Ransomware attacks are infiltrating the supply chain, combining two of the most difficult compromises to prevent and recover from.
"One of the big problems that we have at the moment is the supply chain attacks really only just started," and the victims have been relatively smaller companies, Matt Tait, chief operating officer of Corellium, said during the Black Hat keynote Wednesday.
When companies think about how they could prevent a supply chain attack, there are "easy-sounding answers in this space, but all of them suck," Tait said. Companies can turn off updates or rethink how they work with managed service providers. But both options could leave a company more exposed, not less.
The real solutions to supply chain compromises are through platform vendors and automating trust between customers and vendors.
"Unless you trust the platform itself, then really you don't have any trust in any of the things that are running on that system," Tait said. Companies will always need to trust their platform vendors and the people with access to certain systems.
The attacks on SolarWinds, Microsoft Exchange, Colonial Pipeline, JBS and Kaseya each had a unique threat group behind the intrusions. Each group used different methods of entry; some were sophisticated, while others used spray-and-pray techniques. One common trait of the high-profile incidents is that the attacks featured zero days or supply chain compromises.
The Microsoft Exchange and Kaseya zero days were initially found by security researchers, which Tait argues is part of the overall issue. Security researchers found the vulnerabilities before the bad actors did in both supply chain hacks, he said. A security researcher informed Microsoft of the Exchange vulnerabilities as early as January, and after Kaseya was informed by DIVD of its vulnerabilities, its update process was interrupted by a ransomware group.
Uncovering zero days is beneficial for security practitioners to protect their organizations, but remediation is a race against fast-moving bad actors hunting for exploits. If a company is dedicated to security research, its data becomes a target. Bug bounty programs also attract threat actors looking for zero days.
"If you're a security researcher and you're building or finding zero days in the wild, and these zero days of high impact platform security … you are a target," said Tait. "Governments are interested in taking your zero days and you need to secure your systems and your vendor communications properly."
The issue with bug bounty programs, Tait said, is that bounties increase if a participant is able to create the whole zero-day chain, which turns vulnerabilities into working exploits. While this appears beneficial to the security community, by waiting until a chain is complete, "you create this perverse incentive for security researchers not to publish or not to report their vulnerabilities early. You're creating some weird incentives that maybe we should have to think about," Tait said.
Tait argues that if companies were more accepting of the components of an exploit, the company and its customers would be safer. "It also means that the security researcher doesn't have fully working zero day chains on their laptop that can get stolen," he said.