Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It? — Krebs on Security

https://krebsonsecurity.com/2018/10/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it/

You can have it fast, cheap, or secure — pick any two.

It seems to be possible as long as “secure” isn’t one of your choices.

We don’t often hear about intentional efforts to subvert the security of the technology supply chain simply because these incidents tend to get quickly classified by the military when they are discovered.
Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”
“Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product,” Schneier wrote.

Most of the U.S. government’s efforts to police the global technology supply chain seem to be focused on preventing counterfeits — not finding secretly added spying components.

Finally, it’s not clear that private industry is up to the job, either. At least not yet.

Supply chain challenges definitely fit into the category “things I can’t change”.

87 Comments

  1. Tomi Engdahl says:

    Joseph Bernstein / BuzzFeed News:
    Amazon canceled some ads on Bloomberg’s properties, sources say due to China spy chips story; sources: Apple did not invite Bloomberg to fall product event — Amazon pulled its fourth quarter advertisements on Bloomberg’s website, a move some within the media giant think is retribution …

    Amazon Has Pulled Its Ads From Bloomberg Over China Hack Story
    https://www.buzzfeednews.com/article/josephbernstein/amazon-pulled-ads-bloomberg-over-china-hack-story

    Sources say both Amazon and Apple are taking retributive measures against the outlet that alleged they were hacked by China.

  2. Tomi Engdahl says:

    Building a Proof of Concept Hardware Implant
    https://hackaday.com/2018/10/24/building-a-proof-of-concept-hardware-implant/

    [Nicolas Oberli] of Kudelski Security wanted to do more than idly speculate, so he decided to come up with a model of how an implanted hardware espionage device could interact with the host system. He was able to do this with off the shelf hardware, meaning anyone who’s so inclined can recreate this “Hardware Implant Playset” in their own home lab for experimentation. Obviously this is not meant to portray a practical attack in terms of the hardware itself, but gives some valuable insight into how such a device might function.

    Build Your Own Hardware Implant
    https://research.kudelskisecurity.com/2018/10/23/build-your-own-hardware-implant/

  3. Tomi Engdahl says:

    IFTLE 397: Malicious Embedded Chips? And TSMC Rides the Leading Edge
    https://www.3dincites.com/2018/10/iftle-397-malicious-embedded-chips-and-tsmc-rides-the-leading-edge/

    Malicious Embedded Chips in our Mother Boards?

    Early October brought a report from Bloomberg that I have heard was the top tech story circulating at the DoD and DARPA.

    For years, articles about counterfeit chips, and our reliance on Asian-made chips – where they could be modified in ways to pass on information or allow hacks – have worried us. Now… we’ve got something new to worry about.

    The 3rd party discovered that the servers customers installed in AWS’ networks to handle the video compression were assembled by Super Micro Computer, a San Jose CA company that also supplied the server motherboards. Nested on the servers’ motherboards, the testers found a tiny microchip that wasn’t part of the boards’ original design.

    Amazon reported the discovery to U.S. authorities. Elemental’s servers were found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. Investigators reportedly determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines.

    Elemental was just one of the hundreds of Super Micro customers

    The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment. While Apple and Amazon denied the Bloomberg report, Bloomberg defended its reporting, indicating that “…the companies’ denials are countered by six current and former senior national security officials, who in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation.

    One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and classified, nature of the information.”

    Certainly, if nothing else, these reports have opened eyes to the issue of not having the capability for packaging and assembly in the US for consumer products, as well as DoD applications.

    https://www.reuters.com/article/us-china-cyber/apple-amazon-deny-bloomberg-report-on-chinese-hardware-attack-idUSKCN1ME19J

  4. Tomi Engdahl says:

    Hardware Cyberattacks: How Worried Should You Be?
    https://www.darkreading.com/vulnerabilities—threats/hardware-cyberattacks-how-worried-should-you-be/d/d-id/1333167

    How to fit hardware threats into your security model as hardware becomes smaller, faster, cheaper, and more complex.

  5. Tomi Engdahl says:

    Supply-chain attack on cryptocurrency exchange gate.io
    https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/

    Latest ESET research shows just how far attackers will go in order to steal bitcoin from customers of one specific virtual currency exchange

    On November 3, attackers successfully breached StatCounter, a leading web analytics platform. This service is used by many webmasters to gather statistics on their visitors – a service very similar to Google Analytics.

