#AxisOfEasy 183: Supermicro Hacked For Years, Big Tech Supply Chain Compromised By China

Weekly Axis Of Easy #183

Last Week’s Quote was “The larger the government becomes and the fewer small businesses there are the more docile society becomes” was Marc Faber, nobody got it.

This Week’s Quote: “That millions of people share the same forms of mental pathology does not make these people sane”… by???

THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal is on us.

Note: I mistakenly said that nobody got the quote for issue #180, it was Eric Hoffer but Larry Fast did get it, I missed it, sorry.

In this issue:

  • Supermicro hacked for years, supply chain compromised by China
  • Typosquatting package names to penetrate companies
  • New phishing attack encodes malicious URLs in Morse code
  • Barcode scanner app infects 10M Google Play users with one update
  • WordPress Responsive Menu plugin exposes sites to remote takeover  
  • QuadrigaCX website briefly resurfaces as a phishing site
  • Court records show FBI able to obtain Signal messages from iPhone (Keybase / Zoom)
  • Journo’s fret that Clubhouse conversations can’t be archived and “fact-checked”
  • AxisOfEasy Salon #37: Nation State Conformity vs Network State Cacophony


Supermicro hacked for years, Big Tech supply chain compromised by China

This in-depth Bloomberg piece by Jordan Robertson, Michael Riley and Jennifer Jacobs describes how US authorities discovered, to their chagrin, a sophisticated supply chain compromise that traced back to Chinese intelligence agencies and how the investigation has been going on for years, without ever notifying the subject of the breach: Silicon Valley based Supermicro.  

This was done by hacking the Supermicro motherboards and inserting an unauthorized chip that executed instructions when the servers they were installed on booted up. From there entire various downstream customers were compromised, including Intel in 2014 when their systems downloaded malware from a single Supermicro update server. In 2015 the FBI warned numerous companies that an extra chip with a backdoor embedded had been concealed in a manufacturer’s servers, and that manufacturer was Supermicro.

The FBI discovered and then decided to keep secret their discovery, instead opting, as the article details, to carefully craft an investigation and counter-intelligence operation around their findings to better assess Chinese intelligence capabilities. The investigation went on for years but is not known if it still continues. The article builds on a previous one published in Bloomberg’s Businessweek in 2018 which is not linked in the article but it is still online here and we covered it in AxisOfEasy #69. Amazon, Apple and even the US government refuted the story at the time, yet the newer article says they now have a much bigger picture of where that article started.

The article also touches on supply chain concerns around Chinese Lenova Group and how a group of laptops being used by combat troops in Iraq had to be pulled out of the field when they were discovered to contain a chip on the motherboard that would “record all the data that was being inputted into that laptop and send it back to China.”

After the recent SolarWinds attack, supply chain security (or lack thereof) is in the forefront now. Although that one was attributed to RRRRussia! via oblique and circular references, the evidence around Chinese Intelligence agencies having successfully compromised numerous high tech supply chains is more compelling in my mind, and worrisome. If one of the possible outcomes in a post-pandemic world is, as I surmised on my personal blog’s “Jackpot Chronicles” is an impetus toward deglobalization, then supply chain security could be another big motivation for pulling manufacturing of critical or sensitive components back home.

Read: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Typosquatting package names to penetrate companies

Speaking of supply chain hacks, a reader sent me this article (h/t Tom Keenoy) because it made reference and use of a technique called “DNS Exfiltration” to collect data on a proof-of-concept supply chain attack using another vector entirely: typosquatting linux package names. Using this method a security researcher named Alex Birsan was able to penetrate Apple, Microsoft “and dozens of other companies.”

Various open source code repositories house user contributed software packages and they don’t necessarily do any code audits of the packages released there. Then various operating systems use package managers to easily install software that could otherwise be a rather long and complex process (I remember back in my days at Toronto ISP Inforamp, when my boss told me to “install perl” on one of our servers, that was basically my morning. Now, if it isn’t already installed it’s a matter of typing “apt-get install perl” or something similar and it’s done in under 60 seconds.)
This type of attack is not new, we reported on a compromised npm package way back in AxisOfEasy 77 that made reference to an even earlier conceptual post talking about the theoretical vulnerability.

In this case the researchers found a piece of public code (belonging to PayPal, as it so happens) that made some package references to both public and internal, private repositories – the latter would be proprietary PayPal code not released for public consumption, which their package managers would (or should) call to and load and install from PayPal internal servers. Their idea was to see what would happen if they created their own packages using the same name as the internal, not-for-public consumption ones, and then place them on the public code repositories.

When internal builds were running, would any of them accidentally default to the public repository when grabbing a given software package?

The results were staggering when they tried it, and in order to collate their data they used DNS exfiltration techniques to catalog how far their proof-of-concept “rogue” packages had proliferated.

“From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds.”

Birsan calls the technique “dependency confusion” and so far at the time he wrote it up on Medium, it had worked across 35 organizations.

New phishing attack encodes malicious URLs in Morse code

One of the telling features of a lot of malware in email is the requirement to obfuscate their payloads. That way they hope to circumvent antivirus scanners who look for specific URLs and code snippets.

This new method of obfuscation is first: it encoded the URL payload in a phishing email into a JavaScript function using Morse code.

The phish was an attempt to garner victims Office 365 login credentials by prompting them to log in to what would be a fake login screen: it would display a “login time out, please try again message” – collect the user’s credentials, before redirecting them to the actual site.

