CAPEC-446 Detail
Malicious Logic Insertion into Product via Inclusion of Third-Party Component
Abstraction: Detailed | Domains: Supply Chain, Software, Hardware | Likelihood of Attack: Medium | Typical Severity: High
Parents: 444
Threats: T62 T68 T274 T393
An adversary conducts supply chain attacks by including insecure third-party components in a technology, product, or code base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.
The result is a window of opportunity for exploiting the product until the insecure component is discovered. This supply chain threat can result in the installation of malicious software or hardware that introduces widespread security vulnerabilities within an organization. Additionally, because software often depends upon a large number of interdependent libraries and components being present, security holes can be introduced merely by installing Commercial Off-The-Shelf (COTS) or Open Source Software (OSS) products that come pre-packaged with the components required for them to operate. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-446 | capec | https://capec.mitre.org/data/definitions/446.html | |
| T1195 | ATTACK | https://attack.mitre.org/wiki/Technique/T1195 | Supply Chain Compromise |
| REF-379 | reference_from_CAPEC | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf | Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021-10-28, National Institute of Standards and Technology (NIST) |
| REF-707 | reference_from_CAPEC | https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/?sh=991ab8c38776 | Thomas Brewster, How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It, 2015-02-19, Forbes |
| REF-708 | reference_from_CAPEC | https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/ | Dan Goodin, Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections, 2015-02-19, Ars Technica |
| REF-709 | reference_from_CAPEC | https://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOX5Ky57RqE | Rob Graham, Extracting the SuperFish certificate, 2015-02-19, Errata Security |
| REF-713 | reference_from_CAPEC | https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies | Jordan Robertson, Michael Riley, The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies, 2018-10-04, Bloomberg |
- Access to the product during initial or continuous development. This access is often obtained via insider access, enabling the third-party component to be included after deployment.
| Scope | Impact |
|---|---|
| Authorization | Execute Unauthorized Commands |
- From mid-2014 to early 2015, Lenovo computers were shipped with the Superfish Visual Search software, which ultimately functioned as adware on the system. The Visual Search installation included a self-signed root HTTPS certificate that was able to intercept encrypted traffic for any site visited by the user. Of more concern was the fact that the certificate's corresponding private key was the same on every Lenovo machine. Once the private key was discovered [REF-709], an adversary could conduct an Adversary-in-the-Middle (AitM) attack that would go undetected by machines that had this certificate installed. Adversaries could then masquerade as legitimate entities such as financial institutions, popular corporations, or other secure destinations on the Internet. [REF-708]
- In 2018 it was discovered that Chinese spies had infiltrated several U.S. government agencies and corporations as far back as 2015 by including a malicious microchip on the motherboards of servers sold by Elemental Technologies to the victims. Although these servers were assembled by a U.S.-based company, the motherboards used within the servers were manufactured and maliciously altered by a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network containing the exploited systems and exfiltrate data to the Chinese government. [REF-713]