xorl %eax, %eax

Ideas for Software Supply-Chain Attacks Simulation by Red Teams


The purpose of red teams is to simulate real adversaries in order to test both the technical security controls and the non-technical ones (e.g. response procedures, DFIR playbooks, and so on) of an organisation. Four years ago I posted a proposal on how red teams could/should deploy multi-stage C2 infrastructures. Now I'll highlight another increasing threat for most companies.

Whether the actor is a nation state, a hacktivist or anything in between, and whether the vector is a shared library or something else entirely, software supply-chain intrusions are getting a lot of attention. So, if you are a red teamer looking for ideas on how to simulate those, here are a few.

Why bother? Well, to provide more value to your customers through a practical assessment of whether they can effectively protect against (or at least detect) supply-chain threats.

Internal Code Repositories

Assuming you got access to an endpoint of a developer, administrator, engineer, etc., modify code or configurations in internal code repositories in order to propagate to more systems/networks. For instance, check whether your "user" can access Git repositories, CI/CD pipelines, configuration management (Saltstack, Ansible, Terraform, Puppet, Cfengine, JAMF, Rudder, Chef, SCCM, etc.), cloud deployment tools, container images, etc., and try to push implants or expand access via those means.

Waterhole-enabled Supply Chain

At some point it is almost certain that you'll obtain access to something beyond an endpoint. It could be a fileserver, an internal web application server, a cloud/3rd party service, a container running some small service or anything else. Well, instead of trying to pivot via "traditional means", why not modify the service this system offers so that it pushes an implant to, or takes an action on, anyone who uses it, thereby increasing your access?

In-house Packages/Software

It is possible that you might stumble across some (open source or proprietary) software that is either mirrored internally in some repository or is customised for whatever business reason and hosted on something like a fileserver, a package repository, or something along those lines. Here you could try to trojanize those and wait for them to propagate.

Software Update Solutions

It's not uncommon for organisations to have automated or semi-automated solutions for performing software updates. If you could modify those updates to include an implant, you could very effectively emulate a supply-chain propagation. Hint: some of those systems rely on inherently insecure protocols (e.g. FTP, TFTP, SMTP, HTTP, etc.), so you could even hijack/MitM/trojanize them at the network level if you have access to the links they pass over.
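The defensive counterpart to the update-channel risk above, as an added example that is not from the original post: it flags update sources served over the plaintext protocols the post names and refuses any artifact whose SHA-256 does not match a pinned manifest, which is what catches a trojanized update regardless of how it travelled. The source list, manifest and payloads are constructed samples.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Transports named in the post that an on-path attacker can tamper with.
INSECURE_SCHEMES = {"http", "ftp", "tftp"}


def audit_update_sources(sources):
    """Return (url, reason) pairs for update sources that are not served
    over an authenticated, encrypted channel."""
    findings = []
    for url in sources:
        scheme = urlparse(url).scheme.lower()
        if scheme in INSECURE_SCHEMES:
            findings.append((url, f"plaintext transport ({scheme})"))
        elif scheme != "https":
            findings.append((url, f"unexpected scheme ({scheme or 'none'})"))
    return findings


def verify_artifact(name, data, manifest):
    """Accept an update only if its SHA-256 matches the pinned digest.
    An unpinned name is refused: 'unknown' must never mean 'trusted'."""
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data (hypothetical hosts, not from any real deployment).
SAMPLE_SOURCES = [
    "https://updates.example.internal/agent/",
    "http://mirror.example.internal/debian",
    "ftp://legacy.example.internal/firmware",
]
GOOD_UPDATE = b"agent-v1.2.3 payload"
# In practice the manifest arrives out-of-band or over a signed channel;
# it is computed inline here only so the sample runs offline.
MANIFEST = {"agent-v1.2.3.bin": hashlib.sha256(GOOD_UPDATE).hexdigest()}
TAMPERED_UPDATE = GOOD_UPDATE + b"\x00implant"

if __name__ == "__main__":
    for url, reason in audit_update_sources(SAMPLE_SOURCES):
        print(f"[!] {url}: {reason}")
    print("genuine accepted:", verify_artifact("agent-v1.2.3.bin", GOOD_UPDATE, MANIFEST))
    print("tampered accepted:", verify_artifact("agent-v1.2.3.bin", TAMPERED_UPDATE, MANIFEST))
```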

Fleet Management

Similarly to the previous one, even small organisations rely on one (or more) fleet management solutions, and if you manage to get access there it's, more or less, the same as having a nice C2 preconfigured for you. So, why not use that to expand your access?

Pre-agreed Access

It is possible that as part of your Statement of Work (SoW) you will be given some limited access. If you aim to evaluate the supply-chain capabilities of that organisation, you could ask for access to some internal application or, even better, a 3rd party system/application/service the organisation relies on, and use that as your starting point. That is, the engagement starts under the assumption that this 3rd party is compromised.

I’m pretty sure there are tons more concepts that a red team could take advantage of depending on the organisation they target. But hopefully the above gives you some ideas on how to evaluate supply-chain threats in a relatively controlled but realistic manner.

Written by xorl

April 7, 2022 at 15:21

Posted in security
