Supply chain compromise can take place at any stage of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tool distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third-party or vendor websites.
Supply chain compromise can affect both enterprise and industrial control systems (ICS) environments. In enterprise environments, adversaries may use supply chain compromise to gain initial access to a target network and then move on to additional tactics on specific victims. In ICS environments, adversaries may use supply chain compromise to gain control systems environment access by means of infected products, software, and workflows.
Some examples of supply chain compromise attacks are:
The SolarWinds attack, in which a sophisticated adversary compromised the software update mechanism of SolarWinds Orion, a widely used network management software, and delivered a backdoor to thousands of customers.
The CCleaner attack, in which an adversary inserted malicious code into the installer of CCleaner, a popular system optimization tool, and distributed it to millions of users via the official website.
The Dragonfly campaign, in which an adversary trojanized legitimate ICS equipment providers' software packages available for download on their websites and infected the systems of energy sector organizations.
To mitigate the risk of supply chain compromise, organizations should implement security best practices such as:
Verifying the integrity and authenticity of downloaded software and updates through hash checking or other mechanisms.
Scanning downloads for malicious signatures and testing software and updates prior to deployment.
Performing audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Performing physical inspection of hardware to look for potential tampering.
Using reputable sources for software and hardware procurement.
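The hash-checking mitigation above, worked through as an added example (not part of the original text): a release manifest in sha256sum format is parsed, and each downloaded artifact is compared against its pinned digest before deployment. The installer bytes and the manifest are constructed here; in practice the manifest must come from a channel separate from the download site, since a hash published beside a trojanized installer on a compromised website would simply match the trojanized file.

```python
import hashlib
import hmac
from typing import Dict

HEX = set("0123456789abcdef")


def parse_sha256_manifest(manifest_text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<64 hex>  <name>' or '<64 hex> *<name>')."""
    expected: Dict[str, str] = {}
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # strip text-mode spaces / binary-mode '*'
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest
    return expected


def verify_download(name: str, data: bytes, expected: Dict[str, str]) -> bool:
    """True only if the artifact has a pinned digest and the bytes match it."""
    if name not in expected:
        return False  # unpinned artifact: treat as unverified, not as OK
    actual = hashlib.sha256(data).hexdigest()
    # constant-time compare; avoids leaking how many leading chars matched
    return hmac.compare_digest(actual, expected[name])


# Constructed sample data: a "legitimate" installer and a tampered copy with
# bytes appended, standing in for a trojanized build served from a vendor site.
GOOD_INSTALLER = b"MZ\x90\x00constructed-legit-installer-v1.0"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"<constructed appended payload>"

# Stand-in for the vendor's published manifest, obtained out of band.
MANIFEST = (
    "# release 1.0 sha256 (constructed)\n"
    f"{hashlib.sha256(GOOD_INSTALLER).hexdigest()}  setup.exe\n"
)
EXPECTED = parse_sha256_manifest(MANIFEST)

if __name__ == "__main__":
    for label, blob in (("clean", GOOD_INSTALLER), ("tampered", TAMPERED_INSTALLER)):
        status = "OK" if verify_download("setup.exe", blob, EXPECTED) else "MISMATCH"
        print(f"setup.exe ({label}): {status}")
```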
References:
[Infosec]
[MITRE ATT&CK - Enterprise]
[MITRE ATT&CK - ICS]
[Medium]
[Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
[Avast](https://blog.avast.com/new-investigations-into-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities)
[Symantec](https://www.symantec.com/blogs/threat-intelligence/dragonfly-western-energy-sector-targeted)