    By compromising the StatCounter platform, attackers can inject JavaScript code in all websites that use StatCounter.

    Attackers modified the script at http://www.statcounter.com/counter/counter.js by adding a piece of malicious code.

  6. Tomi Engdahl says:

    Microsoft Finds Pirated Windows on Too Many New Computers
    Company also discovers malware and coin miners on these PCs
    https://news.softpedia.com/news/microsoft-finds-pirated-windows-on-too-many-new-computers-523595.shtml

    Microsoft has conducted its own investigation on the Asian new PC market, only to discover an insane number of computers sold with a pirated Windows license.

    As reported by The Economic Times, Microsoft purchased PCs between May and July from Asian markets in an attempt to determine how many of them are shipped with counterfeit Windows licenses and malware pre-installed.

  7. Tomi Engdahl says:

    DUST Identity Emerges From Stealth to Protect Device Supply Chain
    https://www.securityweek.com/dust-identity-emerges-stealth-protect-device-supply-chain

    Boston, MA-based start-up firm DUST Identity has emerged from stealth with $2.3 million seed funding led by Kleiner Perkins, with participation from New Science Ventures, Angular Ventures, and Castle Island Ventures. It was founded in 2018 by Ophir Gaathon (CEO), Jonathan Hodges (VP engineering) and Dirk Englund (board member).

    DUST, an anagram for ‘diamond unclonable security tag’, has developed a method to ensure the provenance and integrity of any object. Its purpose is to protect the physical supply chain from manufacture to installation, and during continued use. In essence, a very tiny spray of diamond particles is applied to any surface. The pattern created is random but unique to each object. This is scanned and recorded, and becomes the object’s fingerprint. Any physical attempt to tamper with the object disturbs the fingerprint and becomes known.

    The spray pattern is random by design. DUST takes the view that if it could predefine a pattern, then an adversary would be able to copy it. Instead it allows the vagaries of nature and the environment to create an unclonable unique pattern.

  8. Tomi Engdahl says:

    Security agencies warn of foreign espionage threat to company networks
    RCMP warns of ‘supply chain vulnerability’ — a back-door tactic to infiltrate systems
    https://www.cbc.ca/news/politics/security-agencies-warn-espionage-networks-1.4919962

    Canadian companies should watch out when they use technology supplied by state-owned companies from countries that want to steal corporate secrets, the country’s security agencies have warned.

    The RCMP organized two workshops last March — one in Calgary, the other in Toronto — to raise awareness about threats to critical systems, including espionage and foreign interference, cyberattacks, terrorism and sabotage, newly disclosed documents show.

  9. Tomi Engdahl says:

    Super Micro Finds No Malicious Hardware in Motherboards
    https://www.wsj.com/articles/super-micro-finds-no-malicious-hardware-in-motherboards-11544534182

    Company examined equipment following allegations of a rogue chip

    Super Micro Computer Inc. told its customers in a letter Tuesday that a third-party firm didn’t find malicious hardware on its equipment, as the supplier of motherboards continued to dispute a report that its products had been sabotaged.

    “After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,”

  10. Tomi Engdahl says:

    Supermicro Says It Found No Evidence of Malicious Chips
    https://www.electronicdesign.com/industrial-automation/supermicro-says-it-found-no-evidence-malicious-chips?NL=ED-003&Issue=ED-003_20181212_ED-003_612&sfvc4enews=42&cl=article_2_b&utm_rid=CPG05000002750211&utm_campaign=22123&utm_medium=email&elq2=02cb54f925b14521a87ad0312a4a1438

    Supermicro has faced allegations for months that some server motherboards it sold contained malicious chips that opened a backdoor into the data centers of major technology companies, including Apple and Amazon.

