The recent string of supply chain attacks against software companies has resulted in some serious, widespread consequences for the vendors themselves, as well as their customers, and even federal government agencies. But, unless major platform vendors take the initiative and make some significant changes to their platforms and processes, things could get quite a bit worse in the near future.
Although it happened relatively recently, the SolarWinds intrusion is already the canonical example of the damage that a supply chain compromise can cause. The attack, which began in December 2020 with a compromise of the company's internal network, eventually led to a malicious update for the SolarWinds Orion platform being installed on about 18,000 customers' networks. While only a small fraction of those organizations were further exploited, several of them were U.S. government agencies, and others included Microsoft and FireEye.
Other similar attacks have followed, including the Kaseya intrusion in July, and though the effects of both of those operations are still being sorted out, Matt Tait, the COO of Corellium and a former information security specialist for the British GCHQ intelligence agency, said those incidents may soon fade into the background if desktop and mobile platform owners don't shift their thinking.
“Supply chain attacks really only just started. It’s mostly been pretty small vendors. It’s likely to escalate in the coming months and years and when that happens it’s going to make everything that’s come before look like peanuts,” Tait said during the opening keynote at the Black Hat USA conference Wednesday.
“Untargeted supply chain attacks cause massive disruption. They are huge by default. They work in different ways. In supply chain intrusions they are huge by default.”
While SolarWinds has tens of thousands of enterprise customers and the intrusion was quite damaging, a similar intrusion at Microsoft or Apple or Google could have catastrophic consequences. Those companies employ some of the top security talent in the industry and collectively have decades of experience hardening their networks and platforms, but the adversaries who conduct supply chain attacks sit at the top of the food chain, as well. They tend to be intelligence agencies, military teams, or very high level cybercrime groups. In other words, they’re well-funded, skilled, and resourceful. They understand the value of compromising one major vendor rather than targeting hundreds or thousands of its customers.
If an adversary has access to a zero day exploit chain, as many of the top adversaries do, it is far better served using it to gain access to an upstream software provider than using it for mass exploitation of other organizations. Those chains are expensive to develop and adversaries tend to use them selectively.
“Zero day vulnerabilities have become much harder against hardened platform security systems. You’re probably not going to have just one vulnerability in that system, but a full chain and these things are very expensive,” Tait said.
“Every time an actor who has one of these wants to use it on an observable platform, it runs the risk of it being detected. This is cost and for governments who care about operational security, they might need to retool and rebuild infrastructure and this is all cost.”
The Biden administration has made software supply chain security a major focus over the last few months, issuing executive orders and working with private sector companies to develop strategies for securing the software pipelines. But government policies and encouragement can only do so much. Real change has to come from the handful of platform providers themselves, who control the update and security mechanisms for the vast majority of devices.
“The government isn’t going to fix this. It’s not going to be fixed by a consortium of international governments. The only way to fix it is to fix the underlying technologies. This requires platform vendors to step in. There are some easy sounding answers, but they all suck,” Tait said.
There are some answers that are less terrible, but they’re much more difficult and require fundamental changes in the way that platform providers handle their software and hardware. On the desktop side, Tait suggested that Microsoft change the privilege system in Windows, moving to a more granular approach.
“They need to break privileges apart into a more workable system of entitlements,” Tait said.
For mobile apps, Tait said allowing legal, mass scanning of apps in the Apple and Google stores would go a long way toward finding malware and potentially malicious behavior. As it stands, both Apple and Google perform their own security scans of submitted apps, but third-party vendors don’t have the ability to do so.
“Mass scanning of mobile systems and apps should be possible. Platform vendors should allow scanning app store apps at scale,” he said.
“We’re always going to need to trust platform vendors, but we also have this colossal other set of people we have to trust. Platform vendors can help reduce that down to a minimum.”