T1195.002 Compromise Software Supply Chain
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.[1][2]
Item | Value |
---|---|
ID | T1195.002 |
Sub-techniques | T1195.001, T1195.002, T1195.003 |
Tactics | TA0001 |
Platforms | Linux, Windows, macOS |
Version | 1.1 |
Created | 11 March 2020 |
Last Modified | 28 April 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0096 | APT41 | APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[16] |
S0222 | CCBkdr | CCBkdr was added to a legitimate, signed version 5.33 of the CCleaner software and distributed on CCleaner's distribution site.[4][5][1] |
G0080 | Cobalt Group | Cobalt Group has compromised legitimate web browser updates to deliver a backdoor.[15] |
G0035 | Dragonfly | Dragonfly has placed trojanized installers for control system software on legitimate vendor app stores.[17][18] |
G0115 | GOLD SOUTHFIELD | GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.[12][13][14] |
S0493 | GoldenSpy | GoldenSpy has been packaged with a legitimate tax preparation software.[6] |
G0034 | Sandworm Team | Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.[10][9][11] |
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software.[22][19][21][20] |
S0562 | SUNSPOT | SUNSPOT malware was designed and used to insert SUNBURST into software builds of the SolarWinds Orion IT management product.[7] |
G0027 | Threat Group-3390 | Threat Group-3390 has compromised the Able Desktop installer to gain access to victims' environments.[8] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1051 | Update Software | A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation. |
M1016 | Vulnerability Scanning | Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented.[3] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Metadata |
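As an added illustration (not part of the ATT&CK entry) of the File Metadata detection above, the following Python compares a release artefact's size and SHA-256 against a manifest pinned from a known-good build, which covers the "replaced compiled release" and "manipulated update" cases described in the technique text. The file names, installer bytes and manifest are constructed here; a real manifest would come from the vendor over a channel separate from the download site.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream-hash the file so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(path: str, version: str) -> dict:
    """Pin metadata of a known-good build; in practice the vendor publishes this
    over a channel separate from the download site itself (assumption for this example)."""
    return {"version": version, "size": os.path.getsize(path), "sha256": sha256_of_file(path)}

def verify_release(path: str, manifest: dict) -> list:
    """Compare an artefact's file metadata with the pinned manifest.
    Returns findings; an empty list means the artefact matches."""
    findings = []
    size = os.path.getsize(path)
    if size != manifest["size"]:
        findings.append(f"size mismatch: expected {manifest['size']}, got {size}")
    digest = sha256_of_file(path)
    if digest != manifest["sha256"]:
        findings.append(f"sha256 mismatch: expected {manifest['sha256']}, got {digest}")
    return findings

def demo() -> dict:
    """Constructed samples: the vendor's build, a copy with bytes appended, and a copy
    altered in place (same size), as when a release is swapped on a mirror."""
    body = b"MZ\x90\x00 constructed installer body v5.33 " + b"\x00" * 40
    samples = {"vendor": body, "appended": body + b" appended bytes", "same_size": body[:-8] + b"modified"}
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        paths = {}
        for name, data in samples.items():
            paths[name] = os.path.join(workdir, f"setup-5.33-{name}.exe")
            with open(paths[name], "wb") as f:
                f.write(data)
        manifest = build_manifest(paths["vendor"], "5.33")  # pinned from the known-good file
        for name, path in paths.items():
            results[name] = verify_release(path, manifest)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "matches manifest" if not findings else "; ".join(findings))
```

The same-size sample shows why a size or version check alone is not enough: only the hash comparison flags an in-place modification.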
References
1. Avast Threat Intelligence Team. (2018, March 8). New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities. Retrieved March 15, 2018.
2. Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved April 6, 2018.
3. OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.
4. Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.
5. Rosenberg, J. (2017, September 20). Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner. Retrieved February 13, 2018.
6. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
7. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
8. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
9. Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
10. Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020.
11. Brady, S. W. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
12. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
13. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
14. Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.
15. CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
16. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
17. Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
18. Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade's Activity Targeting Critical Infrastructure. Retrieved December 6, 2021.
19. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
20. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
21. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
22. Ramakrishna, S. (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.