
8/5/2021 09:00 AM

Why Supply Chain Attacks Are Destined to Escalate

In his keynote address at Black Hat USA on Wednesday, Matt Tait, chief operating officer at Corellium, called for software platform vendors and security researchers to do their part to thwart the fallout of software supply chain compromises.

BLACK HAT USA 2021 - Las Vegas - The epic software supply chain attacks over the past year, including the high-profile breaches of SolarWinds, Microsoft Exchange Server, Kaseya, and Codecov, were only the beginning.

"Supply chain attacks are only just starting, and mostly with pretty small vendors that most people had not heard of beforehand," said Corellium COO Matt Tait, in a live conversation via video with Black Hat founder Jeff Moss. But what happens when these attacks get bigger and affect larger vendors and more of their customers?

Tait – who also delivered the prerecorded keynote, which was streamed on multiple large screens in a ballroom at the Mandalay Bay Conference Center in Las Vegas yesterday – said in the live portion of the event that the relative impact of these high-profile attacks could have been much worse given they were mostly targeted. He warned there will be more and they could well wreak more extensive and widespread damage to more organizations if the attackers hit larger targets with massive customer bases, such as the recent theft of source code from gaming giant EA Games.


"It's likely to start to escalate in the coming months and years," he said. "And when something really big happens ... everything else will look like complete peanuts" in comparison, he said. When a nation-state or cybercrime organization makes that leap and infiltrates more victims, it will no longer be a "sustainable" situation.

In his keynote, Tait, former information security specialist for the UK's GCHQ and more recently a member of Google's Project Zero team, outlined what he considers the three main factors that drove high-profile cyberattacks on Colonial Pipeline, Kaseya, Exchange Server, SolarWinds, and Codecov, as well as North Korea's targeting of security researchers and the NSO Pegasus Project iOS hacks.

While these attacks each were obviously different, they have a few common themes, he said. "The intrusions caused really big physical, real-world challenges," such as the temporary interruption in gasoline distribution after Colonial Pipeline's ransomware attack. And many were driven by a supply chain compromise. 

"Several were about stolen zero-days," as well, he said, pointing to the leaked Exchange flaw and North Korean nation-state hackers targeting security researchers to pilfer their findings. "Some of these working exploits got into the hands of offensive hackers who used these in massive attacks."  

Another factor, he said: a major increase in the number of zero-day exploits over the past year or so, especially on mobile devices. "The number of zero days being exploited in the wild is completely off the charts," Tait said. 

But the good news for now is that widespread exploitation of those previously unknown vulnerabilities remains rare, he noted. Both nation-state cyberspies and ransomware gangs have become more aggressive, to the point that it's starting to overwhelm defenders. "They want to do it in a way that's less costly" to breach their targets, he said.

Security researchers are prime targets. "If you're a security researcher and you're finding zero-days and they are high-impact, you are a target," Tait said. Attackers can more easily execute mass attacks if they can get hold of stolen or leaked exploits by researchers.

Katell Thielemann, vice president and analyst at Gartner, says supply chain breaches have indeed made hacking more cost-effective for attackers. 

"The nature of supply chains is that they produce network effects with hard-to-predict second, third, and n-order effects," she says. "They will increasingly be felt in the real world because now we are dealing with unsecure cyber-physical systems everywhere."

Supply chain also encompasses firmware, hardware, and GPS systems, she says, so it's not just a software problem. "The 'one-to-many' angle is out of the bag, but not just on the software front."

The 'Fix'
Tait said the only way to minimize these supply chain attacks is for software platform vendors to "fix the underlying technology." International or national governments can't solve the issue, he said. "Platform vendors have to step in."

For Windows, that means tightening the user-privilege model that developers build on, so that if an app is compromised, the malware's impact is contained.

Take mobile devices, which have been targeted with zero-day flaws of late, especially iOS. Third-party, legal scanning of mobile apps at scale should be available, he said. 

"We're only getting a tiny glimpse of what might be happening" on mobile devices right now, he warned, calling for the ability to install "security agents" on mobile and perform forensics on the devices. That's a missing link for spotting exploits on the devices, he said.

It's up to platform vendors to make these changes, Tait added. "Supply chains make massive exploitation by default and [make] ransomware mass destruction," he said.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
