The number of zero days being exploited in the wild is “off the charts,” Corellium COO Matt Tait warned during Black Hat 2021.
A massive increase in the number of zero days being detected and exploited in the wild, stolen zero days and supply chain attacks were the main threats Tait addressed during his Wednesday keynote. All three are responsible for several of the major breaches over the past two years, he said, including the Colonial Pipeline, Kaseya, SolarWinds and Microsoft Exchange attacks.
According to his keynote, the number of zero days being detected and exploited in the wild is the highest it has been in eight years. Tait attributed the tremendous increase to the offense taking off the gloves.
“This is both in the government sector, doing espionage, and in the financially motivated crimeware industry, ransomware. It’s getting to the point now where it’s beginning to overwhelm our ability to respond in the defensive sector,” Tait said during the keynote.
While not much has changed over the years to cause such a significant uptick, there are factors that affect the minimum cost.
For adversaries to attack a system and gain entry, Tait said they will probably need a chain of vulnerabilities. To do that, they will need to build a full zero-day chain. “And these things are very expensive thanks to platform security investments. Every time an attacker has a full chain and wants to use it, that’s a risk. The possibility that the zero-day chain or some aspects of that intrusion gets detected can be a very expensive cost for the attacker.”
High-profile attacks share commonalities
While examining top attacks like the one on the Colonial Pipeline, which caused gas shortages in some areas and the more recent NSO Pegasus project, which claimed 50,000 targets across a wide range of mobile devices, Tait said at first glance they appear to be very different. However, a closer look reveals commonalities.
The intrusions that caused physical, real-world challenges were overwhelming ransomware-based attacks, Tait said. Additionally, they all appear to be driven by supply chain compromises, which have high volume and usually indiscriminate targeting associated with them. The third and most notable is the use of stolen days. An example he provided was North Korea targeting security researchers, which was done to gain access to certain research. That research was used to enable some of these massive attacks, including the Microsoft Exchange email server attack where Chinese-nation state actors took advantage of multiple zero days, which had previously been disclosed by Microsoft.
“In both the Kaseya hack and exchange hacks, there’s credible evidence that security researchers found these vulnerabilities, these exact vulnerabilities and written exploits for them and at some point between that and the patch being released, or shortly after, somehow these proof of concepts, these working exploits managed to get into the hands of these offensive actors who used them,” Tait said.
Tait warned security researchers who are building or finding zero days in the wild that they are a target — particularly if the zero days are high-impact platform security. “Governments are interested in taking your zero days and your need to secure your systems and your vendor communications properly. In the event that you have these, do be careful what you publish,” he said. “Of course, it’s your exploits, do what you want with it — but be aware that there are trade-offs associated with this.”
The reason leads back to the minimum cost. If a government can gain access to a free zero-day, it changes their economic assessment of using it — and Tait said it costs nothing to lose it. “Stolen zero-day does change the economics of zero-day exploitation.”
Increasing danger of supply chain attacks
Another threat that greatly affects cybercrime finance is supply chain attacks, which Tait referred to as completely different. According to him, they completely upend the entire economics of mass exploitation.
Boris Larin, a senior security researcher at Kaspersky, told SearchSecurity that supply chain attacks are the most dangerous types of attacks, and there is no perfect solution against them. Larin said he expects such attacks to remain popular and likely increase. One reason being is that actors can remain undetected for long periods of time. According to Larin, if a compromised application isn’t behaving suspiciously and it’s only performing actions on a small number of targeted machines, then the supply chain attack becomes difficult to detect.
Ryan Olson, vice president of threat intelligence for Palo Alto Networks’ Unit 42 group, told SearchSecurity that the biggest concern of a supply chain attack is the amount of time before it’s detected. Companies could be compromised for months before realizing there’s been a breach. It’s particularly bad for smaller software vendors, who don’t have an IT team or security operations center.
“Because of that, there’s this trust that you have to have with the people who are supplying software to you or supply services, but the level of validation that’s required to ensure that they’re doing everything perfectly is way too high to be reasonable when you have hundreds or thousands of vendors, which a lot of companies do,” Olson said. “This is a situation which is way too easy for attackers to exploit.”
According to Tait, supply chain attacks make massive exploitation a default. They can be used for cyber espionage — as in the case of SolarWinds, where high-profile customers were affected — as well as physical damage, in terms of ransomware. On top of it, target selection is easy, he said, as it’s all customers. The solution, however, is not as straightforward.
“Supply chain infections can only be fixed by platform vendors; the government is not coming to save you,” Tait said.