Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

09:00 AM
Connect Directly

Why Supply Chain Attacks Are Destined to Escalate

In his keynote address at Black Hat USA on Wednesday, Matt Tait, chief operating officer at Corellium, called for software platform vendors and security researchers to do their part to thwart the fallout of software supply chain compromises.

BLACK HAT USA 2021 - Las Vegas - The epic software supply chain attacks over the past year, including the high-profile breaches of SolarWinds, Microsoft Exchange Server, Kaseya, and Codecov, were only the beginning.

"Supply chain attacks are only just starting, and mostly with pretty small vendors that most people had not heard of beforehand," said Corellium COO Matt Tait, in a live conversation via video with Black Hat founder Jeff Moss. But what happens when these attacks get bigger and affect larger vendors and more of their customers?

Tait – who also delivered the prerecorded keynote, which was streamed on multiple large screens in a ballroom at the Mandalay Bay Conference Center in Las Vegas yesterday – said in the live portion of the event that the relative impact of these high-profile attacks could have been much worse given they were mostly targeted. He warned there will be more and they could well wreak more extensive and widespread damage to more organizations if the attackers hit larger targets with massive customer bases, such as the recent theft of source code from gaming giant EA Games.


"It's likely to start to escalate in the coming months and years," he said. "And when something really big happens ... everything else will look like complete peanuts" in comparison, he said. When a nation-state or cybercrime organization makes that leap and infiltrates more victims, it will no longer be a "sustainable" situation.

In his keynote, Tait, former information security specialist for the UK's GCHQ and more recently a member of Google's Project Zero team, outlined what he considers the three main factors that drove high-profile cyberattacks on Colonial Pipeline, Kaseya, Exchange Server, SolarWinds, and Codecov, as well as North Korea's targeting of security researchers and the NSO Pegasus Project iOS hacks.

While these attacks each were obviously different, they have a few common themes, he said. "The intrusions caused really big physical, real-world challenges," such as the temporary interruption in gasoline distribution after Colonial Pipeline's ransomware attack. And many were driven by a supply chain compromise. 

"Several were about stolen zero-days," as well, he said, pointing to the leaked Exchange flaw and North Korean nation-state hackers targeting security researchers to pilfer their findings. "Some of these working exploits got into the hands of offensive hackers who used these in massive attacks."  

Another factor, he said: a major increase in the number of zero-day exploits over the past year or so, especially on mobile devices. "The number of zero days being exploited in the wild is completely off the charts," Tait said. 

But the good news for now is that widespread exploitation of those previously unknown vulnerabilities remains rare, he noted. Both nation-state cyberspies and ransomware gangs have become more aggressive, to the point that it's starting to overwhelm defenders. "They want to do it in a way that's less costly" to breach their targets, he said.

Security researchers are prime targets. "If you're a security researcher and you're finding zero-days and they are high-impact, you are a target," Tait said. Attackers can more easily execute mass attacks if they can get hold of stolen or leaked exploits by researchers.

Katell Thielemann, vice president and analyst at Gartner, says supply chain breaches have indeed made hacking more cost-effective for attackers. 

"The nature of supply chains is that they produce network effects with hard-to-predict second, third, and n-order effects," she says. "They will increasingly be felt in the real world because now we are dealing with unsecure cyber-physical systems everywhere."

Supply chain also encompasses firmware, hardware, and GPS systems, she says, so it's not just a software problem. "The 'one-to-many' angle is out of the bag, but not just on the software front."

The 'Fix'
Tait said the only way to minimize these supply chain attacks is for software platform vendors to "fix the underlying technology." International or national governments can't solve the issue, he said. "Platform vendors have to step in."

For Windows, that means tightening up user privileges into one that developers use so if an app gets compromised, malware's impact is reduced.

Take mobile devices, which have been targeted with zero-day flaws of late, especially iOS. Third-party, legal scanning of mobile apps at scale should be available, he said. 

"We're only getting a tiny glimpse of what might be happening" on mobile devices right now, he warned, calling for the ability to install "security agents" on mobile and perform forensics on the devices. That's a missing link for spotting exploits on the devices, he said.

It's up to platform vendors to make these changes, Tait added. "Supply chains make massive exploitation by default and [make] ransomware mass destruction," he said.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-09-24
Vulnerability in Oracle Linux (component: OSwatcher). Supported versions that are affected are 7 and 8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Linux executes to compromise Oracle Linux. Successful attacks of this vulnerability ca...
PUBLISHED: 2021-09-24
Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack that can compromise the privacy of visits to v2 onion addresses. If --log or --verbose is used, exact timestamps of these onion-service visits are logged locally, and an attacker might be able to compare them to timestamp...
PUBLISHED: 2021-09-24
A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance...
PUBLISHED: 2021-09-24
An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group co...
PUBLISHED: 2021-09-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.