
Most chip companies show signs of active compromise

Summary

In a recent study "Semiconductors, the Supply Chain, and Cyber Security 2021" done by BlueVoyant, the majority of chip companies in the world show signs of already being hacked, thanks to monitoring malicious traffic coming out of them.  There goes the neighborhood.

 


Quotes

Quote

Nearly all (94%) of the companies studied had open, at-risk ports, while a quarter (24%) had open RDP ports, one of the top vectors for ransomware. A similar number had open authentication ports (24%) and open datastore ports (18%) were also commonplace.  What’s more, 88% of the companies demonstrated evidence of high-severity vulnerabilities which could allow attackers to gain a foothold into systems.

...

over three-quarters (76%) of chip companies studied presented evidence of outbound traffic to known malicious infrastructure. This indicates that the organizations in question may already have been compromised.

 

My thoughts

This is what happens when "we're too big, they won't go after us" and "the intern set it up 5 years ago" and "not my job" and "security isn't profitable" happen.  Take a lesson from this: if you've got a company or an IT department asking for security funding, support that, or make sure companies you're associated with have a good, security-minded IT consultant company that does active patches, backups, mitigations, etc.

 

I have hope that this sounds worse than it is, since I know at least a couple of these companies are of a size where they may run internal honeypots.  But any way you look at it, this is pretty damning, and looks really bad for trusting the security of hardware for the next couple of generations, or at least for expecting massive IP stealing and copying.  If you think your favorite company isn't included...it probably is.  The industry is small, even if the players are large.

 

Quote

The security services firm appraised the security posture of the 17 most prominent players in one of the globe’s most strategically important supply chains. These included companies in Asia, Europe and the US such as “fabless” chip designers, semiconductor software designers, manufacturers of equipment that fabricates semiconductors, foundries, and integrated device manufacturers (IDMs).

 

Sources

https://www.bluevoyant.com/resources/bluevoyant-review-semiconductors-the-supply-chain-and-cybersecurity-2021/

https://www.infosecurity-magazine.com/news/most-global-chip-companies-signs/

https://theopensecurity.com/article/778-most-global-chip-companies-show-signs-of-compromise/


5 minutes ago, James Evens said:

solarwind123?

Solarwinds!23 now 😛


Well damn.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


These companies aren't being set up to distribute malware. They are having technical secrets stolen by the Chinese. 

Main Computer: CPU - Ryzen 5 5900x Cooler - NZXT Kraken x53  RAM - 32GB Corsair Vengeance Pro GPU - Zotac RTX 3070 Case - Lian Li LanCool II RGB (White) Storage - 1TB Inland Premium M.2 SSD and 2x WD 2TB Black.

Backup Computer: CPU - Ryzen 7 3700x Cooler - CoolerMaster ML240 V2 RAM - 32GB G.Skill RipJaws GPU - Gigabyte GTX 1070 FE Case - Cougar QBX Storage - 500GB WD Black M.2 SSD 


On 4/3/2021 at 9:04 PM, James Evens said:

solarwind123?

...F**k.

brb


Sadly, most companies outsource IT now to overseas groups to cut costs. So their physical IT departments are much smaller and rely more on external systems not in their control. Azure or AWS are common.


That sounds really scary.  The question is, is it an advertising move or an actual problem?

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


8 hours ago, Bombastinator said:

is it an advertising move or an actual problem?

When a company exposes services that should not be exposed to the internet (telnet, RDP, SMB, printers, etc.), that's pretty much a red flag and that company should be avoided at all costs.


2 hours ago, Bombastinator said:

That sounds really scary.  The question is, is it an advertising move or an actual problem?

I was thinking the same thing.  Since they chose just 17 companies, it seems like maybe they were cherry-picking their sample data (like maybe they were targeting ones that they knew might have an issue).

 

This also reminds me of the time when I was in charge of keeping PCI compliance...the results would always come back as "[potential hosting of website by a Windows 2000 Server]".  The thing was, it was a Windows Server 2012 R2, and later a fresh install of Windows Server 2016.  Just the way the company scanned, and the way the server was configured, it always got flagged as an older server (if I recall correctly, the server didn't respond with standard information, so they took it to be a non-new system).

3735928559 - Beware of the dead beef


22 hours ago, TargetDron3 said:

These companies aren't being set up to distribute malware. They are having technical secrets stolen by the Chinese. 

Aren't most of the chips already made in China? Why would they have to hack anything, the government could just go in and take whatever they want.

"Don't fall down the hole!" ~James, 2022

 

"If you have a monitor, look at that monitor with your eyeballs." ~ Jake, 2022


33 minutes ago, wanderingfool2 said:

I was thinking the same thing.  Since they chose just 17 companies, it seems like maybe they were cherry-picking their sample data (like maybe they were targeting ones that they knew might have an issue).

 

This also reminds me of the time when I was in charge of keeping PCI compliance...the results would always come back as "[potential hosting of website by a Windows 2000 Server]".  The thing was, it was a Windows Server 2012 R2, and later a fresh install of Windows Server 2016.  Just the way the company scanned, and the way the server was configured, it always got flagged as an older server (if I recall correctly, the server didn't respond with standard information, so they took it to be a non-new system).

So an argument for a real look but not actually definitive of a problem.


47 minutes ago, Sarra said:

Aren't most of the chips already made in China? Why would they have to hack anything, the government could just go in and take whatever they want.

At the end of the day, a big company with millions in commitments is a big company with millions in commitments.  They're just as potentially susceptible to a profitable ransomware attack as any other company.  There is an additional issue, though, because there's zero play left in the chip supply chain, so even a minor glitch could cause big problems for everyone.  People could even die because of it.


1 hour ago, Sarra said:

Aren't most of the chips already made in China? Why would they have to hack anything, the government could just go in and take whatever they want.

China doesn't fab any high-tech chips within your sphere of concern (western consumer market). They do however receive all sorts of chips (ICs) for assembly into consumer electronics.


6 hours ago, wanderingfool2 said:

I was thinking the same thing.  Since they chose just 17 companies, it seems like maybe they were cherry-picking their sample data (like maybe they were targeting ones that they knew might have an issue).

That is a good question to ask, but the answer is sadly not cherry-picking.  There just aren't that many companies that do chip fab and design.  Intel, AMD, Apple, TSMC, Samsung, nVidia...that'll be your top 6.  Unfortunately the report itself is behind a wall, but I'd be curious if ARM and Power were listed, along with VIA for another x86 company.  It would get even more interesting with things like Broadcom.  I think the key here, though, is that they chose "the 17 most prominent players" (according to the report), which ensures this isn't just cherry-picking random companies you haven't heard of.


Quote


Nearly all (94%) of the companies studied had open, at-risk ports, while a quarter (24%) had open RDP ports, one of the top vectors for ransomware. A similar number had open authentication ports (24%) and open datastore ports (18%) were also commonplace.  What’s more, 88% of the companies demonstrated evidence of high-severity vulnerabilities which could allow attackers to gain a foothold into systems.

 

over three-quarters (76%) of chip companies studied presented evidence of outbound traffic to known malicious infrastructure. This indicates that the organizations in question may already have been compromised.

What This Really, Probably, and With Malice, Means:

While this is pretty astonishing to most, this is actually normal across all industry. Definitely not OK, but pretty standard. RDP and other ports are definite targets, as there are many vulnerabilities linked to almost any protocol on any port. I need to look through this whole article, but my first thought here is to tell everyone to slow down and take a breath. Open ports, even an unpatched vulnerability, do NOT mean active compromise. If left open long enough, there will most definitely at least be indexing/scanning and it will be noticed, but that doesn't mean anything open is hacked. There are a lot of steps AFTER finding an open port one has to go through to even get to anything worthwhile. Most of these companies with open ports like this are paying for very expensive teams that either know full well they are open and are monitoring, don't know and will know before it's terrible, or... don't know and are about to have a really bad day. Anyway... in security there is not always fire where there is smoke.

That said, this is a great conversation and the pressure needs to be put on companies to strengthen security. It is too easy to lock ports down, employ strong vulnerability/patch management, and enforce secure coding practice... but that ease costs a lot of money they might not have, or don't want to spend on something that "generates no revenue".

So hey. Check out Shodan or GreyNoise if you are really interested. My go-to news source is the guys over at Security Affairs; they do great work.
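To make the distinction in the post above concrete (exposure findings versus an actual compromise indicator) and to show how the percentages quoted in the opening post are computed, here is an added Python example. It is not BlueVoyant's method or code and comes from nobody in this thread; the port classes, the "known malicious infrastructure" list and the four fictional companies are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed port classes, loosely matching the report's categories (not its definitions).
RDP_PORTS = {3389}
AUTH_PORTS = {88, 389, 636, 1812}                 # Kerberos, LDAP, LDAPS, RADIUS
DATASTORE_PORTS = {1433, 3306, 5432, 6379, 9200, 27017}
OTHER_AT_RISK = {21, 23, 139, 445, 5900, 9100}    # FTP, telnet, NetBIOS, SMB, VNC, raw print
# Constructed "known malicious infrastructure" list: TEST-NET addresses, not real IoCs.
KNOWN_BAD = {"203.0.113.10", "198.51.100.77"}

@dataclass
class Assessment:
    company: str
    exposures: dict = field(default_factory=lambda: defaultdict(set))
    outbound_hits: set = field(default_factory=set)

    def verdict(self):
        # Only outbound contact with known-bad infrastructure suggests compromise;
        # an open port is exposure to reduce, not proof of a breach.
        if self.outbound_hits:
            return "investigate: outbound to known malicious infrastructure"
        if "rdp" in self.exposures:
            return "reduce exposure: RDP reachable from the internet"
        if self.exposures:
            return "reduce exposure: at-risk services reachable"
        return "no findings"

def classify_port(port):
    """Map a port to a finding category, or None if it is not considered at-risk."""
    for cat, ports in (("rdp", RDP_PORTS), ("auth", AUTH_PORTS),
                       ("datastore", DATASTORE_PORTS), ("other_at_risk", OTHER_AT_RISK)):
        if port in ports:
            return cat
    return None

def assess(services, flows):
    """services: (company, ip, port) reachable externally; flows: (company, src, dst)."""
    out = {}
    for company, ip, port in services:
        a = out.setdefault(company, Assessment(company))
        cat = classify_port(port)
        if cat:
            a.exposures[cat].add((ip, port))
    for company, src, dst in flows:
        a = out.setdefault(company, Assessment(company))
        if dst in KNOWN_BAD:
            a.outbound_hits.add((src, dst))
    return out

def prevalence(assessments):
    """Percent of companies with each finding, the way the quoted summary is phrased."""
    n = len(assessments)
    counts = defaultdict(int)
    for a in assessments.values():
        for cat in a.exposures:
            counts[cat] += 1
        counts["any_at_risk"] += bool(a.exposures)
        counts["outbound_malicious"] += bool(a.outbound_hits)
    return {k: round(100 * v / n) for k, v in counts.items()}

# Constructed sample: four fictional companies using documentation-range IPs.
SERVICES = [("fab-a", "192.0.2.11", 3389), ("fab-a", "192.0.2.10", 443),
            ("design-b", "192.0.2.20", 445), ("design-b", "192.0.2.21", 5432),
            ("equip-c", "192.0.2.30", 389), ("idm-d", "192.0.2.40", 443)]
FLOWS = [("fab-a", "192.0.2.15", "203.0.113.10"),
         ("design-b", "192.0.2.22", "198.51.100.5"),
         ("idm-d", "192.0.2.41", "198.51.100.5")]
```

Running `assess(SERVICES, FLOWS)` gives one verdict per company, and `prevalence()` on that result yields the "share of companies with open RDP / outbound to malicious infrastructure" style of figure the report quotes.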


1 hour ago, arkscout said:

paying for very expensive teams

Sadly, expensive doesn't mean a thing. Any IT pro who earned his/her paygrade would only expose the absolute minimum amount of services (the company's website if hosted on-prem, VPN if needed, and that's about it) and lock the rest behind a VPN if external access to them is absolutely needed. Companies with exposed RDP and the like have a dangerously incompetent IT; it's a catastrophe waiting to happen.


17 minutes ago, jagdtigger said:

Sadly, expensive doesn't mean a thing. Any IT pro who earned his/her paygrade would only expose the absolute minimum amount of services (the company's website if hosted on-prem, VPN if needed, and that's about it) and lock the rest behind a VPN if external access to them is absolutely needed. Companies with exposed RDP and the like have a dangerously incompetent IT; it's a catastrophe waiting to happen.

I think what you're missing is scale. It's ridiculous to call a team "dangerously incompetent" if they discover open ports, or other vulnerable services exposing their network. That's a good thing. People make mistakes, that's why it's good to have a team that understands that and covers. IT is a hugely generalized term and it serves no good to think a Sysadmin a security expert or a security analyst a skilled system administrator. Teams... It's about collaboration at this scale. There are no simple solutions. Attackers are sometimes just as well funded and skilled, if not more, than the people building, deploying, and maintaining these products.

 

It's dangerously incompetent to think in such absolute terms. Especially about one like VPN.

 


5 minutes ago, arkscout said:

It's ridiculous to call a team "dangerously incompetent" if they discover open ports, or other vulnerable services exposing their network.

Can't decide if you are mocking me or you are serious..... 🤦‍♂️

 


17 hours ago, justpoet said:

That is a good question to ask, but the answer is sadly not cherry-picking.  There just aren't that many companies that do chip fab and design.  Intel, AMD, Apple, TSMC, Samsung, nVidia...that'll be your top 6.  Unfortunately the report itself is behind a wall, but I'd be curious if ARM and Power were listed, along with VIA for another x86 company.  It would get even more interesting with things like Broadcom.  I think the key here, though, is that they chose "the 17 most prominent players" (according to the report), which ensures this isn't just cherry-picking random companies you haven't heard of.

I'd argue that if it were really well-known companies it would have already been publicized and there would have been already the announcement of major hacks.

 

While they do use the words "the 17 most prominent players", the list they chose from seems to imply to me that they might have cast a very wide net.  I derive this from the following: "such as “fabless” chip designers, semiconductor software designers, manufacturers of equipment that fabricates semiconductors, foundries, and integrated device manufacturers (IDMs)".  The list already includes quite a bit of leeway for companies to choose from, but given they say "such as", it could mean that they chose in a broader sense.

 

Other questions would be, how did they actually test/determine potential vulnerabilities?  I bet most major corporations have one or two IP addresses registered to them that have devices that are vulnerable (but contain little that would compromise the company).  An example being a camera system that was set up by a third-party vendor without a firewall and with RDP enabled but that still needed a static IP (and the location had a spare static IP that was given to it)...it was only non-essential cameras in a public area, but had it been scanned it would show up as having the RDP port open.  Doesn't really put too much of a risk to the company (although in this case, it was fixed).

 

Unless they actually go into more detail about what was discovered, or whether they even found honeypots.


On 4/6/2021 at 8:40 PM, huilun02 said:

No hard evidence, but let's blame the Chinese rice farmers yet again for infiltrating our high-tech security.

 

Yes very good

 

The Chinese government has a capable military and has been proven to hack US companies before to steal intellectual property. So it's not blaming rice farmers; it's blaming the government, which has proven over and over it wants the secrets and IP of other states to bolster itself. It's fairly openly stated in many ways that it would rather not have foreigners at all, ever, but be the most advanced state ever and have power. It wants it all. It's making a concerted effort now to push foreign workers and such OUT of China by delaying passport/visa extensions so they get deported. Paperwork that once took maybe weeks takes months now. New hoops are added and stricter regulations. Also why they cap how much money can be sent by private citizens out of the country for any reason.


China developed nuclear weapons only shortly after Russia did.  It is the only other country atm with what is considered a second-generation stealth fighter aircraft, partially but not entirely copied from the Raptor.   A Chinese national recently invented a hydrocarbonless jet engine, which is something people in the US are trying to duplicate.  There's a reason they're one of only a few permanent members of the UN Security Council.  While it is true there are rice farmers in the Chinese interior who have never seen a real motorcycle, dismissing China as "a bunch of rice farmers" is IMHO a mistake.  Just because there are places in China that approximate the Edwardian era doesn't mean the entire country does.


3 hours ago, Bombastinator said:

China developed nuclear weapons only shortly after Russia did.  It is the only other country atm with what is considered a second-generation stealth fighter aircraft, partially but not entirely copied from the Raptor.   A Chinese national recently invented a hydrocarbonless jet engine, which is something people in the US are trying to duplicate.  There's a reason they're one of only a few permanent members of the UN Security Council.  While it is true there are rice farmers in the Chinese interior who have never seen a real motorcycle, dismissing China as "a bunch of rice farmers" is IMHO a mistake.  Just because there are places in China that approximate the Edwardian era doesn't mean the entire country does.

It's a mistake made by those who keep thinking China is some backwater country and do not realize it is a very big global player. We need to respect what China CAN do and has done, not pretend like they're still some farming community.


On 4/5/2021 at 10:14 PM, arkscout said:

 

What This Really, Probably, and With Malice, Means:

While this is pretty astonishing to most, this is actually normal across all industry. Definitely not OK, but pretty standard. RDP and other ports are definite targets, as there are many vulnerabilities linked to almost any protocol on any port. I need to look through this whole article, but my first thought here is to tell everyone to slow down and take a breath. Open ports, even an unpatched vulnerability, do NOT mean active compromise. If left open long enough, there will most definitely at least be indexing/scanning and it will be noticed, but that doesn't mean anything open is hacked. There are a lot of steps AFTER finding an open port one has to go through to even get to anything worthwhile. Most of these companies with open ports like this are paying for very expensive teams that either know full well they are open and are monitoring, don't know and will know before it's terrible, or... don't know and are about to have a really bad day. Anyway... in security there is not always fire where there is smoke.

That said, this is a great conversation and the pressure needs to be put on companies to strengthen security. It is too easy to lock ports down, employ strong vulnerability/patch management, and enforce secure coding practice... but that ease costs a lot of money they might not have, or don't want to spend on something that "generates no revenue".

So hey. Check out Shodan or GreyNoise if you are really interested. My go-to news source is the guys over at Security Affairs; they do great work.

Watch it just be a bunch of tcpwrapped "open ports".

AMD blackout rig

 

cpu: ryzen 5 3600 @4.4ghz @1.35v

gpu: rx5700xt 2200mhz

ram: vengeance lpx c15 3200mhz

mobo: gigabyte b550 auros pro 

psu: cooler master mwe 650w

case: masterbox mbx520

fans:Noctua industrial 3000rpm x6

 

 


48 minutes ago, Tellos said:

It's a mistake made by those who keep thinking China is some backwater country and do not realize it is a very big global player. We need to respect what China CAN do and has done, not pretend like they're still some farming community.

Parts of it still are.  Get rural enough and you can go pretty far back in specific technologies.  Not all of them though, and a lot of it is simply not. 


3 minutes ago, Bombastinator said:

Parts of it still are.  Get rural enough and you can go pretty far back in specific technologies.  Not all of them though, and a lot of it is simply not. 

Parts yes, but not the government and not the number of larger, heavily populated cities. Parts of the US are super rural. Again, this is saying that because parts of a state are not technological hubs, none of it is.
