Supply Chain Compromise Analysis: T1195 – Compromised Software Update

by

CrowdStrike Falcon Alert Details

Alert ID: CS-ALERT-7842-SUPPLYCHAIN
Alert Time: 2024-01-26 09:42:18 EST
Severity: CRITICAL (92/100)
Detection: “Software Updater Executing Suspicious Child Process”
MITRE ATT&CK: T1195 – Supply Chain Compromise, T1059.001 – PowerShell

Host Information:

  • Hostname: DEV-WS-045 (Development Environment)
  • User: dchen (David Chen, Software Engineer)
  • Department: Software Development
  • OS: Windows 11 Enterprise 22H2
  • IP: 192.168.100.45

Alert Details:

Detection Logic: Living Off the Land (LotL) Behavior - Legitimate Updater Spawning Unusual Child Process

Process Chain:
Parent Process: C:\Program Files\ChartTool\Updates\ChartToolUpdater.exe
- Publisher: "ChartTool Inc." (Valid certificate, expires 2024-12-31)
- MD5: 8a7b6c5d4e3f2a1b...
- File Version: 3.2.1.7842
- Command Line: "ChartToolUpdater.exe /silent /update"

Child Process: powershell.exe
- PID: 7842
- Command Line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwA...
- Parent-Child Relationship Anomaly Score: 98/100

Additional Context:
- ChartToolUpdater.exe normally spawns: msiexec.exe, setup.exe, ChartTool.exe
- First observed instance of spawning powershell.exe
- Network connection attempted: 194.165.32[.]89:443 (Bulgaria)
- Process hollowing detected in ChartToolUpdater.exe memory space

Threat Intelligence:
- IP 194.165.32[.]89 associated with Lazarus Group infrastructure
- ChartTool software version 3.2.1 was released 7 days ago
- No other hosts in environment show this parent-child relationship

Prevalence Data:

  • Environment Prevalence: 1/850 hosts (0.12%)
  • Industry Prevalence: 0.05% (Very rare)
  • Confidence: High (98%)

SOC Investigation Process

Phase 1: Initial Triage & Validation (09:42-10:00 EST)

Tools: CrowdStrike Falcon Console, Splunk SIEM, Active Directory

  1. Alert Verification:
    • Verified alert in CrowdStrike Falcon console
    • Confirmed process tree anomaly via Falcon Process Explorer
    • Checked user’s development role and access permissions
  2. Immediate Containment:
    • Isolated host via CrowdStrike Falcon Network Containment
    • Disabled ChartTool update service enterprise-wide via Group Policy
    • Blocked malicious IP at firewall (Palo Alto Networks)
    • Notified Development team lead about potentially compromised software
  3. Initial Analysis:
    • ChartTool is a third-party charting library used by 45% of development team
    • Last updated automatically via WSUS 7 days ago
    • User reported “unusual system slowdown” this morning

Phase 2: Process & Memory Analysis (10:00-11:30 EST)

Tools: CrowdStrike Falcon OverWatch, Volatility, Windows Defender ATP

  1. Process Forensic Analysis:
    • Parent Process (ChartToolUpdater.exe):
      • Digital signature valid but timestamp shows signing after known compromise window
      • File hash mismatch with vendor’s official version 3.2.1
      • Memory analysis shows injected shellcode in .text section
    • Child Process (PowerShell):
      • Decoded command: Downloads Cobalt Strike beacon from C2
      • Execution attempts to disable AMSI and Windows Defender
      • Creates scheduled task for persistence: “ChartToolMaintenance”
  2. Memory Forensics:
    • Captured RAM dump via CrowdStrike Falcon Live Response
    • Volatility analysis revealed:
      • Process hollowing in ChartToolUpdater.exe
      • Unpacked malicious payload in memory: payload.bin
      • Hooked API calls to evade detection
  3. Code Analysis:
    • Disassembled malicious section of updater
    • Found backdoor function: verify_update_legitimacy() (malicious)
    • Embedded encrypted configuration for C2 communication

Phase 3: Software Supply Chain Investigation (11:30-13:00 EST)

Tools: Software Bill of Materials (SBOM) Scanner, VirusTotal API, Vendor Communication

  1. Vendor Analysis:
    • Contacted ChartTool Inc. security team
    • Verified their update server was compromised 10 days ago
    • Official statement: “Limited number of downloads affected between Jan 19-21”
  2. Environment Impact Assessment:
    • Searched for ChartTool installations across enterprise:powershellGet-WmiObject -Query “SELECT * FROM Win32_Product WHERE Name LIKE ‘%ChartTool%'”
    • Found 428 installations, 312 updated in vulnerability window
    • Of those, 45 showed similar anomalous behavior
  3. Update Server Analysis:
    • Reviewed WSUS logs for ChartTool updates
    • Found update package downloaded from updates.charttool[.]com (legitimate)
    • But secondary payload downloaded from cdn.chart-tool[.]net (malicious domain)

Phase 4: Threat Hunting & Scope (13:00-14:30 EST)

