Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
09:00 AM
Connect Directly

Why Supply Chain Attacks Are Destined to Escalate

In his keynote address at Black Hat USA on Wednesday, Matt Tait, chief operating officer at Corellium, called for software platform vendors and security researchers to do their part to thwart the fallout of software supply chain compromises.

BLACK HAT USA 2021 - Las Vegas - The epic software supply chain attacks over the past year, including the high-profile breaches of SolarWinds, Microsoft Exchange Server, Kaseya, and Codecov, were only the beginning.

"Supply chain attacks are only just starting, and mostly with pretty small vendors that most people had not heard of beforehand," said Corellium COO Matt Tait, in a live conversation via video with Black Hat founder Jeff Moss. But what happens when these attacks get bigger and affect larger vendors and more of their customers?

Tait – who also delivered the prerecorded keynote, which was streamed on multiple large screens in a ballroom at the Mandalay Bay Conference Center in Las Vegas yesterday – said in the live portion of the event that the relative impact of these high-profile attacks could have been much worse given they were mostly targeted. He warned there will be more and they could well wreak more extensive and widespread damage to more organizations if the attackers hit larger targets with massive customer bases, such as the recent theft of source code from gaming giant EA Games.


"It's likely to start to escalate in the coming months and years," he said. "And when something really big happens ... everything else will look like complete peanuts" in comparison, he said. When a nation-state or cybercrime organization makes that leap and infiltrates more victims, it will no longer be a "sustainable" situation.

In his keynote, Tait, former information security specialist for the UK's GCHQ and more recently a member of Google's Project Zero team, outlined what he considers the three main factors that drove high-profile cyberattacks on Colonial Pipeline, Kaseya, Exchange Server, SolarWinds, and Codecov, as well as North Korea's targeting of security researchers and the NSO Pegasus Project iOS hacks.

While these attacks each were obviously different, they have a few common themes, he said. "The intrusions caused really big physical, real-world challenges," such as the temporary interruption in gasoline distribution after Colonial Pipeline's ransomware attack. And many were driven by a supply chain compromise. 

"Several were about stolen zero-days," as well, he said, pointing to the leaked Exchange flaw and North Korean nation-state hackers targeting security researchers to pilfer their findings. "Some of these working exploits got into the hands of offensive hackers who used these in massive attacks."  

Another factor, he said: a major increase in the number of zero-day exploits over the past year or so, especially on mobile devices. "The number of zero days being exploited in the wild is completely off the charts," Tait said. 

But the good news for now is that widespread exploitation of those previously unknown vulnerabilities remains rare, he noted. Both nation-state cyberspies and ransomware gangs have become more aggressive, to the point that it's starting to overwhelm defenders. "They want to do it in a way that's less costly" to breach their targets, he said.

Security researchers are prime targets. "If you're a security researcher and you're finding zero-days and they are high-impact, you are a target," Tait said. Attackers can more easily execute mass attacks if they can get hold of stolen or leaked exploits by researchers.

Katell Thielemann, vice president and analyst at Gartner, says supply chain breaches have indeed made hacking more cost-effective for attackers. 

"The nature of supply chains is that they produce network effects with hard-to-predict second, third, and n-order effects," she says. "They will increasingly be felt in the real world because now we are dealing with unsecure cyber-physical systems everywhere."

Supply chain also encompasses firmware, hardware, and GPS systems, she says, so it's not just a software problem. "The 'one-to-many' angle is out of the bag, but not just on the software front."

The 'Fix'
Tait said the only way to minimize these supply chain attacks is for software platform vendors to "fix the underlying technology." International or national governments can't solve the issue, he said. "Platform vendors have to step in."

For Windows, that means tightening up user privileges into one that developers use so if an app gets compromised, malware's impact is reduced.

Take mobile devices, which have been targeted with zero-day flaws of late, especially iOS. Third-party, legal scanning of mobile apps at scale should be available, he said. 

"We're only getting a tiny glimpse of what might be happening" on mobile devices right now, he warned, calling for the ability to install "security agents" on mobile and perform forensics on the devices. That's a missing link for spotting exploits on the devices, he said.

It's up to platform vendors to make these changes, Tait added. "Supply chains make massive exploitation by default and [make] ransomware mass destruction," he said.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file