Zero-day vulnerabilities have always had something of a special reputation in the cybersecurity space. These software bugs are exploited for attacks before the flaw is known to the software vendor and so before a patch is available. As a result, these security holes are theoretically far harder to defend against and are a more attractive prospect for threat actors. The exploits subsequently devised to take advantage can be a real headache for network defenders. The bad news is that such exploits are now at an all-time high, according to two new pieces of research.
This recent surge in volume might be because the industry is improving detection and disclosure of such attacks. But in any case, organizations need to get better at mitigating the threat from unknown vulnerabilities, especially as both state-backed operatives and financially motivated cybercriminals are increasing their activity.
A record year for what?
Google’s Project Zero team was created over eight years ago with the specific goal of finding and responsibly disclosing zero-day bugs to vendors. It has been prolifically successful in doing so, making any industry insight it can share of great interest. Its latest year in review report reveals that there were 58 “in-the-wild” zero-days tracked last year, more than double the previous maximum of 28 spotted in 2015, and far higher than the 25 detected in 2020.
However, not all is as it may first appear. According to Google security researcher Maddie Stone, it’s actually almost impossible to track the true figure for zero-day exploits, as the threat actors that use them are a highly secretive bunch, for obvious reasons. In fact, the record figure could be more precisely explained by better detection and disclosure of such exploits, she argued. Both the number of researchers working on finding and reporting zero-days, and the number of vendors detecting and disclosing zero-days in their products has increased. That’s a sign of some progress.
State actors drive the increase
Separate research from Mandiant sheds more light on the subject. It identified 80 zero-day vulnerabilities exploited in the wild last year, more than double the previous record of 32 back in 2019. Although the firm recognized that this could be due to more detections, it also argued the rise could be down to:
- The move toward cloud hosting, mobile, and Internet of Things (IoT) technologies, which increases the volume and complexity of internet-connected software and systems
- An expansion of the exploit broker marketplace, as more resources are shifted toward research and development of zero-days, both by private companies and threat groups
Microsoft, Apple and Google products accounted for three-quarters of those zero-day bugs found by Mandiant, with state groups led by China the “primary actors”. Among the most prolific of these exploits were those used to leverage four zero-days discovered in Microsoft Exchange Server (“ProxyLogon”) last March. This attack not only showed the speed with which groups are jumping on newly discovered bugs to exploit them before patches are released, it also proved that multiple actors including cybercrime groups are getting involved. ESET discovered various APT groups exploiting ProxyLogon on thousands of Exchange servers last year. There are even reports that some well-funded ransomware groups are considering hiring zero-day exploits for initial access.
The same old techniques
Somewhat surprisingly, despite the surge in zero-days, the attacks themselves are still using tried-and-tested techniques, according to Google’s Stone. She explained:
“The zero days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit ‘shapes’ previously seen in public research. Once zero day is hard, we’d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn't what the data showed us this year.”
In fact, of the 58 Google recorded, 67% were memory corruption vulnerabilities. These have been a popular feature of the threat landscape for the past few decades. Of these, most attackers apparently also stuck with the most popular and well-known bug classes: use-after-free; out-of-bounds read & write; buffer overflow; and integer overflow.
What does this mean for vulnerability management?
As Stone argued, the industry needs to get better at making zero-day exploits harder for threat actors to develop. That means patching properly and ensuring that when bugs are fixed, any similar avenues for attack across similar products are also blocked. That will force attackers to start from scratch when looking to find new zero-day bugs.
In the meantime, CISOs can invest in tools to help their detection of never-before-seen threats. Proactive cloud-based sandboxing, for example, provides an extra layer of defense outside an organization’s network and executes suspicious programs in a safe environment, where its code and behavior can be checked by machine learning algorithms, behavior-based detection, and other tools. Anything deemed to be a zero-day threat is blocked at this stage.
Remember the basics
It’s also worth remembering that, while important, zero-day exploits aren’t the only threat facing organizations. In fact, companies are statistically more likely to be hit by an exploit for a known vulnerability – possibly one dating back many years. As such, good cyber-hygiene remains critical to effective cyber-risk management. Consider:
- Continuous risk-based patching of known vulnerabilities
- Cybersecurity awareness training for all staff
- Supply chain security steps to ensure partners are thoroughly audited for cyber-hygiene
- Software supply chain checks to ensure open source components used to build internal software are free from vulnerabilities/malware
- Continuous configuration management to mitigate the risk of accidentally exposed systems
Effective cybersecurity means protecting the organization against both known and unknown vulnerabilities. The best way to do that is through layered defense, including updated policies and a focus on mitigating cyber-risk, wherever it is.