Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-txt | Intel Trusted Execution Technology | Win 11, System Guard Secure Launch | T1195.002 | Compromise Software Supply Chain |
Comments
System Guard Secure Launch uses a technology called Dynamic Root of Trust Measurement (DRTM). It leverages Intel PTT (TPM) and TXT to provide secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. System Guard Secure Launch ensures that the system can freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early code to boot the system but then being able to securely transition into a trusted and measured state. The ability to transition in real-time to a secure state justified the score of significant for this feature and its corresponding protection (E.g., bootkit, rootkit, firmware corruption, etc.).
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2021-44529 | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability | primary_impact | T1195.002 | Compromise Software Supply Chain |
Comments
This vulnerability is exploited after an adversary sends a maliciously crafted cookie to the client endpoint (/client/index.php) to exploit Ivanti systems that utilized a malicious version of the "csrf-magic", which creates a backdoor into an Ivanti system. An unauthorized user can then execute malicious code stored in the cookie via Ivanti's "nobody" user account.
References
|
CVE-2024-4978 | Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability | exploitation_technique | T1195.002 | Compromise Software Supply Chain |
Comments
CVE-2024-4978 is a vulnerability where compromised software is signed and hosted on the legitimate software distribution website. Adversaries have been observed to use this backdoored software to install additional tools on target machines. The adversary-installed software establishing persistent communications with a command-and-control (C2) server using Windows sockets and WinHTTP requests. Once successfully connected, it transmits data about the compromised host, including hostname, operating system details, processor architecture, program working directory and the user name to the C2.
References
|