic of Korea. And we confirmed a relationship between the ASUS incident and supply chain attacks in Korea.
in this presentation we will talk about the TTPs of the BARIUM group's supply chain attack.
This group used two strategies for supply chain attack:
1. Compromise SW development environment.
2. Compromise update servers.
Cases of supply chain attack in Korea:
1. Attack on anti-virus vendor update server
In 2018, penetration attempts occurred in an anti-virus software vendor's update servers. The attacker gained access to the server via a file upload vulnerability. After local privilege exploit, the pam_unix.so library file was altered to steal account information.
2. Attack on remote control solution manufacturing vendor
KrCERT discovered that malicious code was injected into the software update file. The attacker stole the test account of the remote control solution and hacked the developer's PC. After that, it moved laterally to the development server through malware infection.
3. Attack on NetSarang build derver
The attacker stole the TeamViewer account of the NetSarang build server. Then a linker program was used to inject malicious code into the 'nssock2.dll' for distribution to users. The incident is similar to the supply chain attack on CCleaner that occurred in the same year.
KrCERT put the results of the TTPs based on the ATTA&CK matrix. We will present the attack characteristics of this APT group and discuss how to prevent and respond to attacks.
Byeongjae Kim Byeongjae Kim has been doing intrusion analysis and malware analysis for 10 years at the Ministry of Defense and Korea Internet Security Agency. The agency team has analysed various cases of supply chain attacks recently and continue to think about how to respond. Byeongjae is currently analysing the TTPs of attack groups.
|
|
Tae-woo Lee Tae-woo Lee is in charge of analysis of malicious code and IR at the Korea Internet Security Center (KISC) of the Korea Internet & Security Agency (KISA). Before working at the KISA, he was a malware analyst at an anti-virus company in Korea (ROK). Currently, he is researching groups carrying out attacks (like ransomware, supply chain attacks and information leakage) that threaten cybersecurity in Korea. He is particularly interested in research related to preventing cyberattacks by groups composed of attackers who speak Korean.
|
|
Sojun Ryu Sojun Ryu graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree in information security from Sungkyunkwan University in Korea. Sojun has worked at KrCERT/CC for seven years, analysing malware and responding to incidents. Recently, Sojun has been focusing on threat analysis.
|
|
Dongwook Kim Dongwook Kim has been working for Korea Internet Security Agency since 2013 as a computer incident analyst. The team has a lot of experiences related to Internet security incident response (supply chain attacks, crypto-currency exchange hacking and so on). Recently, Dongwook has been tracking and analysing specific hacking groups targeting Korea. |
Eugene Rodionov (Google)
Richard Neal (Google)
Lin Chen (Google)