Clandestine hunter: two strategies for supply chain attack

Friday 2 October 09:30 - 10:00, Green room

Byeongjae Kim (Korea Internet & Security Agency)
Taewoo Lee (Korea Internet & Security Agency)
Sojun Ryu (Korea Internet & Security Agency)
Dongwook Kim (Korea Internet & Security Agency)



In January 2019, Kaspersky discovered the ASUS supply chain attack and called it 'Operation ShadowHammer', conducted by the BARIUM APT group. Since 2010, the BARIUM APT group has targeted game and software development companies from around the world. This group has attempted advanced and intelligent cyber attacks mainly using the 'Winnti' and 'PlugX' malware.

The Korea Internet & Security Agency (KrCERT/CC) analysed several supply chain attacks in the Republic of Korea. And we confirmed a relationship between the ASUS incident and supply chain attacks in Korea.

in this presentation we will talk about the TTPs of the BARIUM group's supply chain attack.

This group used two strategies for supply chain attack:

1. Compromise SW development environment.

2. Compromise update servers.

Cases of supply chain attack in Korea:

1. Attack on anti-virus vendor update server
In 2018, penetration attempts occurred in an anti-virus software vendor's update servers. The attacker gained access to the server via a file upload vulnerability. After local privilege exploit, the pam_unix.so library file was altered to steal account information.

2. Attack on remote control solution manufacturing vendor
KrCERT discovered that malicious code was injected into the software update file. The attacker stole the test account of the remote control solution and hacked the developer's PC. After that, it moved laterally to the development server through malware infection.

3. Attack on NetSarang build derver
The attacker stole the TeamViewer account of the NetSarang build server. Then a linker program was used to inject malicious code into the 'nssock2.dll' for distribution to users. The incident is similar to the supply chain attack on CCleaner that occurred in the same year.

KrCERT put the results of the TTPs based on the ATTA&CK matrix. We will present the attack characteristics of this APT group and discuss how to prevent and respond to attacks.

 

 

Byeongjae Kim

Byeongjae Kim has been doing intrusion analysis and malware analysis for 10 years at the Ministry of Defense and Korea Internet Security Agency. The agency team has analysed various cases of supply chain attacks recently and continue to think about how to respond. Byeongjae is currently analysing the TTPs of attack groups.

 

 

Tae-woo Lee

Tae-woo Lee is in charge of analysis of malicious code and IR at the Korea Internet Security Center (KISC) of the Korea Internet & Security Agency (KISA). Before working at the KISA, he was a malware analyst at an anti-virus company in Korea (ROK).

Currently, he is researching groups carrying out attacks (like ransomware, supply chain attacks and information leakage) that threaten cybersecurity in Korea. He is particularly interested in research related to preventing cyberattacks by groups composed of attackers who speak Korean.

 

Sojun-Ryu-web.jpg

Sojun Ryu

Sojun Ryu graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree in information security from Sungkyunkwan University in Korea. Sojun has worked at KrCERT/CC for seven years, analysing malware and responding to incidents. Recently, Sojun has been focusing on threat analysis.

 

Dongwook-Kim-web.jpg

Dongwook Kim

Dongwook Kim has been working for Korea Internet Security Agency since 2013 as a computer incident analyst. The team has a lot of experiences related to Internet security incident response (supply chain attacks, crypto-currency exchange hacking and so on). Recently, Dongwook has been tracking and analysing specific hacking groups targeting Korea.



Back to VB2020 Programme page

Other VB2020 papers

TBA

Hunting for Android 1-days: analysis of rooting ecosystem

Eugene Rodionov (Google)
Richard Neal (Google)
Lin Chen (Google)

She sells root shells by the C(++) shore

Costin Ionescu (Broadcom)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.