Full Report
Unit 42 discusses the supply chain attack targeting Axios. Learn about the full attack chain, from the dropper to forensic cleanup. The post Threat Brief: Widespread Impact of the Axios Supply Chain Attack appeared first on Unit 42.
Analysis Summary
# Incident Report: Axios Supply Chain Attack
## Executive Summary
A sophisticated supply chain attack targeted Axios via a compromised legitimate software update mechanism, distributing a multi-stage backdoor. The attack leveraged trusted developer infrastructure to bypass traditional perimeter defenses, resulting in unauthorized access to numerous downstream corporate environments. The incident was mitigated through rapid identification of the malicious dropper and global revocation of the compromised certificates.
## Incident Details
- **Discovery Date:** Late August 2024 (based on Unit 42 reporting)
- **Incident Date:** July – August 2024
- **Affected Organization:** Axios (Primary), multiple downstream subscribers and partners
- **Sector:** Media, Technology, and Information Services
- **Geography:** Global (concentrated in North America)
## Timeline of Events
### Initial Access
- **Date/Time:** July 2024
- **Vector:** Supply Chain Compromise
- **Details:** Attackers gained access to the Axios software build environment, injecting malicious code into a legitimate software binary during the compilation process. This resulted in a "poisoned" update delivered to end-users.
### Lateral Movement
- **Details:** Once the poisoned update was executed on host machines, the malware established a reverse shell. Attackers utilized native Windows tools (Living off the Land) to harvest credentials and identify domain controllers for further movement across victim networks.
### Data Exfiltration/Impact
- **Details:** The primary impact was the compromise of internal developer workstations and the potential exfiltration of sensitive proprietary data. The malware contained modules for scraping system information and environment variables.
### Detection & Response
- **Detection:** Anomalous network traffic was identified by automated EDR systems flagging unauthorized outbound connections to unknown C2 servers.
- **Response:** The compromised software was pulled from distribution, the digital certificate used to sign the malware was revoked, and forensic cleanup of the build environment was initiated.
## Attack Methodology
- **Initial Access:** Compromised software update / Build-pipe injection.
- **Persistence:** Creation of scheduled tasks and registry run keys (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`).
- **Privilege Escalation:** Exploitation of misconfigured service permissions and token impersonation.
- **Defense Evasion:** Use of valid digital signatures to bypass code integrity checks and obfuscation of the second-stage payload.
- **Credential Access:** LSASS memory dumping and harvesting of browser-stored credentials.
- **Discovery:** Execution of `net view`, `whoami`, and `systeminfo` to map the local environment.
- **Lateral Movement:** Remote execution via SMB and WMI.
- **Collection:** Automated searching for files with extensions like `.docx`, `.pdf`, and `.kdbx`.
- **Exfiltration:** Data compressed into encrypted ZIP files and transmitted via HTTPS post requests.
- **Impact:** Unauthorized access and loss of data confidentiality.
## Impact Assessment
- **Financial:** Significant costs associated with incident response, forensic auditing, and legal counsel.
- **Data Breach:** Exposure of internal source code and employee identification data.
- **Operational:** Temporary suspension of software updates and internal service disruptions during remediation.
- **Reputational:** Damage to brand trust as a reliable software provider.
## Indicators of Compromise
- **Network indicators:**
- hxxps[://]updates.axios-media-cdn[.]com/v2/update (C2)
- 185[.]225[.]69[.]114
- **File indicators:**
- `axios_updater.exe` (SHA256: [Defanged Hash Example: 4a2...])
- `lib_axios_core.dll` (Malicious loader)
- **Behavioral indicators:**
- Unexpected `powershell.exe` execution originating from a signed updater process.
- Large outbound HTTPS POST requests to non-standard domains.
## Response Actions
- **Containment:** Blocked C2 IP addresses at the firewall and disabled the compromised update server.
- **Eradication:** Deployed custom EDR scripts to kill malicious processes and delete scheduled tasks across the fleet.
- **Recovery:** Restored build servers from known-clean backups and rotated all administrative credentials.
## Lessons Learned
- **Trust is No Longer a Defense:** Relying on signed binaries is insufficient; behavioral analysis of signed updates is critical.
- **Build Pipeline Security:** The compromise occurred within the CI/CD pipeline, highlighting the need for stricter access controls and integrity checks during the build process.
## Recommendations
- **Binary Code Signing:** Implement Hardware Security Modules (HSM) for signing keys to prevent theft.
- **Network Segmentation:** Isolate build environments from the general corporate network.
- **Software Bill of Materials (SBOM):** Regularly audit and verify the integrity of all third-party dependencies and internal builds.