Description
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)
Mitigations (2)
Update Software (M1051)
A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation.
Vulnerability Scanning (M1016)
Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented.(Citation: OWASP Top 10)
Threat Groups (9)
| ID | Group | Context |
|---|---|---|
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) gained access to production environments where they could inject malicious code into legitimate, signed... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has compromised legitimate web browser updates to deliver a backdoor. (Citation: Crowdstrike GTR... |
| G0115 | GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has distributed ransomware by backdooring software installers via a strategic web compromise ... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has distributed [NotPetya](https://attack.mitre.org/software/S0368) by compromising the legitim... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has placed trojanized installers for control system software on legitimate vendor app stores.(Citat... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has compromised the Able Desktop installer to gain access to victim's environments.(Citatio... |
| G1034 | Daggerfly | [Daggerfly](https://attack.mitre.org/groups/G1034) is associated with several supply chain compromises using malicious updates to compromise victims.(... |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) has distributed a trojanized version of PuTTY software for initial access to victims.(Citatio... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has gained initial access by compromising a victim's software supply chain.(Citation: Mandiant FIN7 Apr ... |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0493 | GoldenSpy | Malware | [GoldenSpy](https://attack.mitre.org/software/S0493) has been packaged with a legitimate tax preparation software.(Citation: Trustwave GoldenSpy June ... |
| S0562 | SUNSPOT | Malware | [SUNSPOT](https://attack.mitre.org/software/S0562) malware was designed and used to insert [SUNBURST](https://attack.mitre.org/software/S0559) into so... |
| S0222 | CCBkdr | Malware | [CCBkdr](https://attack.mitre.org/software/S0222) was added to a legitimate, signed version 5.33 of the CCleaner software and distributed on CCleaner'... |
References
- Avast Threat Intelligence Team. (2018, March 8). New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities. Retrieved March 15, 2018.
- Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved November 17, 2024.
Frequently Asked Questions
What is T1195.002 (Compromise Software Supply Chain)?
T1195.002 is a MITRE ATT&CK technique named 'Compromise Software Supply Chain'. It belongs to the Initial Access tactic(s). Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of way...
How can T1195.002 be detected?
Detection of T1195.002 (Compromise Software Supply Chain) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1195.002?
There are 2 documented mitigations for T1195.002. Key mitigations include: Update Software, Vulnerability Scanning.
Which threat groups use T1195.002?
Known threat groups using T1195.002 include: APT41, Cobalt Group, GOLD SOUTHFIELD, Sandworm Team, Dragonfly, Threat Group-3390, Daggerfly, Moonstone Sleet.