    The company came under scrutiny earlier this year after a Bloomberg report claimed that some Supermicro motherboards were carrying covert implants inserted in factories operated by the company’s Chinese contractors. Supermicro said that the firm it hired had found no evidence of malicious chips in a representative sample of its motherboards,

  11. Tomi Engdahl says:

    EVERYBODY DOES IT: THE MESSY TRUTH ABOUT INFILTRATING COMPUTER SUPPLY CHAINS
    https://theintercept.com/2019/01/24/computer-supply-chain-attacks/

  12. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers find that weaknesses in Supermicro hardware would let an attacker leave a persistent and hidden backdoor on IBM’s cloud “bare-metal” servers — Other providers of bare-metal cloud computing might also be vulnerable to BMC hack. — More than five years …

    Supermicro hardware weaknesses let researchers backdoor an IBM cloud server
    Other providers of bare-metal cloud computing might also be vulnerable to BMC hack.
    https://arstechnica.com/information-technology/2019/02/supermicro-hardware-weaknesses-let-researchers-backdoor-an-ibm-cloud-server/

    More than five years have passed since researchers warned of the serious security risks that a widely used administrative tool poses to servers used for some of the most sensitive and mission-critical computing. Now, new research shows how baseboard management controllers, as the embedded hardware is called, threaten premium cloud services from IBM and possibly other providers.

  13. Tomi Engdahl says:

    Hackers Backdoor Cloud Servers to Attack Future Customers
    https://www.bleepingcomputer.com/news/security/hackers-backdoor-cloud-servers-to-attack-future-customers/

    A new vulnerability dubbed Cloudborne can allow attackers to implant backdoor implants in the firmware or BMC of bare metal servers that survive client reassignment in bare metal and general cloud services, leading to a variety of attack scenarios.

    Organizations deploying critical high-value apps on bare metal servers through Infrastructure as a Service (IaaS) offerings consider it the best alternative to buying their own hardware because this allows for easy and quick scaling of cloud-based applications without the need of sharing the hardware with other users.

    While this generally means that an organization’s critical apps are always running on dedicated servers, the fact that those servers are reclaimed and re-assigned once the client no longer needs them exposes them to firmware weaknesses and vulnerabilities that can persist between customer assignments.

    Even though IBM and Eclypsium are already engaged in talks regarding the severity level of this vulnerability, other cloud vendors have yet to chime in on a discussion that could be going on for a while, considering the long-term implications of such security issues and the apparently extremely hard-to-implement fixes.

  14. Tomi Engdahl says:

    Hackers Can Plant Backdoors on Bare Metal Cloud Servers: Researchers
    https://www.securityweek.com/hackers-can-plant-backdoors-bare-metal-cloud-servers-researchers

    Malicious actors could plant firmware backdoors on bare metal cloud servers and use them to disrupt applications, steal data, and launch ransomware attacks, firmware security company Eclypsium warned on Tuesday.

  15. Tomi Engdahl says:

    Supermicro Servers Can Be Easily Backdoored After All
    https://www.tomshardware.com/news/supermicro-ibm-servers-easily-backdoored-research,38697.html

    Last year, Bloomberg ran a report saying Supermicro-supplied servers come with Chinese backdoors and that this may have been a reason for Apple to drop them in 2016, although Apple denied espionage concerns at the time. Although new research published today doesn’t exactly confirm Bloomberg’s report that Supermicro servers ship with pre-installed backdoors, it does point to the microcontrollers used by Supermicro and the firmware that comes with them being easily backdoored without detection.

    Supermicro’s “Parasitic Servers” Are Easily Exploitable
    Previous research had shown that baseboard management controllers (BMCs), which are motherboard-attached microcontrollers, can give extraordinary remote access to servers inside data centers. The management capability on these BMCs is provided via the Intelligent Platform Management Interface (IPMI), which in many ways is similar to Intel’s Management Engine and its Active Management Technology and poses the same large risks of allowing attackers to take over servers remotely.

  16. Tomi Engdahl says:

    Warning: ASUS Software Update Server Hacked to Distribute Malware
    https://thehackernews.com/2019/03/asus-computer-hacking.html

    CCleaner hack was one of the largest supply chain attacks that infected more than 2.3 million users with a backdoored version of the software in September 2017.

    Security researchers today revealed another massive supply chain attack that compromised over 1 million computers manufactured by Taiwan-based tech giant ASUS.

