Zero-Day Attacks

In October 2024 Google Mandiant reported on 138 vulnerabilities exploited since 2023.  They concluded that zero-day attacks had increased in both number and speed.  70% (93) of these exploitations were zero-day, occurring before a patch became available.  Once an issue has been made public and a solution is available it becomes known as an n-day vulnerability.

Despite the name, few attacks actually occur on day zero of a software or patch release.  A hacker needs time to analyse what has changed and to investigate vulnerabilities.  There are cases, such as the 2024 CrowdStrike outage, where a release causes immediate system failures without any outside intervention.  There will be others where a patch has somehow removed protection against an existing exploit, allowing attacks from existing malware.

A more common trend is the race between hackers and developers to find flaws and either exploit them or close them off.  Many organisations pay a ‘bug bounty’ to those who find and report such flaws.  If such incentives are not available, or the coder has other motives, then a crack can find its way into the criminal community.  The exploit can be wrapped in more user-friendly code so that the perpetrator needs no high-level programming skills; an approach that allows access to be monetised and further spreads access to the attack medium.

Mandiant are seeing a reduced time to exploit as hackers become faster and more adept at taking advantage of these software flaws.

  • 2018/2019; average time to exploit 63 days
  • 2020; average time to exploit 44 days
  • 2021/2022; average time to exploit 32 days
  • 2023; average time to exploit 5 days

An authentication vulnerability affecting the WooCommerce Payments plugin for WordPress was disclosed on 23rd March 2023.  Technical details followed on 3rd July; exploitation was first reported on 14th July (114 days after disclosure) and peaked on 16th July with 1.3 million attacks.

In another example, XORtigate is a heap-based buffer overflow in the Secure Sockets Layer (SSL)/virtual private network (VPN) component of Fortinet FortiOS.  The flaw was disclosed on 11th June 2023, with exploitation first recorded on 12th September (94 days).

The WooCommerce issue attracted significant activity because it is a relatively popular plug-in and provides the attacker with a wider spread of potential victims than the relatively specialised FortiOS product.

A more in depth example of how the rate of attack ramps up comes from the remote support solution ScreenConnect.  The creators ConnectWise published details of security flaws in February 2024 together with a patch for affected systems.  Attacks had begun on vulnerable systems within 1 day of the ConnectWise announcement.

There is no specific defence against zero-day attacks, or against known flaws where patching cannot be implemented immediately.  Good cyber security needs to assume that there will be unknown threats and endeavour to protect against them.

  • Look at system logs and network traffic for unusual activity.
  • Audit accounts and levels of privilege; especially newly created or elevated examples.
  • Use Attack Surface Management techniques to analyse a network from the perspective of a potential attacker.
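The account and privilege audit in the list above can be partly automated.  The following is an added example, not code from the original post: a small Python pass over Linux-style authentication log lines that flags accounts created since the last audit, additions to privileged groups, and root-level sudo use by accounts not expected to have it.  The log lines, account names and the "known" baseline are all constructed sample values; the regular expressions assume the usual useradd, usermod and sudo message formats and would need adjusting for other log sources.

```python
"""Audit constructed auth-log lines for new accounts and privilege changes.
Added example; all sample data below is constructed, not real."""
import re
from dataclasses import dataclass

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
Mar 12 02:14:07 web01 useradd[2231]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
Mar 12 02:14:21 web01 usermod[2240]: add 'svc_backup' to group 'sudo'
Mar 12 09:02:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 12 23:41:55 web01 sudo: svc_backup : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar 13 10:15:00 web01 sshd[3100]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""

# Baseline from the last audit (constructed): accounts that should exist and
# accounts that are expected to hold privileged group membership.
KNOWN_ACCOUNTS = {"root", "alice", "bob"}
EXPECTED_PRIVILEGED = {"alice"}
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin"}

# Message shapes assumed for useradd, usermod and sudo entries.
RE_USERADD = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
RE_GROUPADD = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
RE_SUDO = re.compile(r"sudo:\s+(?P<name>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


@dataclass
class Finding:
    line_no: int   # 1-based line within the log text
    kind: str      # new_account | privilege_elevation | unexpected_root_sudo
    account: str
    detail: str


def audit_accounts(log_text, known_accounts=KNOWN_ACCOUNTS,
                   expected_privileged=EXPECTED_PRIVILEGED):
    """Return a list of Finding objects, in log order, for anything that
    differs from the audited baseline."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = RE_USERADD.search(line)
        if m:
            name = m.group("name")
            if name not in known_accounts:
                findings.append(Finding(n, "new_account", name,
                                        "account created since last audit"))
            continue
        m = RE_GROUPADD.search(line)
        if m and m.group("group") in PRIVILEGED_GROUPS:
            name = m.group("name")
            if name not in expected_privileged:
                findings.append(Finding(n, "privilege_elevation", name,
                                        f"added to group {m.group('group')}"))
            continue
        m = RE_SUDO.search(line)
        if m and m.group("target") == "root":
            name = m.group("name")
            if name not in expected_privileged:
                findings.append(Finding(n, "unexpected_root_sudo", name,
                                        f"ran {m.group('cmd')}"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.account} ({f.detail})")
```

Run against the sample, the script reports the constructed svc_backup account three times: its creation, its addition to the sudo group, and its later root shell, while alice's expected sudo use produces nothing.  Each finding is a prompt for a human to check whether the change was authorised, which is the point of the audit step rather than automatic blocking.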
