The procurement challenge breaks open the black box that is commercial software

Oct. 22, 2024
Threats to software supply chains are eroding the existing enterprise software procurement model, so it’s time for a change.

For a period of weeks during the middle of 2023, a threat actor known as “Storm-0558,” which is widely associated with the government of the People’s Republic of China, successfully compromised the Microsoft Exchange Online mailboxes of more than 500 individuals working for 22 organizations around the world, including the U.S. federal government, as well as organizations in Western Europe, the Asia-Pacific (APAC) region, Latin America, and the Middle East.

The purpose of the campaign? Espionage. Targeted federal government email inboxes included those of leading U.S. national security players. The U.S. Department of State detected the breach in mid-June after the agency noticed suspicious activity associated with several employees’ Outlook Web Access accounts. The incident was reported immediately to Microsoft, which assumed it resulted from a compromise of a State Department system.

However, further investigation revealed that the threat actors accessed the State Department email accounts directly via Microsoft's Outlook Web Access portal. In other words, the breach was, in fact, of a Microsoft system, not a U.S. government platform, according to a report on the incident (PDF) published by the U.S. government’s Cyber Safety Review Board (CSRB) in April.

What was China’s secret weapon in getting access to some of the most sensitive email accounts in the federal government? A compromised, seven-year-old Microsoft Services Account (MSA) cryptographic key. The attackers used the stolen key, which was supposed to have been retired in 2021, to sign access tokens to authenticate Storm-0558 actors as valid Outlook users. 
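The mechanism described above, a signing key that should have been retired but still authenticates tokens, is the failure a token verifier must be built to catch. The following is an added example, not code from the article or from Microsoft: a minimal HS256 token verifier whose key registry carries a retirement date per key ID (`kid`), so that a token with a perfectly valid signature is still rejected if the key that produced it is past its retirement date. The registry, key names, secrets and dates are all constructed for illustration; the `issue_token` helper exists only to build test tokens for the verifier.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

def utc(year, month, day):
    """Small helper so callers can build timezone-aware UTC instants."""
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed key registry (assumption, not Microsoft's): each signing key carries
# a retirement date. A retired key must never validate a token, however good
# the signature looks.
KEYS = {
    "key-2016": {"secret": b"constructed-secret-2016", "retired_at": utc(2021, 1, 1)},
    "key-2023": {"secret": b"constructed-secret-2023", "retired_at": None},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(kid: str, claims: dict) -> str:
    """Builds a JWT-style token (header.payload.signature). Used here only to
    produce inputs for verify_token; not part of any real issuer."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now: datetime):
    """Returns (ok, reason). Checks, in order: structure, known kid, signature,
    key retirement, and claim expiry. The retirement check is the point: a
    valid signature from a retired key is still a rejection."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key["secret"], (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if key["retired_at"] is not None and now >= key["retired_at"]:
        return False, "signed with retired key"
    if claims.get("exp", 0) <= now.timestamp():
        return False, "expired"
    return True, "ok"

if __name__ == "__main__":
    now = utc(2023, 6, 15)
    claims = {"sub": "user@example.test", "exp": now.timestamp() + 3600}
    print(verify_token(issue_token("key-2023", claims), now))  # accepted
    print(verify_token(issue_token("key-2016", claims), now))  # retired key, rejected
```

The ordering matters for detection as well as for correctness: logging the distinct "signed with retired key" reason, rather than folding it into a generic failure, is what turns a stale key being exercised into an alertable event.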

Despite the CSRB report, many details of the Microsoft breach by Storm-0558 remain a mystery, including how the threat actors originally obtained the MSA signing key. What is clear, however, is the growing risk that vulnerable software supply chains pose to both public and private entities and the growing stakes attached to securing the software and services that form the foundation of modern organizations. 

Software Supply Chain Risks on the Rise

More than ever, these growing risks mean that security teams will need to start going beyond the mitigation of software vulnerabilities or the hunting down of flaws in open-source software. Both have dominated discussions of software supply chain security (SSCS). As the Microsoft Exchange Online breach reminds us, however, business leaders must also focus both resources and attention on prying open the black box that is commercial software. I would argue that commercial software is the largest and most under-addressed attack surface in enterprises today. 

Consider, for example, the recent report by BlueVoyant, which found that 93% of companies have suffered a cybersecurity breach because of weaknesses in their supply chain/third-party vendors. These weaknesses result from pressing software supply chain security threats, such as malware insertion, code tampering, secrets exposure, and “software rot,” the gradual deterioration of security as software ages. Continuing to focus all our energies on identifying and patching vulnerabilities and open-source security risks will not protect enterprises from weaknesses like these, leaving them defenseless against costly, detrimental cybersecurity incidents like the breach of Microsoft and its customers.

At a time when regulators in both the U.S. and E.U. are challenging modern CISOs to be held accountable for their enterprise’s security, security leaders must ask themselves: “How do I know that the commercial software our company relies on is secure?” As a CISO, the standard of due care is no longer “Did you know?” but rather “Should you have known?”

Sidestepping Detection Through Software Supply Chain Compromises

The breach at Microsoft’s Exchange Online, as well as compromises of widely used applications like SolarWinds' Orion and 3CX’s desktop application, highlight how sophisticated threat actors are discarding common avenues of attack, such as account takeovers or the exploitation of known software vulnerabilities in public-facing assets. By doing so, they can sidestep detection tools and achieve their objectives.

In each of these incidents, critical software supply chain components like signing keys, code repositories and build servers were compromised and manipulated to further the attackers’ goals. Software producers lack the tools to monitor and detect suspicious activity and tampering in their software. In addition, the vendors’ customers lack similar tools to vet software security and updates.

Supply Chain Carrots-and-Sticks 

These attacks on commercial software are just the beginning. Threat actors have yet to scratch the surface of all they can exploit in the commercial software procurement process. 

Fortunately, the federal government has been instituting policies that put the onus of software supply chain security (SSCS) on software producers. The 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028) and the Cybersecurity and Infrastructure Security Agency’s Secure by Design Pledge stress comprehensive SSCS principles. The Food and Drug Administration (FDA) has also taken SSCS seriously via its mandate for medical device manufacturers to produce software bills of materials (SBOMs) for each of their products.

And, increasingly, industry experts are calling for security leaders to amp up their SSCS programs and make supply chain security assessments part of the commercial software procurement process. For instance, in a new report from Gartner, “Leader’s Guide to Software Supply Chain Security,” the firm called out that existing SSCS efforts among enterprises “are often uncoordinated.” It stressed that security leaders should pay attention to software supply chain attacks, including proprietary and commercial code, which pose significant security, regulatory, and operational risks to organizations.

While the push for CISOs and other security leaders to take responsibility for safe commercial software consumption seems daunting, there has never been a better time for these leaders to advocate for the severity of such threats to their enterprises, especially when the estimated cost of software supply chain attacks “runs to tens of billions of dollars and is expected to grow 200% to $138 billion by 2031,” as Gartner said in its latest SSCS report.

Wanted: New Tools to Stop Software Supply Chain Attacks

Enterprises already investing in tools and technologies to secure the commercial software procurement process may still lack SSCS. Traditional supply chain risk assessment tools, such as vendor self-attestation questionnaires, SBOMs, and penetration testing, cannot comprehensively assess supply chain threats. 

At the same time, traditional application security testing technologies like static and dynamic application security testing (SAST and DAST) and software composition analysis (SCA) are valuable for identifying software vulnerabilities or other issues (such as licensing) with open-source software but lack the ability to pierce the black box of commercial applications and identify threats in commercial software binaries. 

What is needed is the ability to peer inside commercial binaries to pinpoint the presence of malware, evidence of tampering, or threats such as leaked development secrets, signing keys, and license issues lurking in the commercial software your teams rely on. This comprehensive technology will be essential for organizations looking to secure their commercial software procurement processes and to prevent devastating incidents like those at Microsoft, SolarWinds, 3CX, CircleCI, Kaseya, Ivanti and so many others, which could have been prevented.
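To make the "peer inside the binary" idea concrete, here is an added example, not code from the article or from any ReversingLabs product, of the two simplest checks a procurement team can run on a delivered binary before trusting it: an integrity comparison against the hash the vendor published, and a scan of the binary's embedded printable strings for leaked secrets such as PEM private keys and credential-like assignments. The sample binary, its embedded "secrets" and the expected hash are all constructed inline; the token regexes are generic patterns (the `gh?_` prefixes are GitHub's documented token prefixes) and would be tuned per environment.

```python
import hashlib
import hmac
import re

# Constructed sample "binary": an ELF-like prefix, filler bytes, then a PEM
# private key block and a credential-looking assignment, as a leaked-secret
# scanner might find them in a vendor-shipped executable. Nothing here is real.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01"
    + bytes(range(256)) * 4
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNOTAREALKEY==\n-----END RSA PRIVATE KEY-----\n"
    + b"\x00\x01\x02build_server_token=ghp_constructedExample1234567890ABCDEFGH\x00"
    + b"\xff" * 64
)

MIN_STRING_LEN = 8
# Runs of printable ASCII, the same heuristic the classic `strings` tool uses.
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# Illustrative secret signatures; a production scanner carries hundreds.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github_token_like": re.compile(rb"gh[pousr]_[A-Za-z0-9]{20,}"),
    "credential_assignment": re.compile(rb"(?i)(token|secret|password)\s*=\s*\S{8,}"),
}

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def verify_integrity(blob: bytes, expected_sha256: str) -> bool:
    """True only if the delivered bytes hash to the value the vendor published
    (e.g. in release notes or an SBOM). Constant-time compare on the hex digest."""
    return hmac.compare_digest(sha256_hex(blob), expected_sha256.lower())

def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN):
    """Printable-string runs of at least min_len bytes, in file order."""
    pattern = STRING_RE if min_len == MIN_STRING_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(blob)]

def find_secrets(blob: bytes):
    """(pattern_name, byte_offset) for every secret-pattern hit, sorted by offset."""
    hits = []
    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])

def assess_binary(blob: bytes, expected_sha256: str) -> dict:
    """Procurement-style verdict: tampered/unexpected bytes or any embedded
    secret means the artifact should not be accepted as delivered."""
    integrity_ok = verify_integrity(blob, expected_sha256)
    secrets = find_secrets(blob)
    return {
        "integrity_ok": integrity_ok,
        "secrets": secrets,
        "accept": integrity_ok and not secrets,
    }

if __name__ == "__main__":
    published = sha256_hex(SAMPLE_BINARY)  # stands in for the vendor's published hash
    print(assess_binary(SAMPLE_BINARY, published))
    print(assess_binary(SAMPLE_BINARY + b"\x00", published)["integrity_ok"])  # False: bytes changed
```

The hash check answers "is this the artifact the vendor says it shipped?" and nothing more; a build server compromised before signing produces a binary whose published hash matches perfectly, which is why the string scan (and, in real tooling, behavioural and code-similarity analysis) has to run on the bytes regardless of whether the hash checks out.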

About the Author

Saša Zdjelar | Chief Trust Officer (CTrO) at ReversingLabs and Operating Partner at Crosspoint Capital


Saša Zdjelar is the Chief Trust Officer (CTrO) at ReversingLabs and Operating Partner at Crosspoint Capital with ~20 years of Fortune 10 global executive leadership experience. His CTrO scope includes leadership, oversight and governance of the CISO/CSO function, including product security, as well as partnering with other leaders on corporate and product strategy, strategic partnerships and research, and customer and technology advisory boards, including sponsoring the ReversingLabs CISO Council. Before ReversingLabs and Crosspoint Capital, Saša served as the Senior Vice President of Security at Salesforce, where he led a global organization encompassing enterprise security, product security, offensive security, security engineering/automation, bug bounty programs, technical product/program/project management, and mergers & acquisitions. He also was the executive sponsor for strategic corporate security initiatives, such as Zero Trust.

Saša holds a bachelor’s degree in management and a Master's in Decision Science from the University of Florida.