    A group of state-sponsored hackers last year managed to hijack the ASUS Live Update automatic software update server between June and November 2018 and pushed malicious updates to install backdoors on over one million Windows computers worldwide.

  17. Tomi Engdahl says:

    ShadowHammer: Malicious updates for ASUS laptops
    https://www.kaspersky.com/blog/shadow-hammer-teaser/26149/

    Asus unwittingly pushed malware to 500k laptops after hack
    https://boingboing.net/2019/03/25/asus-unwittingly-pushed-malwar.html

  18. Tomi Engdahl says:

    Spyware sneaks into ‘million-ish’ Asus PCs via poisoned software updates, says Kaspersky
    Hackers were interested in 600 or so targets, it is claimed
    https://www.theregister.co.uk/2019/03/25/asus_software_update_utility_backdoor/

    ASUS Live Update Infected with Backdoor in Supply Chain Attack
    https://www.bleepingcomputer.com/news/security/asus-live-update-infected-with-backdoor-in-supply-chain-attack/

    A new advanced persistent threat (APT) campaign detected by Kaspersky Lab in January 2019 and estimated to have run between June and November 2018 has allegedly impacted over one million users who have downloaded the ASUS Live Update Utility on their computers.

    Kaspersky Lab’s Global Research and Analysis (GReAT) team named this malicious campaign Operation ShadowHammer and, as initially reported by Kim Zetter, it is supposed to have led to the backdoored version of ASUS Live Update being downloaded and installed by more than 57,000 Kaspersky users.

  19. Tomi Engdahl says:

    Some ASUS Updates Drop Backdoors on PCs in ‘Operation ShadowHammer’
    https://threatpost.com/asus-pc-backdoors-shadowhammer/143129/

    The attack appears to be associated with a China-backed APT actor.

    A supply-chain attack dubbed “Operation ShadowHammer” has been uncovered, targeting users of the ASUS Live Update Utility with a backdoor injection. The China-backed BARIUM APT is suspected to be at the helm of the project.

  20. Tomi Engdahl says:

    Wipro hacked, used as a springboard for more attacks
    https://www.itproportal.com/news/wipro-hacked-used-as-a-springboard-for-more-attacks/

    Phishing attacks attempted against Wipro’s clients.

    Wipro, one of India’s largest IT outsourcing and consulting companies, has been used as a weapon against its own customers, security researchers are saying.

    Apparently an unknown, possibly state-sponsored, attacker breached Wipro’s networks months ago, and then used them to conduct phishing attacks against Wipro’s clients.

  21. Tomi Engdahl says:

    Wipro Intruders Targeted Other Major IT Firms
    https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it-firms/

    The crooks responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, India’s third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant, new evidence suggests. The clues so far suggest the work of a fairly experienced crime group that is focused on perpetrating gift card fraud.

  22. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    Kaspersky researchers say the supply-chain attack that infected ASUS and its PC update tool this year also affected six other companies, mostly in South Korea

    ShadowHammer Targets Multiple Companies, ASUS Just One of Them
    https://www.bleepingcomputer.com/news/security/shadowhammer-targets-multiple-companies-asus-just-one-of-them/

    ASUS was not the only company targeted by supply-chain attacks during the ShadowHammer hacking operation as discovered by Kaspersky, with at least six other organizations having been infiltrated by the attackers.

    As further found out by Kaspersky’s security researchers, ASUS’ supply chain was successfully compromised by trojanizing one of the company’s notebook software updaters, named ASUS Live Updater, which eventually was downloaded and installed on the computers of tens of thousands of customers, according to experts’ estimations.

    However, ASUS was not the only company which got its IT infrastructure infiltrated during Operation ShadowHammer given that the researchers were able to find a number of other malware samples that employed similar algorithms and were also signed with valid and legitimate certificates.

    The researchers also stated that “how many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism.”

  23. Tomi Engdahl says:

    Analyzing C/C++ Runtime Library Code Tampering in Software Supply Chain Attacks
    https://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks/

    For the past few years, the security industry’s very backbone — its key software and server components — has been the subject of numerous attacks through cybercriminals’ various works of compromise and modifications. Such attacks involve the original software’s being compromised via malicious tampering of its source code, its update server, or in some cases, both.