Barcode scanner app infects 10M Google Play users with one update

Recently reports started surfacing on the Malware Bytes discussion forums from Android users who were suddenly experiencing issues where their default device browsers were opening ad pages from unrelated websites.

The Malware Bytes researchers began digging into it and found that a single fairly straightforward Barcode Scanner app available in the Google Play store had become infected with a type of adware. Worse, over 10M users had it installed on their devices and it looked like via a recent update, they would all have become infected.

It appears as though Malware Bytes originally and erroneously ascribed the threat actor to  what looked to be the app developer, but they issued and update and a correction indicating that said developer was not responsible and being prompt and cooperative in their inquiries.

What actually happened was the Barcode Scanner app was sold to a new entity, which has not been answering inquiries and who seems to have had taken possession of the app prior to the update which introduced the infection.

The app has subsequently been removed from the Google Play store.

Read: https://blog.malwarebytes.com/android/2021/02/who-is-to-blame-for-the-malicious-barcode-scanner-that-got-on-the-google-play-store/

WordPress Responsive Menu plugin exposes sites to remote takeover 

Via the team at WordFence we got a heads up that a bug in the Responsive Menus WordPress plugin, attackers could gain remote code execution and site takeover of a site that had it installed. Over 100K websites would have been affected. The developers fixed the problem last month.

If you’re an easyPress user, we’ve already updated anybody who was affected.

QuadrigaCX website briefly resurfaces as a phishing site

Here’s a blast from the past as QuadrigaCX{.}com, the actual, official domain name of the now defunct Canadian crypto exchange, briefly came back to life last week and presented a complete replica of the old QuadrigaCX site.

Recall, QuadrigaCX was the crypto exchange that went up in smoke in early 2010 when its CEO, Gerald Cotten, purportedly died in India and was the only person with the password to his laptop, which contained the private keys to the exchange’s cold wallets. Something like $170 million CAD worth of BTC (worth perhaps 2X now) was marooned in cyberspace and is presumably lost forever.

Ernst and Young, the court appointed trustee in the firms liquidation put out a statement that the website was unauthorized and under no circumstances should anybody enter their login credentials into it, let alone attempt to purchase or deposit Bitcoin there.

We delved into this one ourselves, given that QuadrigaCX was an early Domainsure client, and we duly tried to have the site taken down.

We wrote up the details of our experience here:

Read: https://easydns.com/blog/2021/02/09/somebody-has-gained-access-to-the-quadrigacx-domain-and-has-set-up-a-fake-version-of-the-site/

Court records show FBI able to obtain Signal messages from iPhone (Keybase /Zoom)

A Forbes article referenced some court documents in which FBI investigators were able to obtain messages from Signal, the ostensibly secure messaging app. It appears as though in the course of investigating a gun running operation in New York State, messages were obtained from an iPhone in an “AFU” state – which apparently means “After First Unlock” – which means the phone has been unlocked, the screen lock is back on, but the app has not been shut down.

It seems to be possible to obtain Signal messages in this state because the decryption keys are store in memory. It also may be the case that this was only a factor on iOS 11, and possibly 12. Later versions of iOS had more robust security features.

We link to the original Forbes article and then a Mac Daily News commentary on it for some additional context – h/t to the reader who sends me a lot of these.

Read: https://www.forbes.com/sites/thomasbrewster/2021/02/08/can-the-fbi-can-hack-into-private-signal-messages-on-a-locked-iphone-evidence-indicates-yes/?sh=31832ae66244

And: https://macdailynews.com/2021/02/10/court-evidence-shows-fbi-accessed-signal-texts-on-locked-iphone/

On the topic of encrypted apps I only just learned that Keybase had been acquired by Zoom last year, I completely missed that one.

Read: https://www.cnbc.com/2020/05/07/zoom-buys-keybase-in-first-deal-as-part-of-plan-to-fix-security.html

Journo’s fret that Clubhouse conversations can’t be archived and “fact-checked”

At least a few journalists (one of whom is a frequent tech contributor to the New York Times) is ruminating that the new group chat social media platform Clubhouse cannot be “fact checked” because the communications are all audible (group teleconferences, basically) and not recorded and archived. I’ve seen tweets from Bluecheck twitter hopping on this bandwagon as well:

“This is about PLATFORM. With Clubhouse, you can have a new platform with maybe unlimited reach to spread lies. We’ve had this conversation a thousand times. For real, guys, it’s not that difficult.”

To truly capture the mindset of these people, after noting that the Chinese Communist Party had cracked down on Clubhouse because citizens were using it to communicate with foreigners without censorship, the original op-ed concludes:

“If Xi Jinping’s administration isn’t ignoring Clubhouse, why should fact-checkers? Why should you?”

Answer: Because I’m neither a boot licker nor an authoritarian, that’s why.

Op Ed: https://www.poynter.org/fact-checking/2021/factually-what-will-fact-checkers-find-on-clubhouse/

And: https://reason.com/2021/02/12/journalists-worried-about-people-having-conversations-on-clubhouse/

AxisOfEasy Salon #37: Nation State Conformity vs Network State Cacophony

On the AxisOfEasy Salon last week, Charles, Jesse and I reconvened to talk about the difference between Network State Conformity and Network State Cacophony:

Watch: https://axisofeasy.com/podcast/salon-37-the-tension-between-nation-state-conformity-and-network-state-cacophony/


One thought on “#AxisOfEasy 183: Supermicro Hacked For Years, Big Tech Supply Chain Compromised By China

Leave a Reply

Your email address will not be published. Required fields are marked *