
New Video from @BlackHatOfficialYT: In-Depth Research on Drone Supply Chain Attacks
In this video, Vickie Su and Philip Chen, threat researchers at Trend Micro, present an in-depth study of drone supply chain attacks titled "Drone Supply Chain Grand Siege: From Initial Breaches to Long-Term Espionage on High Value Targets." The talk is organized into chapters covering introduction and context, campaign analysis, malware analysis, attribution, and conclusions.
The speakers begin by explaining why the drone industry matters, particularly for military and security applications: drones are essential for defense, surveillance and disaster response, and they improve operational security and efficiency. In Taiwan, an alliance of about 50 companies in the drone supply chain, with government backing, aims to produce 15,000 drones per month by 2028, which makes that ecosystem a high-value target for attackers.
The research focuses on two campaigns, TIDRONE and VENOM. TIDRONE primarily targets organizations in Taiwan and South Korea, including satellite, drone and military service providers; VENOM targets a broader set of industries, including healthcare, technology and software service providers. The attackers combine custom malware with open-source tools, the latter largely to blend in with legitimate activity and hide their tracks while compromising systems.
The speakers distinguish two forms of supply chain attack: the classic form, in which malicious code is injected into a product or a software update is replaced, and the general form, in which the attackers abuse trusted channels between a vendor and its customers to deliver malware downstream. They detail the tools used, including CXCLNT, CLNTEND and SCREENCAP, along with the persistence and data collection techniques that accompany them.
Vickie Su then presents a detailed analysis of the malware, including VENFRPC, a modified build of the open-source FRP (fast reverse proxy) client, and the two versions of CXCLNT. She explains the use of Windows fibers as an anti-analysis and detection-evasion technique. The malware supports multiple connection methods and can receive plugins from the C2 server to extend its functionality.
For attribution, the speakers assess that the attackers are Chinese-speaking, based on the compilation timestamps of the samples and on the C2 communication logs. The TTPs and the scope of the targets overlap with those of the known threat group Earth Ammit.
The conclusions stress the value of long-term monitoring of Earth Ammit's activity in order to understand its objectives. The attackers start with common, widely available tools to test the waters and then move to more advanced, custom tooling against specific victims. Indicators of compromise (IOCs) are provided to aid detection and prevention.
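IOC lists from a talk like this arrive defanged (hxxp, [.]) and in mixed case, and the first thing a SOC does with them is sweep the telemetry it already holds. The Python below is an added example, not the talk's IOCs or tooling: it normalizes a constructed IOC feed (placeholder domain, IP, SHA-256 and URL, none of them from the research), extracts hosts, IPv4 addresses and SHA-256 hashes from constructed proxy, EDR and netflow lines, and reports which lines hit. It matches subdomains of a listed domain as well as the domain itself, and compares hashes case-insensitively.

```python
import re

# Constructed IOC feed in the defanged style of published reports. Placeholder
# values for this example only, not indicators from the Black Hat talk.
IOC_TEXT = """
# type   indicator
domain   update[.]example-cdn[.]test
ip       198.51.100.23
sha256   6B1C0D3A6B1C0D3A6B1C0D3A6B1C0D3A6B1C0D3A6B1C0D3A6B1C0D3A6B1C0D3A
url      hxxps://files[.]example-vendor[.]test/stage2.bin
"""

# Constructed telemetry from a fictional workstation: proxy, EDR and netflow.
SAMPLE_LOGS = [
    "proxy 2024-03-07T09:12:44Z src=10.0.5.17 dst=cdn.update.example-cdn.test:443 method=CONNECT",
    "edr 2024-03-07T09:13:01Z host=WS-0413 proc=C:\\ProgramData\\svc\\upd.exe "
    "sha256=6b1c0d3a6b1c0d3a6b1c0d3a6b1c0d3a6b1c0d3a6b1c0d3a6b1c0d3a6b1c0d3a parent=explorer.exe",
    "net 2024-03-07T09:13:05Z host=WS-0413 dst=198.51.100.23:7000 proto=tcp",
    "proxy 2024-03-07T09:20:00Z src=10.0.5.18 dst=www.example-news.test:443 method=CONNECT",
    "proxy 2024-03-07T09:21:12Z src=10.0.5.17 url=https://files.example-vendor.test/stage2.bin status=200",
]


def refang(value):
    """Undo common defanging so indicators compare equal to raw telemetry."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp", "http", v)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(defanged, real)
    return v


def parse_iocs(text):
    """Parse 'type indicator' lines into sets keyed by type; '#' lines are comments."""
    iocs = {"domain": set(), "ip": set(), "sha256": set(), "url": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(None, 1)
        kind = kind.lower()
        if kind not in iocs:
            raise ValueError(f"unknown IOC type {kind!r}")
        iocs[kind].add(refang(value))
    return iocs


_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def match_line(line, iocs):
    """Return (type, indicator) pairs from `iocs` that this log line hits."""
    low = line.lower()
    hits = []
    for host in sorted(set(_HOST_RE.findall(low))):
        for domain in iocs["domain"]:
            # A listed domain also covers its subdomains (cdn.update.x matches update.x).
            if host == domain or host.endswith("." + domain):
                hits.append(("domain", domain))
    for ip in sorted(set(_IP_RE.findall(low))):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for digest in sorted(set(_SHA256_RE.findall(low))):
        if digest in iocs["sha256"]:
            hits.append(("sha256", digest))
    for url in iocs["url"]:
        if url in low:
            hits.append(("url", url))
    return hits


def sweep_logs(lines, iocs):
    """Return (1-based line number, type, indicator) for every hit, in line order."""
    results = []
    for number, line in enumerate(lines, 1):
        for kind, value in match_line(line, iocs):
            results.append((number, kind, value))
    return results


if __name__ == "__main__":
    for number, kind, value in sweep_logs(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(f"line {number}: {kind} {value}")
```

Sweep historical logs, not just live traffic: the talk describes initial breaches followed by long-term espionage, so a hit in months-old proxy or EDR data is what tells you how long the access has existed.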
To apply this in practice, companies must keep a close watch on their supply chains and implement robust security measures against attacks of this kind. Understanding the techniques and tools the attackers use helps organizations defend against them and respond quickly when an incident occurs.