Introduction

Attackers are well known to install malicious software, or malware, onto compromised systems during a cyberattack. But what many may not know is that this is not the first opportunity attackers may have to sneak malware onto a machine. The supply chain that provides systems for organizations is also at risk of attack. 

This article will detail the supply chain compromise attack technique enumerated in the MITRE ATT&CK matrix. We will explore the MITRE ATT&CK matrix, the supply chain compromise attack technique, the danger of this attack technique and some real-world examples of supply chain compromise, as well as how to mitigate and detect it. 


What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base, including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use. 

More information on the MITRE ATT&CK matrix can be found here.

What is supply chain compromise?

Supply chain compromise refers to the manipulation of products or delivery mechanisms for the purpose of information or system compromise before the final consumer receives said products. This compromise can negatively impact any hardware or software component and even update channels. Widely-used open-source products used by many applications are included in the supply chain, making them popular targets for attackers.

This attack technique may be focused on a few specific victims or distributed to a wide array of targets. Moreover, victims may range from individuals to small or large enterprises.

Supply chain stages

The supply chain used by many organizations is a multi-stage process that begins at time of product development and ends when it lands in the hands of the end consumer. Below is a list of just some of the ways these stages may be compromised:

  • Development tool manipulation
  • Development environment manipulation
  • Both public and private source code repository manipulation
  • Open-source dependency source code manipulation
  • Software update and distribution mechanisms manipulation
  • Infected or compromised system images, including cases of in-factory infected removable media
  • Swapping legitimate software with modified (or infected) versions of the software
  • Leveraging download servers used to distribute legitimate software to distribute modified software instead
  • Sales of modified software or other products to legitimate distributors
  • Interception of product shipments

The danger of supply chain compromise

You may be thinking that any kind of product may fall victim to supply chain compromise, not just system and software. So what’s the big deal? 

The trouble with this attack technique is that, much like abuse of system features, this technique takes advantage of an inherent characteristic present in every system and software supply chain — trust. This trust relationship is essential for supply chains. Often, the end customer blindly trusts that the supply chain is free of compromise. This is a vulnerability and attackers know it. 

Real-world examples of supply chain compromise

There are many examples of the supply chain compromise attack technique. Below are some notable examples.

NotPetya

This malware was introduced in Ukraine as a backdoor for tax accounting software M.E.Doc in 2017. In this cyberattack, cybercriminals infected software that a trusted software vendor used in high-priority environments. This provides a good example of how abuse of trusted relationships is at the heart of supply chain compromise.

CCBackdoor

In 2017, cybercriminals targeted the popular freeware tool CCleaner to distribute their malware through its installation file. They accomplished this by infecting the tool’s build server (Piriform) with CCBackdoor, along with information stealers and malware downloaders. This malware was added to the signed version 5.33 of the tool and widely distributed on CCleaner’s distribution site. The end result was 2.27 million downloads of the infected installation file.

Double Dragon

This dual cybercrime and espionage operation was carried out by APT41, a China-based threat group. As part of its Double Dragon campaign, APT41 gained a foothold into production environments and injected malicious code into signed versions of legitimate, widely distributed software. 

Mitigation

There are two ways that you can mitigate supply chain compromise. 

Vulnerability scanning

Organizations should monitor all vulnerability sources continuously. Both manual and automatic code review tools should be incorporated into the review process. 

Update, update, update!

Patch management should be used to check for:

  • Unused dependencies
  • Unmaintained dependencies
  • Previously vulnerable dependencies
  • Unnecessary features
  • Unnecessary components
  • Unnecessary files
  • Unnecessary documentation

Detection

There are several actions that will help with detection:

  • Verify distributed binaries with integrity checking mechanisms
  • Test software and updates before deployment for suspicious activity
  • Downloads should be scanned for malicious signatures
  • Perform physical inspections of all software and hardware for tampering

Conclusion

Supply chain compromise is an initial access attack technique listed in the MITRE ATT&CK matrix. Attackers take advantage of the trust that exists within supply chains to insert their malware somewhere in the levels of the supply chain. This point of infection can occur at any level of the supply chain, including trusted vendors that supply high-priority industries with hardware and software products. 

 

Sources

  1. Supply Chain Compromise, MITRE
  2. The MeDoc Connection, Talos Blog
  3. New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities, Avast Blog
  4. Double Dragon: APT41, a dual espionage and cyber crime operation, FireEye