Black Hat 2021: Zero-days, Ransoms and Supply Chains


During Black Hat 2021, Corellium COO Matt Tait warned that the number of zero-days exploited in the open is "off the charts."

The primary concerns Tait highlighted during his Wednesday keynote were a significant rise in the number of zero-days identified and exploited in the wild, stolen zero-days, and supply chain attacks.

He claims that all three are to blame for several big breaches in the last two years, including the Colonial Pipeline, Kaseya, SolarWinds, and Microsoft Exchange hacks. According to his keynote, the number of zero-days discovered and exploited in the wild has reached new heights in the past few years.

"This is both in the government sector, doing espionage, and in the financially motivated crimeware industry, ransomware. It's getting to the point now where it's beginning to overwhelm our ability to respond in the defensive sector," Tait stated during the keynote. 

He added that attackers most likely need a chain of flaws to compromise a system and gain access; to do so, they must build a complete zero-day chain.

"And these things are very expensive thanks to platform security investments. Every time an attacker has a full chain and wants to use it, that's a risk. The possibility that the zero-day chain or some aspects of that intrusion gets detected can be a very expensive cost for the attacker." 

Similarities in high-profile attacks

He pointed to recent high-profile attacks such as the one on Colonial Pipeline, which caused gas shortages in some areas, and the more recent NSO Pegasus campaign, which targeted 50,000 targets across a variety of mobile devices. At first glance they all appear quite different; a deeper examination, however, reveals certain similarities.

According to Tait, the attacks that resulted in physical, real-world problems were massive ransomware-based attacks. Furthermore, they all appear to be driven by supply chain compromises combined with high-volume and often indiscriminate targeting. The use of stolen zero-days is the third and most prominent similarity.

He explained that North Korea, for instance, targeted security researchers to gain access to specific research. That research was then used to enable some of these major operations, including the Microsoft Exchange email server attack, in which Chinese nation-state hackers exploited several zero-day vulnerabilities.

"In both the Kaseya hack and Exchange hacks, there's credible evidence that security researchers found these vulnerabilities, these exact vulnerabilities, and had written exploits for them, and at some point between that and the patch being released, or shortly after, somehow these proof of concepts, these working exploits, managed to get into the hands of these offensive actors who used them," Tait stated.

"Governments are interested in taking your zero-days, and you need to secure your systems and your vendor communications properly. In the event that you have these, do be careful what you publish. Of course, it's your exploits, do what you want with them -- but be aware that there are trade-offs associated with this."

The reason comes down to cost. If a government can obtain a zero-day for free, according to Tait, the economics of using it change, because losing it costs the attacker nothing. Stolen zero-days therefore alter the economics of zero-day exploitation.

The rising danger of supply chain attacks

Tait described supply chain attacks as an entirely different type of cybercrime threat. The entire economics of mass exploitation, he explains, is turned upside down by supply chain attacks.

According to the security expert, bug bounty programs should be re-evaluated to ensure that vulnerabilities are disclosed and patched as soon as possible, which would help safeguard the software supply chain.

According to Tait, researchers are now motivated to "sit on" high-impact vulnerabilities in the hope of developing them into "full chain" attacks. While these chains provide the highest reward payouts, each day a zero-day stays unpatched is an opportunity for another, possibly malicious, third party to discover it. These, according to him, utterly reshape the entire economics of mass exploitation.

The time it takes for a supply chain attack to be discovered, according to Ryan Olson, vice president of threat intelligence at Palo Alto Networks' Unit 42 division, is the major issue. Companies might be compromised for months before they realize they have been hacked. This is especially bad for smaller software companies without an IT department or a security operations center.

Supply chain attacks, according to Tait, may be used for cyber espionage, as in the case of SolarWinds, where high-profile customers were compromised, as well as for physical harm, as with ransomware. Tait concluded that supply chain infections can only be fixed by platform vendors, arguing that government intervention or regulation will do little to address the problem.