  24. Tomi Engdahl says:

    Tara Seals / Threatpost:
    Flashpoint says April Wipro attack was done by hackers who may have been operating under the radar since ’15, have the hallmarks of an advanced, organized group

    Wipro Attackers Have Operated Under the Radar for Years
    https://threatpost.com/wipro-attackers-under-radar/144276/

    The adversaries have the hallmarks of an advanced, organized group, with well-established infrastructure.

    New details are emerging in the April attack on systems consulting behemoth Wipro, which saw its network hacked and used for mounting attacks on a dozen of its customers. In a fresh analysis of the indicators of compromise (IOCs), Flashpoint analysts said that the cyberattackers have actually been operating in the shadows for some time – and that the Wipro incident is only its latest effort.

  25. Tomi Engdahl says:

    Wipro Threat Actors Active Since 2015
    https://www.flashpoint-intel.com/blog/wipro-threat-actors-active-since-2015/

    As more layers of the Wipro breach are peeled away, new intelligence about the actors behind the attack on one of India’s largest IT outsourcing and consulting organizations has emerged. Evidence uncovered by Flashpoint researchers links the threat actors to other malicious activity dating back to 2017, and possibly 2015, as well as the re-use of infrastructure from those older attacks.

    Also, many legitimate security applications were abused during this campaign. For example, the phishing templates used to ensnare victims inside Wipro match those provided by a security awareness training provider. The attackers also dropped ScreenConnect on the machines they compromised inside Wipro, and some of the domains used in the attack were hosting powerkatz and powersploit scripts.

  26. Tomi Engdahl says:

    A MYSTERIOUS HACKER GROUP IS ON A SUPPLY CHAIN HIJACKING SPREE
    https://www.wired.com/story/barium-supply-chain-hackers/?mbid=social_fb&utm_brand=wired&utm_campaign=wired&utm_medium=social&utm_social-type=owned&utm_source=facebook

    A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer’s network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain hacking spree—and becoming more advanced and stealthy as they go.

  27. Tomi Engdahl says:

    They’re known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask.

  29. Tomi Engdahl says:

    Data Sharing And Digital Threads
    https://semiengineering.com/data-sharing-and-digital-threads/

    Share product information with members of the supply chain without exposing your data.

    The benefits of digital threads
    A digital thread tracks the genealogy and data of a product—from each component right through to the end-product. Given their significant benefits, it is only a matter of time before digital threads become standard operating procedure in manufacturing supply chains. This will bring many benefits:

    Lower RMA costs: Through board-to-chip correlations, faster root cause analysis, running online RMA prevention rules, reducing No-Trouble-Found (NTF) rates and, in the worst case, implementing highly targeted recalls.
    Improved quality and time-to-quality: By reducing time to reach acceptable Defective-Parts-Per-Million (DPPM) goals for new products, creating an online quality link between chips and boards, and using advanced failure prediction techniques such as escape prevention and outlier detection.
    More efficient test processes: Via adaptive testing that uses component data to test “suspect” parts more and “perfect” parts less.
    Better system performance: By avoiding in-spec chips with marginal performance and pairing the right chips with the right board.

    But digital threads require data sharing
    The fundamental principle of a digital thread is that data is shared—inside the organization and with every company along the supply chain. For electronics manufacturers, that could mean data from each component’s fabrication and test phases, through assembly, inspection and rework and finally to usage data from the field.

    A data sharing hub
    The data sharing hub is a trusted entity that facilitates Machine Learning and analytics while hiding the “raw” data from the other members of the supply chain. It is only the insights derived from the data that are shared among the different parties. In the meantime, the hub has the visibility across the entire supply chain that is required to track down where issues stem from—issues that otherwise may have not been discovered until the very end of the supply chain.

  30. Tomi Engdahl says:

    Hackers Exploit ASUS Update Process to Install Backdoor
    https://www.securityweek.com/hackers-exploit-asus-update-process-install-backdoor

    The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.

  31. Tomi Engdahl says:

    Can The Hardware Supply Chain Remain Secure?
    https://semiengineering.com/can-the-hardware-supply-chain-remain-secure/

    The growing number of threats is cause for concern, but is it really possible to slip malicious code into a chip?

