Wednesday, March 1, 2017

Kingslayer – A Supply Chain Attack


A supply-chain attack consists of compromising a vendor in order to spread malware to its clients; the supply chain itself is only a means to an end. This kind of attack gives attackers strategic advantages: a single point of compromise affects multiple targets, the malicious update evades traditional network analysis and detection tools because it arrives through a trusted channel, no phishing is required, and it provides access to otherwise hardened targets.
This document describes a sophisticated attack, recently disclosed by RSA, on the software supply chain of a vendor (Altair Technologies). The attack caused organizations to "upgrade" to a product version containing malware. It specifically targeted Windows system administrators by abusing the product's auto-update process as well as new installations of the product.
The purpose of this document is to describe the supply-chain attack and to provide organizations with indicators of compromise, so that they can check whether any of their workstations was infected.

2.        Supply-chain Attacks

A supply-chain attack consists of compromising a vendor in order to spread malware to its clients. Users typically trust their vendors and are therefore likely to install updates, especially when these are digitally signed by the trusted vendor. In the case of Kingslayer, Altair Technologies, also known for its popular http://www.eventid.net website, had its EvLog product altered to contain malicious code.
The attackers obtained Altair Technologies' private code-signing key and used it to sign an altered version of the EvLog product. This allowed them to pose as the software provider: the altered build kept the legitimate functionality of the software while hiding malicious code within it, and its signature validated exactly like a genuine release.
For those unfamiliar with EvLog: it lets system administrators search and analyze the Windows event log efficiently. In our opinion, what makes Kingslayer especially concerning is that its target audience is domain administrators (or power users). A trojanized application already running on the network with domain administrator privileges gives the attacker a foothold from which the entire network can be compromised in a swift lateral movement phase.
From analysis of the attack it appears that at least three binaries, as well as an MSI installation package, were modified for malicious purposes from the original source code and signed with the stolen private signing key.
Later, clients who wished to install a newer version of the product were redirected to the malicious domain www.oraclesoft.net through a modification of the vendor's .htaccess file. Once redirected, a Trojan disguised as the original software was downloaded and installed. Upon successful installation, a second-stage piece of malware was downloaded that communicated with a command and control server. In addition, other binaries, such as ones for stealing stored passwords from Chrome and Firefox, were also executed.
Although the infection window ran from April 2015 to July 2015, an organization that used EvLog during that period might still be infected. As observed by RSA, numerous organizations were affected by the attack, including the following:
·        4 major telecommunications providers.
·        10+ western military organizations.
·        24+ Fortune 500 companies.
·        5 major defense contractors.
·        36+ major IT product manufacturers or solutions providers.
·        24+ western government organizations.
·        24+ banks and financial institutions.
·        45+ higher educational institutions.

3.        Indicators of compromise

3.1 DNS & FW

Organizations are requested to check their firewall (FW) and DNS log files for connections to the following hosts:
·        www.oraclesoft.net
·        images.timekard.com

3.2 Files
Organizations are requested to check for the existence of files with the following SHA-256 hashes:
caea901a301b9c103d90b8539819e050e57b67c6ff4d7863ad1cd549f5fdc2af
383d60bffd5dc64e38893361cb03939bc8c6d5e476dc70755eb0886947e51661
7aa474d0d39a41768149f413c451e9208f73af4d262b6575ada31644f5699153
15113f237b29f51c78f315db7d815c5ed1340f52b500f66979edb153515910d7
72ccf28f4636403249d87721e802140ccae2248b810860f8c5d4f33d07363597
4286ecd104cf0667064ad008e5ac9ffa33a0f7858bb745d533fdb30369e89dd4
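As an added example (not part of the RSA report or of this advisory), the following PowerShell script hunts for both sets of indicators above on a Windows host: it searches plain-text DNS and firewall logs for the two IoC hosts and hashes candidate files under common install locations against the SHA-256 list. The log paths, scan roots and extension filter are assumptions to be adjusted per environment; the Windows DNS debug-log label form (e.g. `(3)www(10)oraclesoft(3)net`) is handled because the DNS server writes queried names that way.

```powershell
# Added example: Kingslayer IoC hunt (not from the original advisory).
# Paths below are assumptions; adjust $LogRoots and $ScanRoots to your environment.

$IocDomains = @('www.oraclesoft.net', 'images.timekard.com')
$IocHashes  = @(
    'caea901a301b9c103d90b8539819e050e57b67c6ff4d7863ad1cd549f5fdc2af',
    '383d60bffd5dc64e38893361cb03939bc8c6d5e476dc70755eb0886947e51661',
    '7aa474d0d39a41768149f413c451e9208f73af4d262b6575ada31644f5699153',
    '15113f237b29f51c78f315db7d815c5ed1340f52b500f66979edb153515910d7',
    '72ccf28f4636403249d87721e802140ccae2248b810860f8c5d4f33d07363597',
    '4286ecd104cf0667064ad008e5ac9ffa33a0f7858bb745d533fdb30369e89dd4'
)

# Assumed locations: the Windows DNS server debug log and an exported firewall log.
$LogRoots  = @('C:\Windows\System32\dns\dns.log', 'C:\Logs\firewall')
# Assumed locations where the EvLog installer, its binaries and dropped stages may sit.
$ScanRoots = @('C:\Program Files', 'C:\Program Files (x86)', $env:LOCALAPPDATA, $env:TEMP)

# Build one regex per IoC host that matches both "www.oraclesoft.net" and the
# DNS debug-log label form "(3)www(10)oraclesoft(3)net".
function ConvertTo-DnsPattern {
    param([string]$Domain)
    $labels = $Domain.Split('.') | ForEach-Object { [regex]::Escape($_) }
    return '(?i)(?<![A-Za-z0-9-])(?:\(\d+\))?' + ($labels -join '(?:\.|\(\d+\))') + '(?![A-Za-z0-9-])'
}
$patterns = $IocDomains | ForEach-Object { ConvertTo-DnsPattern $_ }

# 3.1: network indicators. One MatchInfo object per matching log line.
$netHits = Get-ChildItem -Path $LogRoots -File -Recurse -ErrorAction SilentlyContinue |
    Select-String -Pattern $patterns

# 3.2: file indicators. Only executable-type files are hashed to keep the scan
# fast; widen the filter if you suspect renamed droppers.
$fileHits = Get-ChildItem -Path $ScanRoots -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in @('.exe', '.dll', '.msi', '.tmp', '.dat') } |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and ($IocHashes -contains $hash.ToLower())) { $_ }
    }

foreach ($m in $netHits) {
    '[NET]  {0}:{1}: {2}' -f $m.Path, $m.LineNumber, $m.Line.Trim()
}
foreach ($f in $fileHits) {
    # The trojanized builds were signed with the vendor's stolen key, so a "Valid"
    # Authenticode status does NOT clear a file; the hash match is what counts.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    '[FILE] {0} (Authenticode: {1}; signer: {2})' -f $f.FullName, $sig.Status, $sig.SignerCertificate.Subject
}
if (-not $netHits -and -not $fileHits) { 'No Kingslayer IoC matches found.' }

# Non-zero exit code when anything matched, so the script can run as a scheduled check.
exit ([int][bool]($netHits -or $fileHits))
```

Run it elevated so that program directories and other users' profiles are readable; on a DNS server, enable debug logging first or point `$LogRoots` at the resolver or proxy logs your environment actually keeps.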


4.        Conclusions

The Kingslayer attack has shown that vendors cannot always be trusted: if a vendor is breached, the entire organization might be compromised. It is therefore imperative that organizations confine vendor software to the minimum required permissions and connectivity. Firewall restrictions on what third-party tools may reach should be applied at the very least, and it may be better to run such tools on a workstation isolated from the user's main workstation.
In the case of Kingslayer, no phishing was required to make domain administrators install malware. It is therefore important that third-party tools are not executed with domain admin privileges unless absolutely necessary. In the case of EvLog, for example, organizations could have created a dedicated Active Directory user with read access to the event log and nothing more. If EvLog is executed by this user, a compromise affects only that user's workstation and rights rather than the entire domain.
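An added example of the least-privilege setup recommended above (not from the original advisory): a dedicated domain account whose only extra right is event log read access, granted through the built-in "Event Log Readers" group, with EvLog launched under that account rather than from a domain-admin session. The domain name, account name, server list and EvLog install path are assumptions.

```powershell
# Added example: run EvLog as a least-privilege event-log reader (not from the advisory).
# Assumptions: RSAT ActiveDirectory module present, NetBIOS domain CORP, EvLog installed
# at the path below. Run from a management host with rights to create domain users.
Import-Module ActiveDirectory

$Domain  = 'CORP'                                    # assumed domain name
$User    = 'svc-evlog-reader'                        # assumed account name
$Servers = @('srv-dc01', 'srv-app01', 'srv-file01')  # assumed hosts whose logs EvLog reads
$EvLog   = 'C:\Program Files\EvLog\evlog.exe'        # assumed install path

# 1. A plain domain user: no admin group membership. The description documents the
#    purpose so the account is not later handed extra rights "for convenience".
$pw = Read-Host -AsSecureString -Prompt "Initial password for $User"
New-ADUser -Name $User -SamAccountName $User -AccountPassword $pw -Enabled $true `
    -Description 'Read-only event log analysis (EvLog); must never be a local or domain admin'

# 2. Event log read access only. "Event Log Readers" is a built-in group that exists
#    in the domain (covering domain controllers) and locally on every member server;
#    membership grants read access to that machine's event logs and nothing else.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $User

$memberServers = $Servers | Where-Object { $_ -ne 'srv-dc01' }
Invoke-Command -ComputerName $memberServers -ScriptBlock {
    param($Account)
    net localgroup 'Event Log Readers' $Account /add | Out-Null
} -ArgumentList "$Domain\$User"

# 3. Verify: the account must sit in no admin group, and it must be able to read a log.
$groups = (Get-ADPrincipalGroupMembership -Identity $User).Name
if ($groups -match 'Admin') { throw "Refusing to continue: $User is in an admin group: $groups" }

$cred = Get-Credential -UserName "$Domain\$User" -Message 'EvLog reader account'
Get-WinEvent -ComputerName 'srv-app01' -LogName 'Security' -MaxEvents 3 -Credential $cred |
    Select-Object TimeCreated, Id, ProviderName

# 4. Launch EvLog under the reader account, never from a domain-admin session. If the
#    build later turns out to be trojanized, only this account's rights are exposed.
Start-Process -FilePath $EvLog -Credential $cred
```

The same pattern applies to any third-party administrative tool: give it a purpose-built account, grant the one right it needs through an existing built-in group, and verify the account's group membership before the tool is ever run.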

5.        Sources