As a red teamer or a penetration tester, one of the most important things you should be aware of is the supply chain attacks that can cripple any organization. In a supply chain attack, the attacker targets the weakest link in the chain, whether it is a third-party vendor, a supplier, or a manufacturer, to gain access to the organization’s network. Once inside, the attacker can move laterally and gain control of other systems, steal sensitive information, or disrupt operations. In this article, we will discuss advanced red team exercises, specifically focusing on supply chain attacks.

Previously on… Advanced Red Team Exercises

Before we dive into the topic, let’s do a quick recap of the five phases of a typical red team exercise:

  1. Reconnaissance: In this phase, the red team gathers information about the target organization, including its network topology, infrastructure, and employees.
  2. Weaponization: In this phase, the red team creates a plan of attack, including the tools and techniques to be used.
  3. Delivery: In this phase, the red team delivers the payload, which could be a phishing email or a malicious file.
  4. Exploitation: In this phase, the red team exploits the vulnerability to gain access to the target system.
  5. Post-exploitation: In this phase, the red team establishes persistence and moves laterally to gain access to other systems and data.

Now that we have recapped the five phases of a typical red team exercise, let’s move on to supply chain attacks.

What are Supply Chain Attacks?

In a supply chain attack, the attacker targets a third-party vendor, supplier, or manufacturer to gain access to the target organization’s network. The attacker can use a variety of methods to exploit vulnerabilities in the supply chain, including:

  • Malware injection: The attacker injects malware into the software or hardware components of the supply chain, which is then installed on the target organization’s network.
  • Social engineering: The attacker tricks an employee of the supply chain into providing access to the target organization’s network.
  • Exploiting vulnerabilities: The attacker exploits vulnerabilities in the software or hardware components of the supply chain to gain access to the target organization’s network.

Real-World Examples of Supply Chain Attacks

Let’s take a look at some real-world examples of supply chain attacks:

  • SolarWinds Attack: In December 2020, it was discovered that the SolarWinds Orion software had been compromised by a sophisticated supply chain attack. The attacker injected malware into the software, which was then installed on the target organization’s network. The malware was able to bypass antivirus software and gain access to sensitive data.
  • Target Attack: In 2013, Target suffered a major data breach, which was the result of a supply chain attack. The attacker gained access to Target’s network through a third-party vendor that had access to Target’s payment system. The attacker was able to steal the credit card information of 40 million customers.
  • CCleaner Attack: In 2017, it was discovered that the popular system optimization tool, CCleaner, had been compromised by a supply chain attack. The attacker injected malware into the CCleaner software, which was then installed on the target organization’s network. The malware was able to steal sensitive data, including passwords and financial information.

Advanced Red Team Exercises - Supply Chain Attacks

Now that we have an understanding of what supply chain attacks are and some real-world examples, let’s discuss how red teamers can simulate supply chain attacks in their exercises.

Reconnaissance

Reconnaissance is a crucial phase in any red team exercise, especially when simulating a supply chain attack. In this phase, the red team gathers information about the supply chain, including its vendors, suppliers, and manufacturers. The purpose of this phase is to identify vulnerabilities in the supply chain that can be exploited to gain access to the target organization’s network.

There are several techniques that the red team can use to gather information about the supply chain, including:

Passive Reconnaissance

Passive reconnaissance involves gathering information about the supply chain without directly engaging with it. The goal of passive reconnaissance is to gather as much information about the supply chain as possible without alerting anyone in the organization. Some of the techniques used in passive reconnaissance include:

  • Google Dorking: This technique involves using advanced search operators in Google to find information about the supply chain. For example, the site: operator restricts a search to a specific website.
  • Social Media: Social media platforms can be a rich source of information about the supply chain. The red team can search for employees of the supply chain and gather information about their job titles, responsibilities, and affiliations.
  • Job Postings: Job postings can provide valuable information about the supply chain. The red team can use job postings to identify the type of work being done by the supply chain and the technologies they are using.

Active Reconnaissance

Active reconnaissance involves actively engaging with the supply chain to gather information. The goal of active reconnaissance is to gather more detailed information about the supply chain and identify vulnerabilities that can be exploited. Some of the techniques used in active reconnaissance include:

  • Phishing: Phishing is a common technique used to gather information about the supply chain. The red team can send phishing emails to employees of the supply chain, which can be used to gather information about the organization, including its infrastructure and employees.
  • Social Engineering: Social engineering is the art of manipulating people to reveal confidential information. The red team can use social engineering techniques to gather information about the supply chain, such as pretending to be an IT administrator and asking for login credentials.
  • Open-Source Intelligence (OSINT): OSINT is a technique used to gather information from publicly available sources. The red team can use OSINT to gather information about the supply chain, such as the type of software they are using and any vulnerabilities that have been identified.

Vendor Assessment

Vendor assessment is a technique used to evaluate the security posture of the supply chain. This involves assessing the vendor’s security controls, including their policies and procedures, to identify any vulnerabilities that can be exploited. Some of the techniques used in vendor assessment include:

  • Penetration Testing: Penetration testing involves testing the security of the vendor’s network to identify vulnerabilities that can be exploited.
  • Vulnerability Assessment: Vulnerability assessment involves identifying vulnerabilities in the vendor’s network and prioritizing them based on risk.
  • Red Team Exercises: Red team exercises involve simulating an attack on the vendor’s network to identify vulnerabilities that can be exploited.

By using a combination of passive and active reconnaissance techniques, along with vendor assessments, the red team can gather detailed information about the supply chain and identify vulnerabilities that can be exploited to gain access to the target organization’s network.

Weaponization

Weaponization is the second phase of a red team exercise and is crucial in simulating a supply chain attack. In this phase, the red team creates a plan of attack, including the tools and techniques to be used to exploit vulnerabilities in the supply chain.

There are several methods that the red team can use to weaponize the attack, including:

Malware Injection

Malware injection involves injecting malware into the software or hardware components of the supply chain, which is then installed on the target organization’s network. The malware can be designed to steal sensitive data, establish a backdoor, or create a botnet that can be used to launch further attacks.

The red team can use several techniques to inject malware into the supply chain, including:

  • Watering Hole Attacks: Watering hole attacks involve compromising a legitimate website that employees of the supply chain are likely to visit. The red team can inject malware into the website, which is then downloaded by the employee when they visit the site.
  • Software Supply Chain Attacks: Software supply chain attacks involve compromising the software used by the supply chain, such as a software update. The red team can inject malware into the update, which is then installed on the target organization’s network.

Social Engineering

Social engineering involves manipulating people to reveal confidential information. The red team can use social engineering techniques to gain access to the supply chain and exploit vulnerabilities. Some of the techniques used in social engineering include:

  • Spear Phishing: Spear phishing involves sending targeted phishing emails to employees of the supply chain. The email is designed to look like it comes from a legitimate source and asks the employee to provide login credentials or click on a link that installs malware.
  • Impersonation: Impersonation involves pretending to be someone else to gain access to the supply chain. The red team can pretend to be an IT administrator and ask the employee for their login credentials or install malware.

Exploiting Vulnerabilities

Exploiting vulnerabilities involves using software or hardware vulnerabilities to gain access to the supply chain. The red team can use several techniques to exploit vulnerabilities, including:

  • Remote Code Execution: Remote code execution involves running code on a remote system. The red team can use vulnerabilities in the supply chain to execute code on the target organization’s network.
  • Buffer Overflow: Buffer overflow involves exploiting a vulnerability in a software program that allows the red team to overwrite memory with malicious code.

By using a combination of malware injection, social engineering, and exploiting vulnerabilities, the red team can create a plan of attack that can exploit weaknesses in the supply chain to gain access to the target organization’s network.

It is essential to note that the red team should use discretion when creating the plan of attack. The red team should ensure that they do not cause harm to the supply chain or the target organization. The red team should also ensure that they follow ethical guidelines and obtain permission from the target organization before conducting any red team exercises.

Delivery

Delivery is the third phase of a red team exercise, and in the context of a supply chain attack, it involves delivering the payload to the supply chain. The payload is the malicious code or software that the red team has developed in the weaponization phase. The goal of this phase is to get the payload onto the supply chain’s network and into the target organization’s network.

There are several techniques that the red team can use to deliver the payload, including:

Phishing

Phishing is a common technique used to deliver the payload. The red team can send phishing emails to employees of the supply chain, which contain the payload or a link to download the payload. The email is designed to look like it comes from a legitimate source and encourages the employee to download the payload.

To make the phishing email more effective, the red team can use several techniques, including:

  • Spear Phishing: Spear phishing involves sending a targeted email to a specific employee of the supply chain. The email is designed to look like it comes from a legitimate source, such as an IT administrator, and encourages the employee to download the payload.
  • Pretexting: Pretexting involves creating a false scenario to trick the employee into downloading the payload. For example, the red team can pretend to be a security consultant and ask the employee to download the payload to test the network’s security.

Malicious Websites

The red team can create a malicious website that employees of the supply chain are likely to visit. The website contains the payload, which is downloaded onto the employee’s computer when they visit the site.

To make the website more effective, the red team can use several techniques, including:

  • Watering Hole Attacks: Watering hole attacks involve compromising a legitimate website that employees of the supply chain are likely to visit. The red team can inject the malicious code into the website, which is downloaded by the employee when they visit the site.
  • Typosquatting: Typosquatting involves creating a website that is similar in name to a legitimate website. For example, if the supply chain uses the domain name “supplychain.com,” the red team can create a website with the domain name “suplychain.com.” The employee is likely to visit the fake website by mistake and download the payload.
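The detection side of the typosquatting case above, as an added example that is not part of the original article: a lookalike-domain check a mail gateway or SOC can run against sender domains. The trusted vendor list and the log lines are constructed, and the homoglyph table is an assumption.

```python
# Added example (not from the original article): flag sender domains that look
# like a trusted vendor domain, e.g. "suplychain.com" next to "supplychain.com".
# The trusted-domain list and the mail-gateway log lines below are constructed.
import re

# Constructed allow-list of legitimate vendor domains (assumption for this example).
TRUSTED_DOMAINS = ["supplychain.com", "vendor-portal.net"]

# Characters commonly substituted in lookalike registrations; hyphens are dropped
# so "vendorportal.net" is compared against "vendor-portal.net" on equal terms.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "-": ""})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted', 'lookalike of <vendor>' or 'unrelated' for one sender domain."""
    d = domain.lower().rstrip(".")
    if d in trusted or any(d.endswith("." + t) for t in trusted):
        return "trusted"  # exact match or a genuine subdomain of a trusted name
    folded = d.translate(HOMOGLYPHS)
    for t in trusted:
        t_folded = t.translate(HOMOGLYPHS)
        same_after_folding = folded == t_folded
        close_spelling = levenshtein(folded, t_folded) <= max_distance
        embedded_brand = t_folded.split(".")[0] in folded  # e.g. supplychain.com.evil.net
        if same_after_folding or close_spelling or embedded_brand:
            return f"lookalike of {t}"
    return "unrelated"


# Constructed mail-gateway log lines.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z from=jane@supplychain.com to=ap@corp.example subject=Invoice 4471
2024-03-01T09:15:40Z from=it-support@suplychain.com to=bob@corp.example subject=Password reset
2024-03-01T09:17:21Z from=updates@supplychain.com.account-verify.net to=bob@corp.example subject=Update
2024-03-01T09:20:02Z from=news@example.org to=all@corp.example subject=Newsletter
2024-03-01T09:22:55Z from=billing@vend0r-portal.net to=ap@corp.example subject=Overdue
"""


def flag_lookalike_senders(log_text: str) -> list:
    """Return (sender domain, verdict) for every message from a lookalike domain."""
    findings = []
    for line in log_text.splitlines():
        m = re.search(r"\bfrom=(\S+)@(\S+)", line)
        if m and (verdict := classify_domain(m.group(2))).startswith("lookalike"):
            findings.append((m.group(2), verdict))
    return findings
```

Registering the closest lookalikes of your own and your key vendors' domains defensively, and feeding this kind of check into mail filtering, closes the gap the article's example relies on.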

Software Updates

The red team can compromise the software used by the supply chain, such as a software update. The red team can inject the payload into the update, which is then installed on the target organization’s network.

To make the software update more effective, the red team can use several techniques, including:

  • Social Engineering: The red team can impersonate an IT administrator and ask the employee of the supply chain to download the software update. The employee is more likely to trust the email if it appears to come from a legitimate source.
  • Watering Hole Attacks: The red team can compromise a legitimate website that employees of the supply chain are likely to visit and redirect them to the fake software update site.
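The control that blunts a tampered update, as an added example that is not part of the original article: an installer-side integrity check against a vendor-authenticated manifest. Real update channels sign the manifest with an asymmetric key; to stay standard-library only, this example stands in an HMAC key assumed to be provisioned out-of-band, and all package contents are constructed.

```python
# Added example (not from the original article): the installer-side check that
# refuses a software update whose contents differ from a manifest the vendor has
# authenticated. Real update channels sign the manifest with an asymmetric key;
# to stay standard-library only this example stands in an HMAC key assumed to be
# provisioned out-of-band (assumption). All package contents are constructed.
import hashlib
import hmac
import json

MANIFEST_KEY = b"constructed-demo-key-not-for-production"  # assumption, see lead-in


def build_manifest(files: dict, version: str) -> dict:
    """Vendor side: record a SHA-256 per file and authenticate the whole manifest."""
    body = {
        "version": version,
        "files": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()},
    }
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(MANIFEST_KEY, encoded, "sha256").hexdigest()}


def verify_update(manifest: dict, files: dict) -> tuple:
    """Installer side: (ok, reason). Any mismatch rejects the whole package."""
    encoded = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, encoded, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, "manifest authentication failed"   # edited or forged manifest
    listed = manifest["body"]["files"]
    if set(listed) != set(files):
        return False, "file set differs from manifest"    # added or missing component
    for name, digest in listed.items():
        actual = hashlib.sha256(files[name]).hexdigest()
        if not hmac.compare_digest(actual, digest):
            return False, f"hash mismatch for {name}"     # modified component
    return True, "ok"


# Constructed update package as shipped by the vendor.
GOOD_FILES = {
    "agent.bin": b"\x7fELF constructed original agent build",
    "config.ini": b"[update]\nchannel=stable\n",
}
MANIFEST = build_manifest(GOOD_FILES, "2.4.1")


def demo() -> dict:
    """Verify the genuine package and three tampered variants against the same manifest."""
    modified = {**GOOD_FILES, "agent.bin": b"\x7fELF constructed modified agent build"}
    extra = {**GOOD_FILES, "helper.dll": b"constructed unlisted component"}
    forged = json.loads(json.dumps(MANIFEST))       # deep copy, then edit the version field
    forged["body"]["version"] = "9.9.9"
    return {
        "genuine": verify_update(MANIFEST, GOOD_FILES),
        "modified": verify_update(MANIFEST, modified),
        "extra": verify_update(MANIFEST, extra),
        "forged_manifest": verify_update(forged, GOOD_FILES),
    }
```

The check rejects an unlisted extra component as firmly as a modified one, so a package that is only partly trustworthy is never installed.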

Exploitation

Exploitation is the fourth phase of a red team exercise, and in the context of a supply chain attack, it involves exploiting vulnerabilities in the supply chain to gain access to the target organization’s network.

There are several techniques that the red team can use to exploit vulnerabilities in the supply chain, including:

Remote Code Execution

Remote code execution (RCE) involves running code on a remote system. The red team can use vulnerabilities in the supply chain to execute code on the target organization’s network. This technique can be used to gain access to the target organization’s network, establish a backdoor, or steal sensitive data.

To execute code remotely, the red team can use several techniques, including:

  • SQL Injection: SQL injection involves injecting SQL code into a vulnerable website to execute commands on the target organization’s network.
  • Cross-Site Scripting (XSS): Cross-site scripting involves injecting malicious code into a vulnerable website to execute commands on the target organization’s network.

Buffer Overflow

Buffer overflow involves exploiting a vulnerability in a software program that allows the red team to overwrite memory with malicious code. This technique can be used to gain access to the target organization’s network, establish a backdoor, or steal sensitive data.

To exploit buffer overflow vulnerabilities, the red team can use several techniques, including:

  • Fuzzing: Fuzzing involves sending large amounts of malformed or unexpected input to a software program to trigger a buffer overflow vulnerability.
  • Code Analysis: Code analysis involves examining the source code of a software program to identify vulnerabilities, such as buffer overflow vulnerabilities.

Privilege Escalation

Privilege escalation involves gaining elevated privileges on the target organization’s network. The red team can use privilege escalation to gain access to sensitive data, install malware, or establish a backdoor.

To escalate privileges, the red team can use several techniques, including:

  • Exploiting Misconfigured Services: Misconfigured services can provide an entry point for the red team to escalate privileges on the target organization’s network.
  • Exploiting Weak Credentials: Weak credentials can be exploited by the red team to escalate privileges on the target organization’s network.

Post-exploitation

Post-exploitation is the fifth and final phase of a red team exercise, and in the context of a supply chain attack, it involves maintaining persistence and controlling the target organization’s network. The goal of this phase is to maintain access to the target organization’s network and steal sensitive data or carry out further attacks.

There are several techniques that the red team can use to maintain persistence and control the target organization’s network, including:

Backdoors

Backdoors are a type of malware that provide the red team with continued access to the target organization’s network. The red team can use several techniques to install backdoors, including:

  • Remote Access Trojans (RATs): RATs are a type of malware that provide the red team with remote access to the target organization’s network. RATs can be installed on the target organization’s network through phishing emails, malicious websites, or software updates.
  • Web Shells: Web shells are a type of malware that provide the red team with access to a web server. Web shells can be installed on the target organization’s network through vulnerabilities in the web server.

Credential Theft

Credential theft involves stealing login credentials to gain access to the target organization’s network. The red team can use several techniques to steal login credentials, including:

  • Keyloggers: Keyloggers are a type of malware that capture keystrokes on the target organization’s network. Keyloggers can be installed on the target organization’s network through phishing emails, malicious websites, or software updates.
  • Password Cracking: Password cracking involves using software to crack password hashes. The red team can use password cracking to obtain login credentials for the target organization’s network.

Data Exfiltration

Data exfiltration involves stealing sensitive data from the target organization’s network. The red team can use several techniques to exfiltrate data, including:

  • File Transfer Protocol (FTP): FTP is a protocol used to transfer files between computers on the network. The red team can use FTP to transfer sensitive data from the target organization’s network to a remote server.
  • Cloud Storage: Cloud storage services can be used to exfiltrate sensitive data from the target organization’s network. The red team can upload the data to the cloud storage service and then download it onto a remote server.
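Detection logic for the two exfiltration channels named above, FTP transfers and bulk uploads to cloud storage, as an added example that is not part of the original article: it is run over constructed egress firewall log lines, and the cloud-storage domains, byte threshold and time window are assumptions to tune per environment.

```python
# Added example (not from the original article): detection logic for the two
# exfiltration channels named above, FTP transfers and bulk uploads to cloud
# storage, run over constructed egress firewall log lines. The cloud-storage
# domains, the byte threshold and the time window are assumptions to tune locally.
import re
from collections import defaultdict
from datetime import datetime, timedelta

CLOUD_STORAGE = {"storage.example-cloud.net", "drive.example-share.com"}  # constructed
UPLOAD_THRESHOLD = 50 * 1024 * 1024       # bytes sent to cloud storage per source per window
WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ "
    r"dport=(?P<dport>\d+) bytes_out=(?P<out>\d+)"
)

# Constructed egress log: one host drip-feeds cloud storage, another uses FTP.
SAMPLE_LOG = """\
2024-03-01T22:01:10Z src=10.0.5.21 dst=storage.example-cloud.net proto=tcp dport=443 bytes_out=31457280
2024-03-01T22:03:42Z src=10.0.5.21 dst=storage.example-cloud.net proto=tcp dport=443 bytes_out=29360128
2024-03-01T22:05:03Z src=10.0.5.40 dst=203.0.113.9 proto=tcp dport=21 bytes_out=1048576
2024-03-01T22:06:30Z src=10.0.5.40 dst=203.0.113.9 proto=tcp dport=21 bytes_out=73400320
2024-03-01T22:07:12Z src=10.0.5.88 dst=www.example.org proto=tcp dport=443 bytes_out=20480
2024-03-01T23:30:00Z src=10.0.5.21 dst=storage.example-cloud.net proto=tcp dport=443 bytes_out=26214400
"""


def parse_events(log_text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "out": int(m["out"]),
            }


def detect_exfiltration(log_text: str) -> list:
    """Return (rule, src, dst, bytes) alerts for FTP egress and windowed cloud upload volume."""
    alerts = []
    recent = defaultdict(list)  # src -> [(ts, bytes_out)] to cloud storage inside WINDOW
    for ev in parse_events(log_text):
        if ev["dport"] == 21:   # FTP egress is flagged regardless of size: plaintext, rarely sanctioned
            alerts.append(("ftp-transfer", ev["src"], ev["dst"], ev["out"]))
        if ev["dst"] in CLOUD_STORAGE:
            window = [(t, b) for t, b in recent[ev["src"]] if ev["ts"] - t <= WINDOW]
            window.append((ev["ts"], ev["out"]))
            recent[ev["src"]] = window
            total = sum(b for _, b in window)
            if total >= UPLOAD_THRESHOLD:
                alerts.append(("cloud-upload-volume", ev["src"], ev["dst"], total))
    return alerts
```

The sliding window is what catches the drip-feed case: neither 30 MB upload from 10.0.5.21 crosses the threshold alone, but the two within ten minutes do, while the third upload an hour later correctly does not.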

Post-exploitation is a crucial phase of a red team exercise, especially in the context of a supply chain attack. The red team can use a variety of techniques to maintain persistence and control the target organization’s network, including installing backdoors, stealing login credentials, and exfiltrating data.

Conclusion

In conclusion, supply chain attacks are a major threat to organizations, and red teamers should be aware of how to simulate them in their exercises. By using a combination of OSINT, phishing, malware injection, and exploitation techniques, red teamers can simulate supply chain attacks and help organizations identify vulnerabilities in their supply chain. Remember, the best defense against supply chain attacks is to have a solid security program in place that includes monitoring your supply chain for vulnerabilities and regularly conducting security assessments. Stay safe out there!