Alessandra Peters

20/08/2022

Zero-Day Vulnerabilities 2022: Getting Worse, but Mitigation Is Still Possible

In cybersecurity, what you don’t know is often what hurts you. 2021 was described as a “terrible year for cybersecurity,” and it is no coincidence that it also broke records for in-the-wild zero-day exploitation. 

Mandiant identified 80 zero-day vulnerabilities exploited last year, two and a half times the previous record of 32 set in 2019. And Google’s Project Zero (GPZ), which tracks zero-day exploitation in major software products, recorded 58 in-the-wild zero-days in 2021, the highest count since it began keeping records in mid-2014. 

Not only are more threat actors leveraging zero-day vulnerabilities, but these attacks are also becoming less targeted. Because almost every company struggles to keep up with patching, an exploit keeps working long after the vulnerability is disclosed, so threat actors now use zero-days against many organisations at once rather than saving them for a select few. 

To combat the risk zero-day vulnerabilities pose, organisations need to augment patch management with tools that go beyond traditional security products (e.g., signature-based antivirus), which can only spot threats that match known rules and signatures. Instead, organisations need advanced threat detection, investigation and remediation tools like SenseOn. Built to mitigate zero-day risk, SenseOn uses behaviour analysis and machine learning to flag and stop attack techniques rather than known indicators, including exploitation of flaws no one has yet seen in the wild.

What Is a Zero-Day Vulnerability?

A zero-day vulnerability is a flaw in software, firmware or hardware that is unknown to, or not yet patched by, the vendor. It is called “zero-day” because the vendor has had zero days to fix it before threat actors can exploit it. An exploit for such a flaw is a zero-day exploit, and its use in a cyber attack is a zero-day attack.

Many organisations encourage researchers and independent white-hat hackers to report vulnerabilities through bug bounty programs. However, grey and black markets for zero-day vulnerabilities are also growing. Depending on what it lets an attacker do, a single zero-day can sell for tens of thousands of pounds, often far more than a bug bounty program would pay for it. 

Money is not the only motive. Some security researchers sell or pass zero-days to third parties such as zero-day brokers (companies that buy and sell exploits) or threat actors, or publish them outright, sometimes specifically to hurt the organisation that owns or uses the vulnerable software. For example, last year one researcher publicly disclosed three iOS zero-day vulnerabilities alongside a critique of Apple’s bug bounty program, and another posted a macOS vulnerability on Twitter, complete with instructions on how to exploit it. 

No Longer Just the Domain of Nation State Actors

While zero-day vulnerabilities have most often been found and used by state-sponsored actors, research by Digital Shadows shows that zero-day sellers are increasingly holding auctions on cybercriminal forums. Although zero-days are still too expensive for most malicious actors, ransomware gangs like the Russia-linked REvil make millions in profit each year and can now compete with traditional zero-day buyers. 

Ivanti found that ransomware groups exploited a wider range of zero-day flaws last year than ever before, including vulnerabilities in SonicWall (CVE-2021-20016), Apache Log4j (CVE-2021-44228), QNAP (CVE-2021-28799) and Kaseya VSA (CVE-2021-30116), among others. Almost one in three of the actors Mandiant identified as using zero-days was financially motivated. 

In its report, Digital Shadows also noted threat actors discussing an “exploit-as-a-service” business model, in which cybercriminals lease zero-days to others rather than using them themselves or selling them outright. This means that in the future we can expect less sophisticated, less well-resourced threat actors to conduct attacks that leverage zero-day vulnerabilities. 

Poor Patching Is a Major Problem 

Even when a patch for a zero-day vulnerability becomes available, it does not always protect vulnerable systems the way it should. 

GPZ found that of the 18 zero-days exploited in the wild in the first six months of 2022 (that is, used by attackers before a fix was available), at least half could have been prevented had vendors tested more rigorously and shipped more comprehensive patches. Worse, at least four of this year’s zero-days were variants of zero-days exploited in 2021. 

According to Maddie Stone of GPZ, the trouble is that while attackers have many paths to reach a vulnerability, vendors too often block only one of them, usually the one that appears in the exploit sample they were given. As a result, zero-day variants of n-day vulnerabilities (flaws for which a patch already exists) are becoming more common. In 2020, researchers found previously unknown vulnerabilities that were variants of flaws exploited by Stuxnet, the computer worm that targeted Microsoft Windows machines and damaged Iran’s nuclear infrastructure in 2010.

“We’re not requiring attackers to come up with all new bug classes, develop brand new exploitation, look at code that has never been researched before. We’re allowing the reuse of lots of different vulnerabilities that we previously knew about,” said Stone at the Enigma security conference. Trend Micro vulnerability researcher John Simpson agreed, saying that some of the zero-days he has seen have been the result of a vendor fixing a vulnerability on one line of code but neglecting to do the same on “literally the next line of code.” 
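To make the “one path blocked, the others left open” failure concrete, here is an added example (not code from this page, from GPZ or from Trend Micro) of a path-traversal bug patched two ways. The file-download endpoint, its document root /srv/files and the request strings are all hypothetical. The narrow fix rejects only the exact string that appeared in a proof-of-concept; the comprehensive fix addresses the root cause by decoding, normalising and checking that the final path stays under the document root.

```python
from urllib.parse import unquote
import posixpath

BASE = "/srv/files"  # hypothetical document root for a file-download endpoint


def resolve_narrow(raw):
    """Patch that blocks only the exploit sample's spelling of the bug.

    The check runs on the raw request string, but the path is percent-decoded
    afterwards, so any encoding of '..' slips through; so does an absolute
    path, which contains no '..' at all but also escapes BASE.
    """
    if "../" in raw:
        raise PermissionError("traversal rejected")
    path = unquote(raw)  # decoding happens after the check
    return posixpath.join(BASE, path)


def resolve_comprehensive(raw):
    """Root-cause fix: decode, normalise, then verify the result stays under BASE.

    posixpath.join discards BASE when `path` is absolute, and normpath folds
    '..' segments, so the containment check sees the path that would really
    be opened rather than the string the attacker typed.
    """
    path = unquote(raw)
    candidate = posixpath.normpath(posixpath.join(BASE, path))
    if candidate != BASE and not candidate.startswith(BASE + "/"):
        raise PermissionError("traversal rejected")
    return candidate


# Constructed request strings: the proof-of-concept the vendor was given,
# two variants of the same root cause, and one legitimate request.
VARIANTS = {
    "poc": "../../etc/passwd",          # the string in the exploit sample
    "encoded": "..%2f..%2fetc/passwd",  # same traversal, percent-encoded
    "absolute": "/etc/passwd",          # same root cause, no '..' anywhere
    "benign": "reports/q1.pdf",
}


def escapes_base(resolver, raw):
    """Return True if `resolver` would hand back a path outside BASE for `raw`."""
    try:
        resolved = resolver(raw)
    except PermissionError:
        return False  # rejected: attack blocked
    final = posixpath.normpath(resolved)  # the path the OS would actually open
    return final != BASE and not final.startswith(BASE + "/")


def audit(resolver):
    """Map each variant name to whether it escapes BASE under `resolver`."""
    return {name: escapes_base(resolver, raw) for name, raw in VARIANTS.items()}


if __name__ == "__main__":
    for name, fn in (("narrow", resolve_narrow), ("comprehensive", resolve_comprehensive)):
        print(name, audit(fn))
```

Run as a script, the narrow patch blocks only the “poc” string while the “encoded” and “absolute” variants still reach /etc/passwd; the comprehensive patch blocks all three and still serves the benign request. The difference is exactly the one Stone describes: the first fix blocks the path shown in the exploit sample, the second blocks the class of bug.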

Neutralising Threats Caused by Zero Days

It can take days, weeks or even months for vendors and software developers to find and fix the vulnerability behind an attack, and a similarly long time for affected companies to roll out the patch. No firm should therefore rely on other parties to quickly identify zero-day exploitation. Instead, every organisation should assume that there are unpatched vulnerabilities in its networks and systems and have tooling in place to detect attempts to exploit them. 

SenseOn’s automated threat detection, investigation and response platform is one such tool. It unifies data from across an organisation’s infrastructure (endpoints, network, cloud and so on) and blends several detection methods (rules and signatures, user and entity behaviour analytics, supervised and unsupervised machine learning, and deception techniques) to monitor for attacker tactics, techniques and procedures (TTPs) and anomalies across the estate, so that it can detect a new zero-day exploit quickly and accurately without prior knowledge of the threat.
