Last week we released the B1-66ER Initial Access adversary chain and I wanted to go a bit more in depth about it.
First, let's go over the chain of 3 TTPs and then I have some questions with detailed answers to help fill in the gaps.
Stage SciPy for Initial Access
This takes the current version of SciPy as of last week. Then we do a build of the SciPy package (on x86-64) prior to modifying the setup.py file. Once the build is completed, we modify the setup.py to execute our agent when SciPy is installed by the user and then hide our Schism agent within the SciPy directory.
Stage Schism Agent in SciPy
This performs a file modification to the Schism agent to communicate back to Operator. An adversary would just hardcode this in.
Install SciPy and Side Load Schism
This will perform the install of SciPy that will then covertly execute the Schism agent. A couple of things to keep in mind with this specific TTP: One, the Schism agent executes early in the SciPy installation process, which, based on quite a few tests with this, means you can very likely execute Schism even if the SciPy installation fails. Two, in looking at the TTP script, you will see I redirected the installation console log to /dev/null. I primarily did this because if the installation gets stuck or takes a while, you must wait until it finishes before you can continue doing anything with your orchestration agent. SciPy does require a few dependencies to install from source, including NumPy (SciPy and NumPy go hand in hand), BLAS/LAPACK, gcc, gfortran, python3-dev, cython, pythran, and pybind11. Three, I used the flag ‘user’ during the installation process so that it doesn’t require sudo privileges.
In the next B1-66ER Adversary release, I'm looking to include a Dockerfile to make it easier to perform things like installing SciPy without the need to worry about software dependencies, to provide good output data for the Discovery chain, and to help with future chains as we release them. I basically want to provide a solution so that you can test the B1-66ER Adversary chains in your environment without needing to do the dirty work on your side. You can put this Docker container anywhere within your environment and test your detection capabilities against these attacks.
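For the detection side, the two changes this chain makes to the package (an altered setup.py and an extra file placed inside the SciPy directory) both show up when a copy obtained from somewhere else is compared against a copy from a trusted source. The following is an added example, not part of the B1-66ER TTP scripts; the directory layout, file contents, and the name extra_blob are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file path (relative to root) to (sha256 hex, has-exec-bit)."""
    root = Path(root)
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            is_exec = bool(path.stat().st_mode & 0o111)
            entries[path.relative_to(root).as_posix()] = (digest, is_exec)
    return entries


def compare_trees(trusted_root, candidate_root):
    """List files the candidate tree changed or added relative to the trusted one."""
    trusted, candidate = manifest(trusted_root), manifest(candidate_root)
    modified = sorted(f for f in candidate
                      if f in trusted and candidate[f][0] != trusted[f][0])
    added = sorted(f for f in candidate if f not in trusted)
    return {"modified": modified, "added": added,
            "added_executable": [f for f in added if candidate[f][1]]}


def build_constructed_sample(base):
    """Constructed stand-ins: a trusted upstream tree and a re-hosted copy."""
    trusted, rehosted = Path(base, "trusted"), Path(base, "rehosted")
    for root in (trusted, rehosted):
        (root / "scipy" / "linalg").mkdir(parents=True)
        (root / "setup.py").write_text("from setuptools import setup\nsetup(name='scipy')\n")
        (root / "scipy" / "linalg" / "basic.py").write_text("def solve(a, b): ...\n")
    # The two changes the post describes: setup.py altered, an extra file added.
    (rehosted / "setup.py").write_text("# constructed: altered install script\n")
    extra = rehosted / "scipy" / "linalg" / "extra_blob"  # hypothetical file name
    extra.write_bytes(b"constructed placeholder bytes")
    extra.chmod(0o755)
    return trusted, rehosted


def demo():
    """Run the comparison on the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(*build_constructed_sample(base))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Because the staged package is built before setup.py is modified, a real comparison should use a trusted tree built the same way; otherwise legitimate build outputs will also appear under "added".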
What is SciPy and why choose SciPy specifically for this attack?
SciPy is a Python package that provides a collection of mathematical algorithms and functions that extend the NumPy package. It also makes it easier to visualize data. (You can find out more about SciPy here: https://docs.scipy.org/doc/scipy/reference/tutorial/general.html)
SciPy is a great package to use in this attack because it's widely used within ML/DL environments and because it is a large package: not only does it take a long time to build and install on lower-tier hardware, its size also makes it easier to hide new or modified data.
What is the attack scenario in this case?
In a real scenario, I was performing some DevSecOps work helping a project that needed an environment for inference training. The hardware being used for inference was an Nvidia Jetson, which has a great GPU for its size but a terribly slow ARM CPU in comparison. Many libraries used within ML/DL are a pain overall to install, and Nvidia helps with the process by providing Jetson-based Docker containers. These containers - at least when I was doing this project - did not provide SciPy for the Jetson. This had me stuck with a 2+ hour install and drove me to the interwebs to figure out if this was normal and whether I could do it quicker. To my enjoyment, not only was this an issue for other people, but the way people were getting around it was directing them either to a pre-built package or to a modified Docker container with it already installed.
This attack preys on the unknowing user who just wants to save time. This is in an environment where the user will likely have to wait hours already to get meaningful data back, so saving time in other places becomes valuable.
So how does this fit into the B1-66ER Adversary?
At the time of this writing, we have released both B1-66ER Discovery and Initial Access. When performing this adversary chain, you should start with the Initial Access chain and then immediately start the Discovery chain. Tying the initial access agent to the SciPy package, in this example, means you will likely be on a machine that is performing, at a minimum, scientific mathematics, and that is possibly hosting our target ML/DL environments. Running the Discovery chain then tells the attacker whether this machine is in fact a target and whether it's worth either pivoting or elevating to a more capable/exclusive agent. These two chains provide the building blocks of the fundamental B1-66ER attack. SciPy is only the initial vessel for getting started; the main goal with B1-66ER is demonstrating an Adversarial AI attack.