A supply-chain attack consists of attacking a vendor in order to spread malware to its clients. The supply chain itself is therefore only a means to an end. This kind of attack gives attackers strategic advantages: they need to compromise only a single point in order to affect multiple targets, they evade traditional network analysis and detection tools, they do not require phishing, and they gain access to otherwise hardened targets.
This document describes a sophisticated attack, recently discovered by RSA, on a software supply chain (Altair Technologies). The attack caused organizations to “upgrade” their appliance to a version containing malware. It specifically targeted Windows operating system administrators by exploiting the product's auto-update process as well as new installations of the product.
The purpose of this document is to describe the supply-chain attack, and provide organizations with indicators of compromise, allowing them to check if one of their workstations was infected.
A supply-chain attack consists of attacking a vendor in order to spread malware to its clients. Users typically trust their vendors, and are therefore likely to install updates (especially when these are digitally signed by the trusted vendor). In the case of Kingslayer, Altair Technologies, also known for its well-known http://www.eventid.net website, had its version of EvLog altered to contain malicious code.
The attackers obtained the private signing key of Altair Technologies, and used it in order to sign an altered version of their EvLog product. This allowed them to act as the software provider, meaning that they were able to keep the functionality of the software, whilst also hiding malicious code within it.
For those of you who are unfamiliar with EvLog: EvLog lets users quickly analyze the Windows event log, allowing system administrators to search for events efficiently. Thus, in our opinion, what makes Kingslayer especially concerning is the fact that the target audience is domain administrators (or power users). This allows the attacker to compromise the entire network in a swift lateral movement phase, since they already have a malicious “Trojan horse” application running on the network with domain administrator privileges.
From analyzing the attack it appears that at least three binaries, as well as an MSI software installation package, were modified for malicious purposes using the original source code, and signed using the stolen signing private key.
Later, clients who wished to install a newer version of the product were redirected to the malicious domain www.oraclesoft.net by an attacker-modified .htaccess file. Once redirected, a Trojan disguised as the original software was downloaded and installed. Upon successful installation, a second piece of malware was downloaded to provide command and control. In addition, other binaries, such as ones for stealing stored passwords from Chrome and Firefox, were also executed.
Although the infection window ran from April 2015 to July 2015, an organization that used EvLog during that time might still be infected. As observed by RSA, numerous organizations were affected by the attack, including the following:
· 4 major telecommunications providers.
· 10+ western military organizations.
· 24+ Fortune 500 companies.
· 5 major defense contractors.
· 36+ major IT product manufacturers or solutions providers.
· 24+ western government organizations.
· 24+ banks and financial institutions.
· 45+ higher educational institutions.
3.1 DNS & FW
Organizations are requested to check their FW and DNS log files for connections to the following hosts:
Organizations are requested to check for the presence of files with the following malicious hashes (SHA-256):
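The two checks requested above, matching DNS and firewall log lines against indicator hosts and matching files on disk against indicator SHA-256 hashes, as an added Python example that is not part of the original advisory. The indicator lists it carries are placeholders to be replaced with the advisory's own values, except for www.oraclesoft.net, which the text names as the redirect domain; the log lines and the sample file are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical indicator sets. www.oraclesoft.net is the redirect domain named
# in the text; the other host and the hash are placeholders, not real IoCs.
IOC_HOSTS = {
    "www.oraclesoft.net",
    "ioc-host-placeholder.example",
}
IOC_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",  # placeholder
}

# Constructed DNS/firewall log lines in the style of a simple text log.
SAMPLE_LOG = [
    "2015-05-12 09:14:03 dns query from 10.0.0.5: www.oraclesoft.net. A",
    "2015-05-12 09:14:04 fw allow 10.0.0.5 -> 203.0.113.10:80 host=www.oraclesoft.net",
    "2015-05-12 09:15:00 dns query from 10.0.0.6: www.eventid.net. A",
]

# A hostname-looking token: labels separated by dots, ending in an alphabetic TLD.
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_ioc_hosts(log_lines, indicators=IOC_HOSTS):
    """Return (line_number, host) pairs for log lines that mention an indicator host.

    Every hostname-looking token on the line is normalised (lower-case, trailing
    dot removed, as DNS logs often write FQDNs) and compared against the set, so
    the same function serves DNS query logs and firewall logs.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in HOST_RE.findall(line):
            host = token.lower().rstrip(".")
            if host in indicators:
                hits.append((n, host))
    return hits


def sha256_of_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_ioc_files(root, indicators=IOC_SHA256):
    """Return (path, digest) pairs for files under root whose SHA-256 is an indicator."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_of_file(p)
        except OSError:
            continue  # unreadable or vanished file; skip rather than abort the sweep
        if digest in indicators:
            hits.append((str(p), digest))
    return hits


def run_demo():
    """Constructed demonstration: scan the sample log and a temporary directory.

    Returns the host hits and whether the hash sweep found the constructed file.
    """
    host_hits = find_ioc_hosts(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "EvLog.exe"  # constructed file, not the real EvLog
        sample.write_bytes(b"constructed sample binary, not the real EvLog")
        digest = sha256_of_file(sample)
        # For the demo only, treat the constructed file's digest as an indicator.
        file_hits = find_ioc_files(tmp, {digest})
    return host_hits, [d for _, d in file_hits] == [digest]


if __name__ == "__main__":
    hosts, file_found = run_demo()
    for line_no, host in hosts:
        print(f"line {line_no}: indicator host {host}")
    print("hash sweep found the constructed sample:", file_found)
```

In practice, point `find_ioc_hosts` at the exported DNS and firewall logs and `find_ioc_files` at the directories where EvLog and its installer were placed, after loading the advisory's host and hash lists into the two sets.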
The Kingslayer attack has shown that vendors cannot always be trusted. If a vendor is breached, the entire organization might be compromised. It is therefore imperative that organizations confine their vendor environments to the minimum required permissions: FW restrictions should be applied at the very least, and it may be better to execute third-party tools on a workstation isolated from the user's main workstation.
In the case of Kingslayer, no phishing scenario was required to get domain administrators to install malware. It is therefore important that third-party tools are not executed with domain admin privileges unless absolutely required. In the case of EvLog, for example, it might have been better for organizations to create a dedicated Active Directory user with read access to the event log only. If EvLog is executed by this user, only that user's workstation is affected, rather than the entire domain.