While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Attackers are well known to install malicious software, or malware, onto compromised systems during a cyberattack. But what many may not know is that this is not the first opportunity attackers may have to sneak malware onto a machine. The supply chain that provides systems for organizations is also at risk of attack.
This article will detail the supply chain compromise attack technique enumerated in the MITRE ATT&CK matrix. We will explore the MITRE ATT&CK matrix, the supply chain compromise attack technique, the danger of this attack technique and some real-world examples of supply chain compromise, as well as how to mitigate and detect it.
Supply chain compromise refers to the manipulation of products or delivery mechanisms for the purpose of information or system compromise before the final consumer receives said products. This compromise can negatively impact any hardware or software component and even update channels. Widely used open-source products used by many applications are included in the supply chain, making them popular targets for attackers.
The supply chain used by many organizations is a multi-stage process that begins at the time of product development and ends when the product lands in the hands of the end consumer. Below is a list of just some of the ways these stages may be compromised:
This malware was introduced in Ukraine as a backdoor for tax accounting software M.E.Doc in 2017. In this cyberattack, cybercriminals infected software that a trusted software vendor used in high-priority environments. This provides a good example of how abuse of trusted relationships is at the heart of supply chain compromise.
Supply chain compromise is an initial access attack technique listed in the MITRE ATT&CK matrix. Attackers take advantage of the trust that exists within supply chains to insert their malware somewhere in the levels of the supply chain. This point of infection can occur at any level of the supply chain, including trusted vendors that supply high-priority industries with hardware and software products.
Hiroki Suezawa, senior security engineer at GitLab, stated that the framework gives the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions to help security teams build their security strategy with confidence.
Software supply chain security is high on the agenda for businesses and the security industry as software supply chain-related compromises and risks continue to impact organizations across the globe. In September last year, the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) published Securing the Software Supply Chain: Recommended Practices Guide for Developers. The publication emphasizes the role developers play in creating secure software and provides guidance in line with industry best practices and principles which software developers are strongly encouraged to reference.
Modern software is constantly in flux, so the attack surface for supply chains keeps increasing as well. As demonstrated by Google, vulnerabilities can be found at multiple points of the development process, and they relate to multiple MITRE ATT&CK tactics, including Initial Access and its corresponding technique, Supply Chain Compromise (T1195).
Entry points for initial access attacks over supply chains may include compromised websites, digital certification authorities, open-source libraries, misconfigured public cloud storage buckets, and more. A quick reference from the National Counterintelligence and Security Center (NCSC) might be useful.
Both commercial and open source software vendors need to be vigilant and need to be held accountable for the protection of their Systems and Software Development Life Cycle to ensure cascading supply chain attacks do not have a downstream effect on their customer base. For enterprises, Least Privilege reigns and needs to be the rule, not the exception. MITRE ATT&CK, while valuable for establishing an overall taxonomy for describing attacker techniques, is unwieldy for most enterprises that want to summarize the front-to-back activities of an attack.
Bottom line: If you trust a software vendor implicitly, a compromise of that vendor can and will result in your own company being compromised. Implicit trust of this kind leads to cascading supply chain compromise. Below are the specific techniques identified in the framework that can be attributed to known activities by the malicious actor behind the attack.
No matter how mature an organization, defending against a supply chain compromise of this sophisticated nature is almost impossible. Even with processes for static code analysis, a software bill of materials, and testing/QA environments, a signed piece of code from a trusted vendor will almost always slip through the cracks.
Are you applying the MITRE ATT&CK for ICS Matrix like you should be? Using the supply chain compromise scenario that we outlined in our recent blog post, we explain how ICS asset owners can leverage diverse data collection methods to create a threat-informed defense using the MITRE ATT&CK for ICS Matrix.
As we break down the rest of the MITRE ATT&CK tactics from this supply chain compromise and how to detect them, we also give you helpful tips on optimizing your use of the MITRE ATT&CK for ICS Matrix. In this video, we cover:
Throughout the past three years, a large number of open source software package repositories have been found to contain malware of various types. Major repositories include the Arch Linux User Repository (AUR), Node.js NPM registry, the Ubuntu Snap Store, RubyGems, and the Python package repository PyPI. It is clear that all of the installation and update pathways for software and library code used in an organization must have security controls applied to them to prevent and mitigate supply chain attacks. What follows is an overview of the policies and procedures to prevent, control, and mitigate a supply chain attack according to the NIST Cybersecurity Framework. Included are specific case studies and concrete examples of how to use the ReversingLabs A1000 within these processes.
The next two core functions in the NIST framework are protect and detect. These are for developing safeguards to ensure the safety of the software supply chain and to detect malicious code that may compromise the organization. The most important aspect of the protect core function with regard to the supply chain is to log all maintenance, specifically software upgrades. In addition to the upgrade logs, the results of software testing, such as that done using the ReversingLabs A1000, should be documented for later analysis or forensics.
In any security program, it is essential to have processes that are repeatable and automated. Continuous monitoring is outlined in the detect core function of the NIST framework. The specific control of malicious code protection in turn describes periodic scans. In the case of software supply chain analysis, this process can be an automated component of change management. This can include programmatic comparison of the API output from the A1000 in the specific fields checked in the examples above: capabilities and indicators. Any change in the number or type of entries in these fields should trigger an alert and kick off human intervention and deeper analysis.