So, yeah, we are here to speak about supply chain attacks. There will be about two cases we worked on last year. We will explain the two cases, the impact, and how, finally, a lot of companies were compromised due to a supplier. After that we have a small conclusion about our view of next year and supply chain attacks. So it's basically just what I explained to you. My name is Colin, and I've been working at Cisco Talos for close to two years now. I'm a security researcher, mainly working on malware analysis, APT, or targeted attacks, even if sometimes it's not so advanced. And I'm one of the organizers of the Botconf conference in France. If you saw the talk of Sebastian this morning, I would like to thank him for the organization and also for watching. And here are my colleagues. Oh, yeah, I do need this. I'll kick off first with that. Yeah, my name is Warren Mercer. I've worked with Paul in Talos now for around three years, mostly working around malware, not the malware analysis, reverse engineering, etc. So, yeah, I run a conference called BSides Belfast, which is in Belfast. Anyone else that can visit, please let me know; if you want to speak, even better. So, yeah, we're going to do this introduction. As Paul mentioned, we're going to talk today about supply chain attacks. And so the one notion is that it's exploiting trust relationships that you share with other companies, or it could be at an individual business level. We're going to cover two different attacks. The first one we're going to talk about is a piece of ransomware called Nyetya, also called NotPetya. So, we were one of the first people to discover this one. I was one of the first people to work on this. Cisco IR, rather fortunately, was on site. So, this is an attack that occurred in Ukraine. It was related to the financial documentation platform called MeDoc, which we'll get into a bit, but that's where it started. So, we got a phone call.
Cisco IR got a phone call and basically said, something really bad is happening. Now, that doesn't tell anyone anything. Something really bad is happening; there's no real message in that. So, we actually saw this on Twitter. And it was an actual tweet from the verified Ukrainian government account that said, some of our government agencies, private firms, were hit by a virus, but there's no need to panic. We're putting our utmost attention on the issue. So, this was pretty funny, but when we actually got into it and found out what it was, it was unfortunately not funny at all. So, what we started with was, although something bad is happening from a customer perspective and what was going on, what we started getting information-wise was: we were dealing with a tense history of ransomware, apparently targeting every organization in Ukraine. "Every organization" can be a bit wishy-washy, but that seemed to be the consensus of the information we were getting. The effectiveness of it was compared to flash flooding. By that, we mean it was happening rapidly, without any real time to respond or do anything about it. Currently, the infection and delivery vector were unknown. So, that's great fun to be thrown into. It's like everything's broken, the world is burning, but we don't know how. Can you help us? Okay, thanks for the call. So, the Cisco IR guys turn up on site, as you say, and any time there's a Cisco incident response engagement, they will work directly with a Talos member or the Talos team. So, Paul and I started looking at some of the stuff. We first tried to figure out what MeDoc is. So, it's a Windows .NET app, a hateful, hateful, hateful program, but it's developed in .NET. It's a tax processing application used abundantly throughout the world, not only Ukraine. Auto-update functionality, which is good, because we as security professionals constantly say, please patch your stuff; if you don't, bad things will happen.
Unfortunately, this was the opposite of that; it was the flip of that. Used in large companies, as I mentioned, and it has now become the most famous company in Ukraine due to wrecking lots of other companies with it. You know what I mean? I'm gonna show you that now, sorry. And so, communication-wise, what do we do? So, as I mentioned, it all started with a phone call. So, whenever your provider is sending you messages to say, guys, you do a lot of international long-distance calling here, could you please stop? We basically started doing lots of excessive calls. And now I'm all tangled up, sorry. So, AT&T were basically letting our IR guys know, you're spending too much money, so why are you phoning Ukraine? Turns out we actually needed to phone Ukraine. So, we'll start with a timeline perspective on it, how it all started. So, April 2017, April 14th, 2017, MeDoc released an updated platform. Auto-update functionality, as we mentioned, exists within the application for updates. May the 15th, they released another minor version release. Again, everything updates as you would expect. Unfortunately, this time, there was a backdoor released with it. June 22nd came and there was another version released, again carrying the same backdoor. So, we were quite confident that there was a backdoor in there, to the point where we guaranteed it. So, we started having to look back at what was going on from an update perspective and what was being carried out. So, we started looking at the backdoor that we identified. So, upd.me-doc.com.ua was contacted every two minutes. Now, that's the update server for MeDoc, so that's fine, that's legitimate, that makes sense. Well, this backdoor did have a six-stage command process that it could actually issue and what it could do. So, we had an email retrieval platform that was associated with it, that was waiting for execution of commands that the attacker wanted to be carried out.
And at the end, we determined that these commands were actually used to help distribute Nyetya, or NotPetya if you're not familiar with our terminology. So, the backdoor was simple. In reality, it started off by stealing SMTP credentials, so mail credentials, stored them in the registry, and started using them to actually do some communication back. You'll see, I think it's this one. Yeah, there it is, yeah. So, we started seeing it load different commands that run DLLs on Windows boxes. So, that's how we started to identify it. We started trying to build the picture of what's going on. We started with the Ukrainian tax document, as I mentioned; we have to figure out, well, what's it doing, how's it doing it? We basically started following our own timeline at this point. So, the MeDoc timeline that we came up with came back to April 2017, as I mentioned. That's when we started seeing basically initial releases with the backdoor included. June 27th was when it really got bad. That's the day that we got the phone call I mentioned at the start. So, around 9 a.m. UTC, we see that the threat actor starts using stolen credentials to perform a switch user command on a privileged update server. Very rare. I don't know how many people log or look at things in their batch, but looking for things like switch user on boxes that it probably shouldn't be happening on is quite important. So, you look out for things like this. So, from an IR and response perspective, you're looking at what's being logged and where it's being logged to. 10 minutes later. I don't know why it took 10 minutes. It's quite early. Maybe it was time for coffee. I don't know, but it took its time. So, 10 minutes later, he modified some of the server configuration that was being used to proxy the updates. This was proxied to a third-party hosting platform at the time. Logs confirmed all proxy traffic was going through this third-party hosted platform.
So, the attacker now had the update server proxying all traffic through his own box. If you don't know if that's bad, I'm going to tell you right now, that's really bad. You no longer have control of your traffic. You no longer have control of your update mechanism. You're in a very bad place. So, we start seeing what was going on then. At this point, as I said, this is a timeline that we built after the fact; it was unfortunately not real-time. So, the last proxy connection we see in the logs was around three hours later, 12:31. The original server was then restored from a configuration perspective. We see the disconnect from a Latvian IP. I think it'd be very clear here that that does not mean this attacker was based in Latvia. False flag attribution is a very, very different conversation that we can happily have after, but this does not mean this attacker was situated in Latvia. That is just where the box he was using came up from. The third-party host wiped the other box, where he was using a dd command. So, this was dead. There was no way; we didn't recover any more from that. So, we built a timeline. We didn't understand it was not ransomware at this point. We figured out how it was delivered. We figured out how it was actually perpetuating its commands around the infrastructure. So, now we started to look at Nyetya itself. And the worm capabilities, which are never fun in an organization that has connections outside of itself. Credential theft, which again is never fun, because the more credentials I have in your environment, the more I can move around your environment, and then ransomware. That's not fun, because it's just really annoying because you can't get your own files back and that pisses everyone off. So, propagation started like this. Files are all called perfc.dat. That contained everything that Nyetya needed to run from an execution and propagation point of view.
With four methods of propagation, we'll step through each one. First one, we go through a command line that it has using Mimikatz. Mimikatz is an awesome tool. However, if Mimikatz is on your network, it probably shouldn't be. So, this is a tool that you maybe keep an eye out for if you do have really good network logging, endpoint protection information, et cetera. Mimikatz is generally a well-recognized and well-regarded penetration testing tool for stealing credentials out of memory and performing pass-the-hash type attacks. It basically allows me to move throughout your environment without needing any credentials. We have to take a pass at the named pipe. We see the malware uses all the collected token information to begin propagation. First step we see was some use of EternalBlue as well. Five, two, one, let me go back and go over these. I thought I'd take over these slides of policies. It's only a method that this malware used to try and propagate around itself. It's a legitimate, fully supported platform that exists within Windows. PsExec is a legitimate remote administration tool that attackers will force it to use. This has been referred to a lot now as living off the land binaries. This is where you can actually, from an attacker's perspective, go into an environment and use everything that's there already. PowerShell is an awesome example of this. PowerShell is included by default with every Windows client. It's amazing for moving about, but WMIC is exactly the same sort of idea. EternalBlue and EternalRomance are both SMB-based vulnerabilities that were released by the Shadow Brokers and unfortunately, they're very effective. No one patched MS17-010. Well, no, they won't patch. This is the WannaCry issue. People didn't patch their infrastructure, so this allowed, even four months on from WannaCry, that Nyetya could still actually propagate around the environment.
So regardless of the propagation method it uses, it scans the IP subnet of the box it's on, looks for vulnerable hosts that it can get into, and goes where they go. So maybe that's what we've just explained. And then some of the EternalBlue modules, or sorry, Mimikatz modules that we're able to identify. Again, we can look at the code from a deeper point of view. So you look at the code at night and you can see what it's doing. You look at the Mimikatz GitHub, you can actually directly relate to the modules that are being used. So that's one way that you're able to point out what's going on and what it's trying to do. Mimikatz stuff, you should see crypt being used, so we can identify some of the crypt and symmetric key profiles and modules that are being used and functions that are being used. EternalRomance, on a modified platform with DoublePulsar. DoublePulsar is the backdoor that was used and released by the Shadow Brokers. If you didn't have MS17-010 applied, basically you could carry out some modified command-and-response codes that would allow an attacker to have code execution on your remote host. Now what we get here is a modified DoublePulsar backdoor installed; it drops the perfc.dat and then the whole thing starts over again because it's a worm; it constantly tries to replicate and move around your environment. The DoublePulsar modifications that it had were minimal. So the screen is a bit hard for me to see here, so I'm sort of trying to come to it from memory. But you'll see some of the different aspects, you'll see some of the commands; it's like byte-level code. Could use a license. See, you French people. Yeah, it's so smart. Yeah, you'll see the same command and center. He changed some of the byte codes that are being used, but not enough to actually, sorry, enough to make it a different execution.
So if you use any heuristic-based or signature-based scanning technologies, they would miss these because they're looking for that same byte code or opcode information. Again, DoublePulsar, all the cases that we can see, it's the exact same; he's changed the, if you look at the mov AL,10h and mov AL,11h, so he incremented one byte on each of the opcodes here. Again, enough to trick and fool some heuristic-based and signature-based platforms. And DoublePulsar modification again; this guy was clearly busy with DoublePulsar. These are some of the standard offsets that existed within the leaked code; it's available for, unfortunately, anyone to download and use and wrap into their malware. Again, he's changed some of the byte code responses. So Nyetya actually used its offset at 0x16, but the standard offset was 0x1e for multiplex ID. So it's the SMB traffic information that's being used. Propagation using PsExec. As I mentioned, PsExec is a really cool and legitimate Windows tool. If you're a systems administrator, you've possibly used this. Even if you're not, it's really useful to use in environments where you control and connect to multiple machines. What it did from a perfc.dat platform was drop it as dllhost.dat, use the stolen tokens as we mentioned that were taken by things like Mimikatz, and then connect to a remote machine, run this command here; I'll use the mouse because it's easier. Basically execute rundll32.exe running perfc.dat, the malware as we talked about, with an ordinal number. So an export of #1, which then kicked off the ransomware. WMI was the exact same. Use the stolen information that we've taken, so credential harvesting is key for this piece of malware to actually move from a wormable point of view. Pass the information across the named pipe using WMIC, which is part of WMI, and then use another process call create to run rundll32. And execute, you see the commonality, you see what it's doing. Encryption process.
No matter what methodology you use to actually get into your infrastructure, so whether you use EternalBlue, EternalRomance, PsExec, or WMI, it's trying to do privilege escalation of the current user. Once it did that, it created a scheduled task to create a reboot within one hour. Now, we don't really know why it did that because there is no real rationale for it to wait an hour. It could have just rebooted the box straight away. Maybe they wanted to try and get additional information. We don't really know that. There's no function that exists within that malware that actually creates that useful information that they could have been waiting on. So, yeah, we get a scheduled reboot. What happens in that scheduled reboot is the malware will destroy the MBR on physical drive zero. So the first physical drive that is referenced is what your environment will have as physical drive zero. If it has SeDebugPrivilege or SeShutdownPrivilege from an API point of view, it will destroy your MBR and wipe your disk. If it can't, it will destroy the first 10 disk sectors. Go there and encrypt some of the files. Use RSA-2048, which is a world record from a ransomware perspective. All of your files will be encrypted. You can't boot the box because your MBR is hosed. You're pretty much stuck. If you were lucky enough to get the box back up, the attacker actually had done some final log cleanup and he tried to delete any notion of you being able to find further MBR information. The pay note that you see once you're rebooted, similar to Petya, if you're familiar with Petya, red, sorry, black background with red writing, is going to tell you, come and pay me; there was money at this address and we'll give you your information back. The other thing about this was, the attacker used a single address from the Bitcoin perspective. So he had no real way to actually determine who paid and who hadn't paid. Very similar to WannaCry.
The attacker then also used a single Posteo.net email here. So we'll submit one, two, three, four, five, six of Posteo on it. Within probably an hour of this attack, Posteo shut that mailbox down. So even if you wanted to pay, which you should never do, we'd never advocate paying a ransom, but even if you wanted to, you could have no communication from the actor. Posteo had, in my opinion, made the right move. They shut that platform down so the attacker wasn't able to use it anymore. However, it then meant they're just unable to pay. Genuine ransomware? Not really, in my opinion, because of some of the things we just talked about. The single Bitcoin wallet makes it pretty much very difficult to track without having people sign addresses to prove where the payment came from, et cetera. Single email address, which was blocked as mentioned; you can't even talk to anyone. If you remember, your MBR was overwritten. Bad place if your MBR was overwritten. Even if your MBR wasn't overwritten, it wiped the first 10 sectors of your disk, so recovering your disk became a problem. And if you had the software avp.exe running, it also wiped the first 10 disk sectors regardless of privilege. Does anyone know what avp.exe is? I do; we have a prize, and it's about as big as what we do for it. Yes, Kaspersky is right. So this malware was actually looking specifically for Kaspersky, which might make sense with the payload that you create. We don't really know the motivation that was behind that, but if you had avp.exe running it would get rid of the first 10 sectors. So the malware basically, let's say I'm done, I'll wipe all your shit away. That's what was happening from his perspective. So as you probably understood, in this case, the purpose was to compromise the maximum number of machines. But by the way, for people, there is some free space here if you want to sit.
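The propagation and scheduled-reboot behaviour described above (rundll32 running perfc.dat export #1, launched through PsExec or WMIC, then a one-shot scheduled reboot) is exactly what a defender would hunt for in process-creation telemetry. This added example is not from the talk or from Talos: it runs four simple rules over constructed Sysmon-style events, and the hostnames, account name, task time and paths in the samples are invented.

```python
import ntpath
import re
from typing import Dict, List

# Constructed process-creation events (not real logs from the talk). Each carries the
# parent image, the image and the command line, as a Sysmon/EDR event would.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Remote launch through WMI: the WMI provider host spawns rundll32 on perfc.dat, export #1
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\perfc.dat",#1 60'},
    # Same payload launched by the PsExec copy the worm dropped as dllhost.dat
    {"parent": r"C:\Windows\dllhost.dat",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\perfc.dat,#1 60"},
    # Source side of the WMI hop: wmic.exe creating the process on another host with stolen creds
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic.exe /node:"10.0.0.7" /user:"CORP\admin" process call create "rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'},
    # The delayed reboot: a one-shot scheduled task that runs a forced shutdown /r later
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42'},
    # Benign rundll32: a Control Panel applet opened from Explorer
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # Benign schtasks: a nightly backup job
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC daily /TN Backup /TR "C:\tools\backup.exe" /ST 02:00'},
]

# rundll32 handed a non-DLL file (.dat) plus an ordinal export: the "perfc.dat,#1" pattern
RUNDLL32_DAT_ORDINAL = re.compile(r'rundll32(?:\.exe)?\s+"?[^"\s]+\.dat"?\s*,\s*#\d+', re.IGNORECASE)
# schtasks creating a task whose action is a forced reboot
SCHTASKS_REBOOT = re.compile(r'schtasks(?:\.exe)?\s+/create\b.*shutdown(?:\.exe)?\s+/r\b', re.IGNORECASE)
# wmic used for remote process creation (the WMI propagation path)
WMIC_REMOTE_CREATE = re.compile(r'/node:.*process\s+call\s+create\b', re.IGNORECASE)

# Parents that mean "this rundll32 was started by a remote-execution mechanism"
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}


def _basename(path: str) -> str:
    # ntpath handles backslash paths even when this runs on Linux
    return ntpath.basename(path).lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty list = nothing suspicious)."""
    hits: List[str] = []
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    cmd = event["cmdline"]
    if image == "rundll32.exe":
        if RUNDLL32_DAT_ORDINAL.search(cmd):
            hits.append("rundll32_dat_ordinal")
        # Either a known remote-exec parent, or a parent whose image does not even end in .exe
        if parent in REMOTE_EXEC_PARENTS or not parent.endswith(".exe"):
            hits.append("rundll32_remote_parent")
    if image == "wmic.exe" and WMIC_REMOTE_CREATE.search(cmd):
        hits.append("wmic_remote_process_create")
    if image == "schtasks.exe" and SCHTASKS_REBOOT.search(cmd):
        hits.append("schtasks_forced_reboot")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over a batch of events; one finding per event that tripped anything."""
    findings: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        rules = classify(ev)
        if rules:
            findings.append({"index": idx, "rules": rules, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["index"], ", ".join(f["rules"]), "->", f["cmdline"])
```

Two rules firing on the same rundll32 event (ordinal-on-.dat plus a remote-execution parent) is the combination worth paging on; either alone still merits a look.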
Wiping the machine or hosing the machine as quickly as possible is what the idea was designed for and what our actor did. From a financial point of view, there was at least, I mean, there were multiple companies that were impacted by this, but there were two companies that reported losses of over $300 million. So $300 million, so that's over half a billion dollars from two companies, and that's only people who talk about it publicly. So mass destruction and a quick way to cause the greatest impact. Yeah, yeah. So in this new case, you will see it's the same approach: supplier compromise, and compromise through a pivot at the supplier. But the goal was completely different. In Warren's case, the purpose was to compromise the maximum number of machines and generate buzz and media coverage, et cetera. In this case, it's more or less the opposite. So the purpose was to compromise the maximum of machines, but after, make some filter to limit to several specific, really important machines from the attacker's point of view. So it's about the CCleaner application. Who doesn't know CCleaner in the room? So everybody knows CCleaner, no? So next question, who already recommended to someone to install CCleaner? Yeah, some people are honest. People have believed, come on. So CCleaner, for the only guys that don't know, it is an application used to clean your system, clean your registry, have a bit of performance, clean malware, adware, et cetera like that. So it's quoted from the website, but the numbers are visible; it's used by a billion people. It's downloaded massively in more or less every language, et cetera. So it's massively used, so it's normal that more or less everybody knows this application. So we received a notification about a weird behavior inside of the CCleaner application. So the first thing we do when we receive this kind of stuff, we look at the binary; we saw it signed by Avast. The signature is valid, the binary was not modified, et cetera.
Our first reaction is, yeah, maybe our engine has an issue, maybe it's a false positive, something really common. And we start to take a look at it to understand why we have a weird behavior. And we detected, in fact, malicious code inside of the legitimate binary. So the compromised version, the version with malicious code, is version 5.33 and the Cloud version too. They maintain two different versions, but the same, and they share the same binary. And if you look at the change log, what I'm going to speak about today is a "minor bug". And the fun thing is, if you look at the timeline, so here we have the minor bug, and one week after, there's a revoked certificate. Minor bug, revoked certificate, so. So something very interesting from a reverser's point of view: I don't know if you reverse a lot of Windows binaries, but generally the first thing you don't do is reversing the runtime. The runtime is code added by the compiler to manage the heap and stuff like that. So basically you don't write this code; it's automatically added by Visual Studio for internal behavior. What did this attacker do? He modified the runtime in order to jump on the malicious code. So basically when you are a reverser, you receive a legitimate binary, signed, at least five megabytes, you don't look at the runtime. Trust me. So in this case, the guy chose to work on the runtime, and really at the beginning of execution of the malware. He simply added code inside of the runtime to jump on the malicious code. What is the purpose of the malicious code? It's not so big, it's even a little bit small. The purpose is simply to download an additional stage and execute it. But it does it in a really specific way. So when CCleaner's legitimate application is run, the runtime is executed, the malware jumps on the malicious part and continues the legitimate execution of CCleaner. So the application works as usual. It uses some techniques to detect if it's a VM or not. First, it makes some sleeps. It waits, delays.
If the delay is modified, so if it waits, I think it's 600 seconds. If it's less, it decides it's a sandbox. The delay was decreased by the sandbox. It's a common way for sandboxes to work. Other thing, it checked the user privilege because CCleaner must be run as admin. So if it's not run as admin, it's probably a sandbox or something not normal. So if it's not executed as admin, there's no execution. And if everything looks fine, it finally decides to contact the C2. And to do so, it has a really, really specific way. It tries to contact an IP, the IP on the slide. And if the IP doesn't reply, and it was okay during the investigation, the IP didn't work. So if it does not work, it generates a domain based on the month, the current month. And based on this domain, it makes a DNS request. So the DNS request gives two IPs. It makes some sort of byte manipulation to generate a third IP. And this final IP will be the C2. So the point is, if you look at the binary and you simply work statically, you see an IP, you say, yeah, I'm a winner. Now in this case, it's more complicated. It generates a domain, but this domain is not really used as C2. This domain is used to get two IPs and generate the final IP. So it's really specific; it's not something common. Here are some domains generated for each month of last year. And here is the OpenDNS output to show you that you really have activity on this specific DGA. You have requests on this domain during one month. And the month after, it's zero and the new domain was used. So you really can see the activity by month. So what is the purpose of the connection to the C2? The purpose was to register the machine, the compromised system, by giving some information such as installed programs, processes, this kind of information. You will see later exactly what kind of information is sent. If the machine was relevant for the attackers, they can decide to send a second stage to the machine, to the compromised system. So the second stage is a DLL.
It used the same stuff: it used a legitimate binary and patched the legitimate binary with malicious code. But in the Avast case, the binary was signed and the signature was valid. So the attackers added malicious code before, during, or before compilation of the binary by Avast, and it was signed. In this case, it's simply a patched binary, but the binary didn't have any signature. So I don't think they compromised things at a high level simultaneously. So in this case, it simply takes a binary, patches them, and uses them like that. Contrary to the last. And yeah, it stored the patched binary, which is three megabytes. It's not necessarily the most important. And it used exactly the same trick. It decided to work on the runtime. So it patched the runtime of the binary to execute malicious code. So basically what a reverser doesn't really take time to look at. You can have more information about this thing. Simply, if there is a reverser in the room, he uses small tricks, really different, and it can make you crazy. Here on the left, you have an IDA Pro capture, the graph view of IDA Pro. And if you look at the end, the function finishes by a pop, and it's really unusual. If you reverse a lot of binaries, it never finishes by pop. But if you switch to text view, you can see in fact it finishes by a jmp. So he used a feature of IDA Pro. IDA Pro uses some specific section to identify the beginning and the end of a specific function, typically for the runtime. And the guy modified it to say to IDA Pro the section finishes one byte before. And IDA Pro in graph view forgets to display the jmp to you. But if you work in text view, you can see the jmp without an issue. We are safe. Radare is not impacted by this bug. Sadly, nobody uses Radare. So, fine. Yeah, the purpose of this second stage was more or less the same as the previous one, to get an additional payload. But instead of using DNS to get IPs to generate an IP, it performed two queries on two legitimate websites, GitHub and WordPress.
Get information from these two websites, make some byte manipulation to generate a new IP. So the approach is the same, but instead of using DNS, it uses two official legitimate websites. During our investigation, these two pages and these two specific searches on these websites didn't give us any results. So we were not able to go on to the next stage and the next binary, but you can look on Google; I asked to make some research and maybe find the next stage. But we didn't, so I won't speak about it. Yeah, so on stage one, there is a custom base64 function to encode and decode strings. And I think it's Kaspersky or Intezer. I don't remember. Kaspersky, yeah. They identified that this specific custom base64 function was implemented in exactly the same way in a group named APT17, or Group 72 for us. So what is this group? You can make some Google search about it, but it's alleged to be a Chinese hacker group. So be careful, because similarities sometimes work, sometimes don't. You must be really careful; basing attribution on a few opcodes is not always a good idea. But anyway, it's just a fact. So that's for the malware part. And something really interesting, maybe the most interesting part: we had access to a command and control and we were able to make an investigation on the database of this C2 and the information about the people compromised, et cetera. So it's really easy. It's simply a PHP website, no rocket science, with a MySQL database. Something that is pretty clever from my point of view: the attacker modified the binary to use specific requests like POST and stuff like that to connect to the C2. And if you don't contact the server in exactly the right way, if you perform GET instead of POST, if you do this kind of thing, it will automatically redirect you to Piriform, the company that creates CCleaner. So imagine you have a suspicion, you are analyzing this stuff, you find a weird connection to this weird domain.
If you go to your browser, you put in the domain, you will be redirected to Piriform, the developers of CCleaner. So you will say, oh yeah, it's the Piriform website, it's not malicious. So it's clever. Here is the configuration file. So you have the username for the database, the password, the time zone. So obviously I can put PRC if I want on my server. PRC is the Chinese time zone. And you've got the DLL name; it's the base of the second stage. So the setup is the second stage pushed on machines that interest the attackers. Here is the database creation and request. If you are good at SQL injection, you could probably see an SQL injection. And here is the shellcode to execute on a machine to download the second stage. Okay, the most interesting part is this code. So when a machine is compromised with stage one, so a billion machines potentially, the machine sends installed applications, running processes, et cetera, but the machine sends its IP, and the machine sends the domain from an Active Directory point of view, the domain where the machine is bound. And the attackers implemented two filters based on this information. So the first filter is based on domain. So basically if the machine has this specific domain, I send the stage two. And the second filter is based on IP. If the compromised machine has this IP, I send the specific stage two. The IP was not used on this server. But the domain was used. We found a domain in the configuration and this domain matches organizations, companies, entities that interest the specific actor. Here is the list of the domains that the attacker was looking for. So if CCleaner is installed on the machine and the machine is bound to one of these domains, the attacker specifically, automatically sends the stage two. If your machine is not bound to one of these domains, your machine was compromised by stage one. It makes some request every day to the C2 to see if a second stage is ready for it. But that's all.
You are compromised, but you don't download an additional payload. If you are on one of these domains, you will receive an additional payload. So as you can see, it's mainly IT companies. Yeah, it's IT companies. So this attacker, this guy, is mainly interested in IT companies. He compromised really a lot of machines, but after, he did a small filter on really specific targets. So if you look at the database, you have three tables. The table named Server contained all the machines compromised by stage one, so all machines where CCleaner, this specific version, was installed. The OK table was the table where you have the machines that received the stage two, so basically machines bound to these domains that get this present. I did some statistics about the machines, the number, et cetera, the OS, location, blah, blah, blah. But keep in mind it's only four days of data because the attackers had some issues, because life is hard. And four days before the acquisition, he lost his machine due to a full file system. So he had to reinstall everything and restart the DB, and that's why we only have four days. I think he was a victim of his success. He didn't expect so much data, so many compromised machines, and finally didn't plan enough and this was full. And it's only one server of the five we identified. We did not get access to the five servers. The table, the Server table. So yeah, it's basically what I said to you: the machine IP address, Windows version, process list, is it admin, host name, domain name; domain name is from an Active Directory point of view. MAC address, software, blah, blah, blah. Here is an example of data. You can guess it's a Chinese machine and you have a list of applications, running processes, et cetera. You have the OK table. This one is more interesting because it contains all machines that received the second stage, so all machines that the attackers are really interested in.
And at this exact time when we have the database, we know that he sent the second stage and had control of 25 machines. So it looks like a lot, but I know it's not 25, it's a little bit less. But anyway, it's not a lot compared to the global number of machines you will see just after. But a little bit more than 20 machines received the second stage. So if we look from a statistical point of view, I count the number of machines in the database and we are at more than 800,000 systems. So the guy had access to almost one million machines and he decided to compromise only 20, a little bit more than 20. So he has a really, really big botnet of machines at this time, in four days. At this point, it's hard to identify. CCleaner is used by a lot of individual users at home. And my goal was to identify companies, organizations, et cetera, and to separate this kind of profile from home users. I don't have a magic way to do it. So the technique I use, I simply decided to check if the machine is bound to a domain. I estimate that at home you don't have a domain. And if I use this technique, I can count how many machines are bound to a domain. So how many machines I estimate are corporate machines. And in this case it's 41,000 machines. So this is, from my point of view, it's a short, 100% more or less. It's the number of corporate machines compromised by this guy with stage one, and potentially stage two later if he wants. I made some other queries and typically I would like to know if some domains had a lot of compromised machines. So in this case, you have the output of the count by domain. So typically a specific domain, a specific organization, entity, company, has 960 compromised machines, this organization bound to a specific domain. And after, 700, et cetera. So some organizations have a lot of work because they have a lot of compromised machines with this CCleaner version installed during our investigation. I made some statistics about operating systems, but it's simply a projection of life.
You have a lot of Windows 7, you have some Windows 10 and Windows XP. So it's simply to represent life, I think. But with the domain, we can make some more advanced requests. Typically here I was looking for domains containing .gov and I've got 500 machines from domains containing .gov. Or the same thing with bank, 51. So these machines are bound to a domain named gov-something or bank-something. Something a little bit more dangerous, I checked the installed software on the machines. And the first query, I was looking for whether some machines have a PLC simulator installed. And I found 200 machines compromised by stage one with a PLC simulator. So PLC is for SCADA systems, industrial stuff. And in this case, it's a simulator. So it's probably developers or this kind of profile that were compromised by CCleaner. Another one, the second one, I was looking for machines that have Modbus installed on them. And I got more than 200 machines with a Modbus application installed. And Modbus is a protocol supported by PLCs, which means that these people work more or less on this kind of domain, PLC or industrial stuff. And the last one is probably the worst query. The first one was the PLC simulator, so to simulate and develop. And the last one is monitoring. So I got nine machines compromised with an application used to monitor PLCs, to monitor SCADA systems, industrial stuff, et cetera. And in this case, the attacker had access to nine machines with a PLC monitoring system installed. Luckily, on our backup list, all these machines only received stage one. So the attackers were not interested in these machines at this time. It was there, maybe for later, maybe it would never have been used, but it was there. Yeah, this morning I decided to make some Canadian statistics, just for you, exclusively. So I identified close to 14,000 infected systems with an IP based in Canada, all of Canada. We made some searches on the Active Directory domain and 300 domains contain .ca in the domain.
Globally, it represents 1.6% of infections, but the difference between each is really small. I think the first one represents 3%. So it's 3, 2.9, 2.8, et cetera. Everybody is really close. And it's like this for the most popular countries in this infrastructure. So a lot of machines. So, conclusion. The two cases are completely different in purpose. In Warren's case, the purpose, as I said, was to compromise the maximum number of machines and go destroy everything, basically. And in my case, the CCleaner case, the purpose was to compromise the maximum number of machines, but to send the payload, the final payload, to really, really specific targets. You can see the list, it's really, really specific. But if we didn't identify this behavior inside the CCleaner application, the guy could keep this botnet for years and choose targets, change the profile, et cetera. It's really well designed and you can easily change everything on the fly. Speaking more globally about supply chain attacks, we did more or less the same talk previously and we had the first question, how can we be protected against supply chain attacks. And I think we'll have the same question. So our answer: it's really, really complicated and we don't have any answer. Typically, if we look at the Nyetya case, this kind of thing, if you have a really separated network, not a flat network where everything is in the same place, your major application will be compromised, will be encrypted, but the malware won't be able to propagate inside your network. So if you limit your network to really specific business, with few machines, et cetera, and you have a correct network design, you can mitigate or limit the impact of this kind of compromise. For CCleaner, it's completely different. You don't have propagation and it's a one-shot install. And in this case, it's more a matter of caring about what you install. It looks stupid, but it's a fact. And it's not because it's freeware. It's not because it's massively used.
It's not because it has a good reputation that you can install it everywhere like that, just because. And in this case, I think the CCleaner case was more complicated to identify because the binary is signed, you can trust the provider, you could have a contract. I think they have a pro service and they sell the application, et cetera. And in this case, it's really, really complicated to identify. And to be honest, I don't have strict rules to help you with supply chain attacks. And that's what is very scary, because you trust your provider. I'm pretty sure you are not able to count the number of providers you have. Half a hundred thousand from different providers. And for us, it's really, really complicated. It will be more complicated with time, when we have more and more providers. And the infrastructure is more and more complex. And this kind of stuff can stay for years, simply because this application is really used by a lot of people. So we can be lucky and a researcher will find it in the end. But if it's a more exclusive provider with a specific application and only a few customers, it could take a lot of time before a security researcher takes the time to look at it and finds something. Yeah, when you're building a botnet at a rate of eight hundred thousand hosts in four days. I mean, that guy, say that individual, person, group, malicious actor, call them whatever you want, what they wanted to do with that botnet. I mean, four days, eight hundred thousand hosts. It's more, it is more key that it's important. It's like Necurs, which is one of the biggest, the most highly regarded email spam platforms in the world. Really good to know what everybody wanted about it. If they had wanted to mine XMR cryptocurrency, they'd be millionaires. As Paul said, we found it, but it doesn't necessarily mean someone else would've. We found it looking at, we were doing something to test a new engine platform, which is how we identified it. Had we not been doing that?
Then we potentially wouldn't have found it, because obviously CCleaner hadn't found it at the time. How that came to fruition was CCleaner had been bought and worked well. Avast, they purchased a company called Piriform. Unfortunately, they had acquired a breach as a service at that point, which is not good. And that's something you also need to be aware of as well. If you're working on acquisition type stuff, if you are a trusted supplier at the end of the day, you need to be sure that the people you're bringing into your network or into your infrastructure are someone you trust. That's very hard to do. As Paul said, we definitely don't have the right answer. So don't ask us, we will do what they tell you. But yeah, as the last slide says, we felt that disturbance in the supply chain. So we hope you enjoyed it. If you have any questions, please ask.
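The triage Paul describes over the seized C2 database (AD domain membership as the corporate heuristic, counts per domain, substring matches on .gov and bank, installed-software queries for PLC, Modbus and SCADA tooling, and checking which of those hosts only ever got stage one), as an added Python example that is not from the talk or from Talos. The column names, the target-domain list and every row are constructed assumptions standing in for the real server and OK tables.

```python
# Added example, not from the talk: triage of a seized C2 "server table". Columns and rows are constructed.
from collections import Counter

# Constructed sample rows: one per stage-one beacon (the speaker's "server table").
SERVER_TABLE = [
    {"ip": "203.0.113.10", "domain": "",               "software": ["CCleaner"]},
    {"ip": "203.0.113.11", "domain": "corp.example",   "software": ["CCleaner", "Office"]},
    {"ip": "203.0.113.12", "domain": "corp.example",   "software": ["CCleaner", "PLC Simulator"]},
    {"ip": "203.0.113.13", "domain": "it.gov.example", "software": ["CCleaner"]},
    {"ip": "203.0.113.14", "domain": "bank.example",   "software": ["CCleaner", "Modbus Poll"]},
    {"ip": "203.0.113.15", "domain": "corp.example",   "software": ["CCleaner", "SCADA Monitor"]},
]
# Constructed stand-in for the domain list found in the C2 configuration; the "OK table"
# is the set of hosts whose AD domain matched it and therefore received stage two.
TARGET_DOMAINS = {"corp.example"}
OK_TABLE = [r for r in SERVER_TABLE if r["domain"] in TARGET_DOMAINS]

def corporate_hosts(rows):
    """Speaker's heuristic: a host joined to an AD domain is treated as corporate."""
    return [r for r in rows if r["domain"]]

def count_by_domain(rows):
    """Which organisations have the most stage-one victims (largest clean-up burden)."""
    return Counter(r["domain"] for r in rows if r["domain"])

def hosts_with_domain_token(rows, token):
    """Hosts whose AD domain contains a substring such as '.gov' or 'bank'."""
    return [r["ip"] for r in rows if token in r["domain"].lower()]

def hosts_with_software(rows, keywords):
    """Hosts whose installed-software list mentions any keyword (PLC, Modbus, SCADA...)."""
    kws = [k.lower() for k in keywords]
    return [r["ip"] for r in rows if any(k in s.lower() for s in r["software"] for k in kws)]

def ics_hosts_not_targeted(server_rows, ok_rows):
    """ICS-related hosts that only got stage one: exposed, but not selected by the actor."""
    ics = set(hosts_with_software(server_rows, ["PLC", "Modbus", "SCADA"]))
    targeted = {r["ip"] for r in ok_rows}
    return sorted(ics - targeted)

def triage_report(server_rows, ok_rows):
    """One summary dict an IR analyst would hand over with the seized database."""
    return {
        "total": len(server_rows),
        "corporate": len(corporate_hosts(server_rows)),
        "top_domains": count_by_domain(server_rows).most_common(3),
        "gov": hosts_with_domain_token(server_rows, ".gov"),
        "bank": hosts_with_domain_token(server_rows, "bank"),
        "stage_two": sorted(r["ip"] for r in ok_rows),
        "ics_stage_one_only": ics_hosts_not_targeted(server_rows, ok_rows),
    }
```

Calling `triage_report(SERVER_TABLE, OK_TABLE)` on the constructed rows reports six beacons, five of them domain-joined, three stage-two recipients in corp.example, and one Modbus host that was never selected.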