Tools: Microsoft Defender for Endpoint Advanced Hunting, Tanium, Splunk ES

  1. Enterprise-Wide Hunting:kqlDeviceProcessEvents | where InitiatingProcessFileName =~ “ChartToolUpdater.exe” | where FileName =~ “powershell.exe” or FileName =~ “cmd.exe” | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
    • Results: 12 additional hosts with similar behavior
    • All in Development and QA departments
  2. Network Traffic Analysis:
    • Reviewed firewall logs for C2 communication
    • Found beaconing to 194.165.32[.]89 from 8 hosts
    • Data exfiltration attempts: Sending system info and network topology
  3. Impact Assessment:
    • Data Accessed: Development source code, build configurations
    • Systems Compromised: Developer workstations only
    • Lateral Movement: None detected (contained early)
    • Data Exfiltration: Minimal (system reconnaissance data only)

Phase 5: Containment & Remediation (14:30-16:30 EST)

Tools: Microsoft Intune, Group Policy, PowerShell, WSUS

  1. Immediate Containment:
    • Network isolated all 12 affected hosts
    • Disabled ChartTool update service globally
    • Blocked malicious domains at DNS and firewall
    • Revoked ChartTool’s network access via 802.1x policy
  2. Software Remediation:
    • Rolled back to ChartTool version 3.1.9 (known clean)
    • Deployed Microsoft Defender Application Control rule to block version 3.2.1
    • Updated Software Restriction Policy to block compromised updater hash
  3. System Cleanup:
    • Removed malicious scheduled tasks and registry entries
    • Cleared PowerShell execution history and event logs
    • Rebuilt 12 affected workstations from clean images

Phase 6: Prevention & Hardening (16:30-17:30 EST)

Tools: Microsoft Defender Application Guard, HashiCorp Vault, Azure Policy

  1. Supply Chain Security Enhancements:
    • Implemented software update verification via code signing check
    • Deployed SBOM scanning for all third-party software
    • Created software allowlist for development tools
  2. Detection Improvements:
    • Created custom CrowdStrike IOA rule for updater anomalies
    • Enhanced Microsoft Sentinel rules for supply chain attacks
    • Implemented network segmentation for developer workstations

Jira Incident Report

Ticket: SOC-2024-026
Summary: T1195 – Supply Chain Compromise via ChartTool Software Update
Status: RESOLVED
Resolution: MALICIOUS – Software Supply Chain Attack
Priority: P1 – CRITICAL
Labels: T1195, supply-chain, software-update, living-off-land, powershell, development
Components: Endpoint-Security, Threat-Hunting, Software-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: CrowdStrike Falcon EDR – Behavioral Detection.
  • Alert: “Software Updater Executing Suspicious Child Process” – Living Off the Land (LotL) behavior.
  • Host: DEV-WS-045 (Development Department, David Chen).
  • Time: 2024-01-26 09:42 EST.
  • Technique: MITRE ATT&CK T1195 (Supply Chain Compromise) via compromised legitimate updater.

2. Technical Analysis:

  • Attack Vector: Compromised ChartTool software update (version 3.2.1).
  • Infection Chain:
    1. Legitimate ChartToolUpdater.exe (signed) downloads from vendor’s compromised update server.
    2. Updater contains malicious code that executes via process hollowing.
    3. Malicious payload spawns PowerShell with encoded command to download Cobalt Strike beacon.
    4. Beacon establishes C2 communication to 194.165.32[.]89:443.
    5. Attempts reconnaissance and establishes persistence via scheduled tasks.
  • Malware Analysis:
    • Primary Payload: Modified ChartToolUpdater.exe with injected shellcode.
    • Behavior: Process hollowing, AMSI bypass, PowerShell execution.
    • C2 Protocol: TLS with custom certificate mimicking ChartTool domain.
    • Persistence: Scheduled task “ChartToolMaintenance” and registry Run key.
  • Supply Chain Details:
    • Vendor: ChartTool Inc. confirmed their CDN was compromised Jan 19-21, 2024.
    • Compromise Method: Attackers uploaded malicious update package to vendor’s distribution server.
    • Scope: Updates distributed between Jan 19-21 contain backdoor.
    • Digital Signatures: Certificates were valid but applied post-compromise.
  • Impact Assessment:
    • Compromised Hosts: 12 development workstations.
    • Data Accessed: Source code repositories, development environment configurations.
    • Lateral Movement: None successful (contained via network segmentation).
    • Data Exfiltration: System information sent to C2 (no source code confirmed).

