[BreachExchange] Supply Chain Attacks: Hackers Hit IT Providers

Destry Winant destry at riskbasedsecurity.com
Mon Sep 23 10:25:16 EDT 2019


Any attacker able to hack into an IT or managed service provider can
gain access not only to that organization's network, but potentially
also the network of every one of its customers. So it's no surprise
that criminal groups and nation-state attackers alike continue to
attempt these types of supply chain attacks (see: Magecart Nightmare
Besets E-Commerce Websites).

Fresh evidence of the trend comes by way of security firm Symantec,
which warns that a group it's dubbed Tortoiseshell has been hitting IT
providers in the Middle East since at least July 2018, with the most
recent activity spotted just two months ago.

Symantec says the group has hit at least 11 organizations, mostly in
Saudi Arabia, and appears to have gained admin-level access to at
least two organizations as part of its efforts to parlay hacks of IT
providers into the ability to hack their many customers. In those two
networks, it notes, attackers had managed to infect several hundred
PCs with malware called Backdoor.Syskit.

"This is an unusually large number of computers to be compromised in a
targeted attack," Symantec's security researchers say in a report. "It
is possible that the attackers were forced to infect many machines
before finding those that were of most interest to them."

Backdoor.Syskit is a Trojan, written in Delphi and .NET, that's
designed to phone home to a command-and-control server and give
attackers remote access to the infected system so they can push and
execute additional malware on the endpoint, according to Symantec. The
security firm first rolled out an anti-virus signature for the malware
on Aug. 21.

Symantec says attackers have in some cases also used PowerShell
backdoors - also known as a living off the land attack, since it's
tough to spot attackers' use of legitimate tools. They've also
deployed a range of tools designed to gather information about the
system - sometimes including all Firefox data - and send it to

Symantec not identified the targeted organizations, and it says it's
not clear who's behind the attacks. "We currently have no evidence
that would allow us to attribute Tortoiseshell's activity to any
existing known group or nation-state," the researchers say.

Infection Vector: Potentially, Web Servers

The initial infection vector is also unknown, although in at least one
attack, attackers may have hacked into a web server. "For at least one
victim, the first indication of malware on their network was a web
shell," Symantec says. "This indicates that the attackers likely
compromised a web server and then used this to deploy malware onto the

For one of the hacked organizations, researchers say they recovered
malware called Poison Frog - "a backdoor and a variant of a tool
called BondUpdater" - that had infected systems one month prior to the
Tortoiseshell malware.

Use of BondUpdater has been linked to APT34, aka Oilrig, which the
U.S. government has tied to Iran. But the presence of the malware is
no smoking gun, because source code, malicious tools and a list of
target victims linked to the group were dumped on Github and Telegram
in mid-March and the attack spotted by Symantec happened later. As a
result, anyone could now be using attack tools previously tied to
APT34 (see: Despite Doxing, OilRig APT Group Remains a Threat).

Supply Chain Attacks' Allure

As the Tortoiseshell modus operandi suggests, supply chain attacks
remain prevalent, especially against IT and security service
providers, which can give attackers access to a wide range of victims
as well as disguise which organizations they are actually attempting
to target.

"IT providers are an ideal target for attackers given their high level
of access to their clients' computers. This access may give them the
ability to send malicious software updates to target machines, and may
even provide them with remote access to customer machines," Symantec
says. "This provides access to the victims' networks without having to
compromise the networks themselves, which might not be possible if the
intended victims have strong security infrastructure, and also reduces
the risk of the attack being discovered."

Ransomware Attackers Hit Suppliers Too

The ability to potentially hack one organization and gain access to
many more is also driving ransomware attackers.

Connecticut-based ransomware incident response firm Coveware, for
example, says some ransomware-as-a-service affiliates wielding
Sodinokibi ransomware have been specializing in targeting IT managed
service providers and their remote management tools.

Such tools get installed on every endpoint that a firm manages. Hence,
if attackers can either directly access endpoints running the software
or gain access to the MSP and push software to the endpoints, they
have access to an already working backdoor on every system.

Bill Siegel, CEO of Coveware, says that when such attacks succeed,
they often have a major impact. "It's been devastating, because when
they do get into an MSP, they hit hundreds of companies, sometimes
simultaneously, [generating] very high return on the attack, rather
than just hitting the MSP, which is also a small business," he tells
Information Security Media Group. "They're hitting hundreds of small
organizations at a time." (See: Ransomware Gangs Practice Customer
Relationship Management).

The recent ransomware campaign that hit 22 Texas municipalities, for
example, appears to have involved a single attacker hacking into at
least one MSP. Gary Heinrich, the mayor of one of the affected
municipalities - Keene, Texas, with a population of 6,100 - last month
told NPR that the attacker hacked into its IT and demanded a total
ransom worth $2.5 million to restore all crypto-locked systems across
the 22 municipalities. "They got into our software provider, the guys
who run our IT systems," Heinrich told NPR. "A lot of folks in Texas
use providers to do that, because we don't have a staff big enough to
have IT in house."

Texas state officials declined to comment to ISMG about whether one or
more MSPs were compromised in the attack. But in the wake of the
attack and incident response efforts, Nancy Rainosek, the CISO of
Texas, offered five lessons learned from the attack that she says are
applicable to any organization that uses remotely administered IT
services or managed security providers (see: Texas Ransomware
Responders Urge Remote Access Lockdown).

More information about the BreachExchange mailing list