Researchers unwittingly assist in cybercrime

Matt Tait, COO of Correlium, said the marketing practices of the security research industry enable cybercrime worldwide at his keynote at Black Hat Conference 2021. Considering that the conference is dedicated specifically to that industry, it was bold.

His keynote focused on supply chain attacks and described the profitability and ease of ransomware subscriptions. At the same time, he showed how hard it is to create malware and find targets. His bombshell was dropped almost as an aside as he explained how security researchers make the development process easier.

Simply put, he said when researchers find vulnerabilities they send them to vulnerable companies hoping for a contract. It is a marketing practice.

Tait claimed researchers make contact with potential clients through unencrypted communications and unsecured channels. Criminals surveilling researchers steal these findings and post them on the dark web where they are used to design attacks before the victims can mount a defense, the classic definition of a zero-day attack.

“Stolen zero-day is a component of several high-profile stories,” he stated. “If you are building or finding in-the-wild, high impact zero-day attacks, you (the researcher) are a target for criminals.”

Marketing practice concerns

Cyber Protection Magazine has been concerned about research marketing for a while. We receive multiple emails each month about arcane vulnerabilities that are beyond the capabilities of most criminal organizations. The news is released after the potential victims did not offer a contract. The announcement increases name recognition for the organization, shames victims into making a deal, and raises concern among the customers about the products. Tait’s revelation indicates that they also serve as a trail of breadcrumbs for cybercriminals to target the researchers, steal their findings and reduce the overall cost of developing an attack.

The general news media is often complicit. The reports alert criminals to security holes before they are closed.

Tait pointed out that mass zero-day exploits are technologically difficult, labor-intensive, costly, and fraught with danger, but are still highly profitable if the criminals can identify multiple vulnerabilities along the supply chain.

“Every time an actor wants to use it on an observable platform, there’s a risk for that threat actor, and that the possibility that zero-day chain or some aspects of that intrusion gets detected,” he explained. Once the exploit is launched it is relatively easy to identify the intrusion and close the hole. However, that changes when the attacker focuses on mobile devices.

Mobile devices targeted

“On mobile devices,” Tait said, “there’s been some really high volume exploitation. In-the-wild, zero-day exploits against mobile devices is up dramatically. He claimed there is less observability on mobile devices in a network. We’re only really getting a tiny glimpse of what actually might be happening out there in the world.”

He offered specific guidance for research companies and their marketing targets. First, the researchers need to up their game in securing their communications, Second, they need to limit what they say. Exposing a point-and-click, or even a zero-click exploit can be disastrous if the findings fall into the hands of criminals.

But their customers have to change the way they accept the “cold calls” from researchers. Most companies only accept complete reports thinking it easier to control access. In fact, Tait said accepting partial findings slows attacks, making criminals search multiple sites for the entire exploit. “A steeper update curve increase risk for risk-averse attackers, which makes the vendors’ customers safer.”

More importantly, Tait said, is that we cannot expect governments to come to the rescue with legislation and bureaucracy. Only the platform vendors can do it. Whether they are willing to do so is another question.