3. Investigation Findings:

  • Forensic Timeline:text2024-01-19: ChartTool vendor CDN compromised 2024-01-20: Malicious update package uploaded to vendor server 2024-01-21: WSUS downloads compromised update to internal server 2024-01-24: DEV-WS-045 automatically updates ChartTool via WSUS 2024-01-26 09:40: Malicious updater executes, spawns PowerShell 2024-01-26 09:42: CrowdStrike detects anomalous parent-child process 2024-01-26 09:45: Host isolated, investigation begins
  • Indicators of Compromise (IoCs):textFile Hashes: – ChartToolUpdater.exe (compromised): SHA256=8a7b6c5d4e3f2a1b… – ChartToolUpdater.exe (clean v3.1.9): SHA256=1b2c3d4e5f6a7b8… – Memory payload: SHA256=9c8d7e6f5a4b3c2… Network Indicators: – C2 IP: 194.165.32[.]89:443 – Malicious Domain: cdn.chart-tool[.]net – User Agent: ChartTool-Update/3.2.1 Registry & Artifacts: – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ChartToolUpdate – Scheduled Task: \Microsoft\Windows\ChartTool\ChartToolMaintenance – PowerShell Log: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

4. Containment Actions:

  • Immediate Containment (09:42-10:15 EST):
    • Isolated 12 affected hosts via CrowdStrike Falcon Network Containment.
    • Disabled ChartTool update service globally via Group Policy.
    • Blocked C2 IP and domains at firewall and DNS (Cisco Umbrella).
    • Notified vendor and pulled all ChartTool updates from WSUS.
  • Forensic Collection (10:15-12:00 EST):
    • Captured memory and disk images from 3 representative hosts.
    • Extracted malicious updater binaries and memory artifacts.
    • Preserved network traffic captures from border firewall.
  • Remediation (12:00-16:30 EST):
    • Rolled back all ChartTool installations to version 3.1.9 (verified clean).
    • Rebuilt 12 compromised workstations from clean images.
    • Deployed Microsoft Defender Application Control policy to block compromised version.
    • Implemented software update verification workflow for all third-party tools.

5. Root Cause Analysis:

  • Primary Cause: Compromised vendor update distribution server (ChartTool Inc. CDN).
  • Contributing Factors:
    1. Vendor Security: Insufficient integrity checks on update packages.
    2. Internal Controls: No software bill of materials (SBOM) verification.
    3. Detection Gap: Behavioral monitoring didn’t flag updater anomalies initially.
    4. Update Policy: Automatic updates without verification for development tools.
  • Attack Attribution:
    • TTPs consistent with Lazarus Group (APT38): Supply chain attacks, Cobalt Strike usage.
    • Infrastructure overlaps with previous software supply chain campaigns.
    • Motive likely intellectual property theft from development environment.

6. Business Impact:

  • Development Operations: 12 developers offline for 6-8 hours.
  • Project Timelines: Minor delays (1-2 days) for affected development teams.
  • Intellectual Property Risk: HIGH – Development source code potentially accessed.
  • Financial Impact: Approximately $25,000 in productivity loss + investigation costs.
  • Reputational Impact: MEDIUM – May affect customer confidence if disclosed.

7. Remediation & Prevention:

Completed Actions:

  • All compromised hosts cleaned and returned to service.
  • ChartTool software rolled back to secure version across enterprise.
  • Vendor notified and collaborating on security improvements.
  • IOCs distributed to all security tools (EDR, firewall, DNS, SIEM).

Technical Controls Enhanced:

  • Implemented software update verification via hash and signature validation.
  • Deployed Microsoft Defender Application Control for development tools.
  • Created network segmentation policy isolating development workstations.
  • Enhanced CrowdStrike IOA rules for updater process anomalies.

Process Improvements:

  • Established software supply chain security policy.
  • Created incident response playbook for T1195 attacks.
  • Implemented SBOM scanning for all third-party software.
  • Scheduled quarterly supply chain security assessments.

8. Lessons Learned:

  • Detection Gaps: Need earlier detection of updater behavior anomalies.
  • Prevention Gaps: Lack of software integrity verification in update process.
  • Response Gaps: Initial response focused on endpoint vs. enterprise-wide software impact.

9. Resolution Verification:

  • Technical Verification:
    • CrowdStrike shows no malicious processes on affected hosts.
    • Network monitoring confirms no C2 communication.
    • Software inventory confirms all ChartTool installations at version 3.1.9.
  • Process Verification:
    • New software update verification process documented and implemented.
    • Development team trained on supply chain security awareness.
    • Vendor security assessment questionnaire updated.

10. Conclusion:

This supply chain compromise incident involved a sophisticated attack on a third-party software vendor’s update mechanism, leading to the deployment of a backdoor across our development environment. The CrowdStrike detection of anomalous parent-child process relationships enabled rapid identification and containment. While the attack had significant potential impact, early detection and response limited the actual damage to reconnaissance activities.

Closure Rationale: All compromised systems remediated, supply chain security controls enhanced, vendor collaboration established, and monitoring improved for similar attacks. No evidence of persistent threat remains.

Follow-up Actions:

  1. Complete vendor security assessment (ETA: 2 weeks)
  2. Implement software composition analysis for all development tools (ETA: 1 month)
  3. Conduct purple team exercise simulating supply chain attack (ETA: 2 months)

Analyst: [Walter White], Senior SOC Analyst – Threat Hunting Team
Date: 2024-01-26 18:00 EST

Leave a Comment