Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

09:00 AM
Connect Directly

Why Supply Chain Attacks Are Destined to Escalate

In his keynote address at Black Hat USA on Wednesday, Matt Tait, chief operating officer at Corellium, called for software platform vendors and security researchers to do their part to thwart the fallout of software supply chain compromises.

BLACK HAT USA 2021 - Las Vegas - The epic software supply chain attacks over the past year, including the high-profile breaches of SolarWinds, Microsoft Exchange Server, Kaseya, and Codecov, were only the beginning.

"Supply chain attacks are only just starting, and mostly with pretty small vendors that most people had not heard of beforehand," said Corellium COO Matt Tait, in a live conversation via video with Black Hat founder Jeff Moss. But what happens when these attacks get bigger and affect larger vendors and more of their customers?

Tait – who also delivered the prerecorded keynote, which was streamed on multiple large screens in a ballroom at the Mandalay Bay Conference Center in Las Vegas yesterday – said in the live portion of the event that the relative impact of these high-profile attacks could have been much worse given they were mostly targeted. He warned there will be more and they could well wreak more extensive and widespread damage to more organizations if the attackers hit larger targets with massive customer bases, such as the recent theft of source code from gaming giant EA Games.


"It's likely to start to escalate in the coming months and years," he said. "And when something really big happens ... everything else will look like complete peanuts" in comparison, he said. When a nation-state or cybercrime organization makes that leap and infiltrates more victims, it will no longer be a "sustainable" situation.

In his keynote, Tait, former information security specialist for the UK's GCHQ and more recently a member of Google's Project Zero team, outlined what he considers the three main factors that drove high-profile cyberattacks on Colonial Pipeline, Kaseya, Exchange Server, SolarWinds, and Codecov, as well as North Korea's targeting of security researchers and the NSO Pegasus Project iOS hacks.

While these attacks each were obviously different, they have a few common themes, he said. "The intrusions caused really big physical, real-world challenges," such as the temporary interruption in gasoline distribution after Colonial Pipeline's ransomware attack. And many were driven by a supply chain compromise. 

"Several were about stolen zero-days," as well, he said, pointing to the leaked Exchange flaw and North Korean nation-state hackers targeting security researchers to pilfer their findings. "Some of these working exploits got into the hands of offensive hackers who used these in massive attacks."  

Another factor, he said: a major increase in the number of zero-day exploits over the past year or so, especially on mobile devices. "The number of zero days being exploited in the wild is completely off the charts," Tait said. 

But the good news for now is that widespread exploitation of those previously unknown vulnerabilities remains rare, he noted. Both nation-state cyberspies and ransomware gangs have become more aggressive, to the point that it's starting to overwhelm defenders. "They want to do it in a way that's less costly" to breach their targets, he said.

Security researchers are prime targets. "If you're a security researcher and you're finding zero-days and they are high-impact, you are a target," Tait said. Attackers can more easily execute mass attacks if they can get hold of stolen or leaked exploits by researchers.

Katell Thielemann, vice president and analyst at Gartner, says supply chain breaches have indeed made hacking more cost-effective for attackers. 

"The nature of supply chains is that they produce network effects with hard-to-predict second, third, and n-order effects," she says. "They will increasingly be felt in the real world because now we are dealing with unsecure cyber-physical systems everywhere."

Supply chain also encompasses firmware, hardware, and GPS systems, she says, so it's not just a software problem. "The 'one-to-many' angle is out of the bag, but not just on the software front."

The 'Fix'
Tait said the only way to minimize these supply chain attacks is for software platform vendors to "fix the underlying technology." International or national governments can't solve the issue, he said. "Platform vendors have to step in."

For Windows, that means tightening up user privileges into one that developers use so if an app gets compromised, malware's impact is reduced.

Take mobile devices, which have been targeted with zero-day flaws of late, especially iOS. Third-party, legal scanning of mobile apps at scale should be available, he said. 

"We're only getting a tiny glimpse of what might be happening" on mobile devices right now, he warned, calling for the ability to install "security agents" on mobile and perform forensics on the devices. That's a missing link for spotting exploits on the devices, he said.

It's up to platform vendors to make these changes, Tait added. "Supply chains make massive exploitation by default and [make] ransomware mass destruction," he said.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-09-22
Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component plugins/importers/dart.py.
PUBLISHED: 2021-09-22
CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field.
PUBLISHED: 2021-09-22
gmate v0.12+bionic contains a regular expression denial of service (ReDoS) vulnerability in the gedit3 plugin.
PUBLISHED: 2021-09-22
The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server...
PUBLISHED: 2021-09-22
The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. A malicious actor with non-administrative user access to the vCenter Server vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash) may exploit this issue to create a denial-of-service ...