Finding a poisonous seed

by Negar Shabab, Noushin Shabab | Friday, 10:00am - 10:30am

Supply chain attacks have become a trend in the past few years. A number of major cyber attacks were delivered through attacks on the software supply chain. One example is the CCleaner incident, in which the infection of a few software developer machines resulted in the massive infection of end user systems; another, more recent example is the ShadowHammer case, in which customers of the popular ASUS Live Update Utility were served backdoored packages that the attackers had managed to get digitally signed with legitimate ASUS signatures.

This research is dedicated to the investigation of cyber attacks targeting the software supply chain through the infection of the compilers and IDEs used by software developers. Compilers and development platforms are at the core of the software supply chain. An infected compiler that finds its way onto different software developers’ systems can result in thousands of trojanized software applications, each of which has the potential to be downloaded and installed on a massive number of end user consumer or enterprise systems. The infamous XcodeGhost IDE, an infected version of Apple’s Xcode development environment, was an in-the-wild example of such a case. According to the statistics, the number of infected applications compiled by XcodeGhost was in the order of thousands.

Investigating and protecting against these kinds of attacks should always be of utmost importance to security researchers, as they may undermine trust in the integrity of supply chains and poison the business prospects of well-respected software development companies and startups. The victims of such attacks may appear to be a few selected developers, but what is more alarming is that the victims may also be all the members of the entire software supply chain, all the way through to the end users. The deeper this malicious seed is planted, the larger the tree of victims grows.

About Negar Shabab, Noushin Shabab

Negar is an application security consultant with PS&C Group. She works on integrating security practices into DevOps pipelines with a focus on automation. Before joining PS&C Group she was a senior malware analyst and security software developer. She has worked across the full life cycle of multiple security software products, often in senior and lead roles. She has extensive experience developing anti-malware software modules and security applications for the Windows operating system. Negar is an active member of the Australian Women in Security Network (AWSN), which aims to support and inspire women in the Australian security industry. She is also a regular speaker at security conferences and delivers technical workshops.

Noushin is a senior security researcher at Kaspersky Lab specialising in reverse engineering and targeted attack investigations. Her research focuses on advanced cyber criminal activities and targeted attacks. Prior to joining Kaspersky Lab, Noushin worked as a senior malware analyst and software developer with first-hand knowledge of rootkit analysis, detection techniques and APT attack investigations. Noushin is an active speaker at local and international conferences, including INTERPOL World, MRE, Ruxcon 2017, BSides Wellington 2017, Security Analyst Summit (SAS) and the AusCERT 2018 Conference.