Chronicle of the Supply Chain Attack and Two Attack Strategies

Explore a comprehensive analysis of supply chain attacks, focusing on the ASUS incident and various cases targeting Korean companies. Delve into two key strategies employed in these attacks: software development environment penetration and update server penetration. Examine artifacts, malware code similarities, and specific techniques used by attackers, including certificate signing, PlugX malware deployment, and selective infection methods. Learn about code tampering, DGA algorithms, and methods for hiding attacker IPs. Gain insights into the attackers' strategies mapped to the ATT&CK Matrix and discover practical applications of this knowledge in cybersecurity.

RSAConference 2020 San Francisco February 24-28 Moscone Center
Contents
What is Supply Chain Attack?
ASUS Supply Chain Attack: Overview ASUS Update Server
ASUS Supply Chain Attack: Type - B
ASUS Supply Chain Attack: Select Infection PC
Case Study: Supply Chain Attack
Case A: Overview
Case A: Certificate signing
Case A: PlugX malware
Case B: Overview
Case B: Plug X malware
Case B: Code Tampering
Case B: Certificate signing
Case B: DGA Algorithm
Case B: Select Infection PC
Case C: Overview
Case C: Hiding attacker IP
Case C: PlugX malware
Case C: Certificate signing
Case C: Select Infection PC • Proxy_Pass : Setting variables set for proxy in the Nginx software
Case C: Distribution Additional Malware
Case D: Overview
Case D: PlugX malware
Case D: Hiding attacker IP
Case E: Overview
Case E: Hijacking account
Association Analysis: Select Infection PC
Association Analysis: Code Tampering ASUS
Association Analysis: Shadow Pad
Association Analysis: PlugX module
Association Analysis: Hiding attacker IP
Association Analysis: Attacker IP
Attack Features and Strategies: ATT&CK Matrix
Apply What You Have Learned Today