Zero-Day Attacks
In October 2024 Google Mandiant reported on 138 vulnerabilities exploited since 2023. They concluded that both the number and the speed of zero-day attacks had increased. 70% (93) of these exploitations were zero-day, occurring before a patch became available. Once an issue has been made public and a fix is available it becomes known as an n-day vulnerability.
Despite the name, few attacks actually occur on day zero of a software or patch release. A hacker needs time to analyse what has changed and to look for vulnerabilities. There are cases, such as the 2024 CrowdStrike outage, where a release causes immediate system failures without any outside intervention. There will be others where a patch has somehow removed protection against an existing exploit, allowing attacks from malware already in circulation.
A more common pattern is the race between hackers and developers to find flaws and either exploit them or close them off. Many organisations pay a ‘bug bounty’ to those who find and report such flaws. If no such incentive is available, or the finder has other motives, a working exploit can find its way into the criminal community. The exploit can then be wrapped in more user-friendly code so that the perpetrator needs no high-level programming skills, an approach that lets access be monetised and spreads the attack further.
Mandiant are seeing a reduced time to exploit as hackers become faster and more adept at taking advantage of these software flaws.
- 2018/2019: average time to exploit 63 days
- 2020: average time to exploit 44 days
- 2021/2022: average time to exploit 32 days
- 2023: average time to exploit 5 days
An authentication vulnerability affecting the WooCommerce Payments plugin for WordPress was disclosed on 23rd March 2023. Technical details followed on 3rd July; exploitation was first reported on 14th July (114 days after disclosure) and peaked on 16th July with 1.3 million attacks.
In another example, XORtigate is a heap-based buffer overflow in the Secure Sockets Layer (SSL)/virtual private network (VPN) component of Fortinet FortiOS. The flaw was disclosed on 11th June 2023, with exploitation first recorded on 12th September (94 days).
The WooCommerce issue attracted significant activity because the plugin is relatively popular and offers the attacker a wider spread of potential victims than the relatively specialised FortiOS product.
A more in-depth example of how quickly attacks ramp up comes from the remote support solution ScreenConnect. Its creator, ConnectWise, published details of security flaws in February 2024 together with a patch for affected systems. Attacks on vulnerable systems had begun within 1 day of the ConnectWise announcement.
There is no specific defence against zero-day attacks, or against n-day attacks where patching cannot be implemented immediately. Good cyber security needs to assume that there will be unknown threats and endeavour to protect against them.
- Look at system logs and network traffic for unusual activity.
- Audit accounts and levels of privilege, especially newly created or elevated ones.
- Use Attack Surface Management techniques to analyse a network from the perspective of a potential attacker.
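As an added illustration of the account audit above (example code, not from the original article or from Mandiant), the script below scans Linux `useradd`/`usermod` audit lines for accounts created or added to a privileged group during the window following a vulnerability disclosure. The log lines, the disclosure date and the privileged-group list are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (not real data). Only useradd/usermod
# entries matter here; other lines, such as the sshd login, are ignored.
SAMPLE_LOG = """\
2024-02-19T22:10:05 host1 useradd[4120]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup
2024-02-19T22:10:40 host1 usermod[4131]: add 'svc_backup' to group 'sudo'
2024-02-20T08:01:12 host1 sshd[5210]: Accepted publickey for svc_backup from 203.0.113.7 port 51022
2024-01-05T09:00:00 host1 useradd[2001]: new user: name=alice, UID=1003, GID=1003, home=/home/alice
2024-02-21T03:15:44 host1 usermod[6002]: add 'alice' to group 'wheel'
"""

USERADD_RE = re.compile(r"^(\S+) \S+ useradd\[\d+\]: new user: name=(\w+)")
GROUPADD_RE = re.compile(r"^(\S+) \S+ usermod\[\d+\]: add '(\w+)' to group '(\w+)'")
# Groups treated as privileged for this example; adjust to the environment.
PRIV_GROUPS = {"sudo", "wheel", "admin", "root"}


def audit_accounts(log_text, disclosure, window_days=7):
    """Return (kind, user, timestamp) for accounts created or elevated between
    the disclosure date and window_days afterwards."""
    end = disclosure + timedelta(days=window_days)
    findings = []
    for line in log_text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            if disclosure <= ts <= end:
                findings.append(("created", m.group(2), ts.isoformat()))
            continue
        m = GROUPADD_RE.match(line)
        if m and m.group(3) in PRIV_GROUPS:
            ts = datetime.fromisoformat(m.group(1))
            if disclosure <= ts <= end:
                findings.append(("elevated", m.group(2), ts.isoformat()))
    return findings


if __name__ == "__main__":
    # Constructed disclosure date, chosen to fall inside the sample log.
    for kind, user, when in audit_accounts(SAMPLE_LOG, datetime(2024, 2, 19)):
        print(f"{when} account {user!r} {kind}")
```

Note that `alice` is flagged although the account predates the window: a long-standing account gaining a privileged group is exactly the elevation case the audit is meant to surface.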