Businesses must act now to address the zero day surge


Cyber attacks exploiting zero-day vulnerabilities have historically been something of a worst-case scenario — a surprise attack that cannot be readily predicted. But while zero days used to be fairly rare, they are now becoming increasingly prevalent.

In two of the last three years, more of the mass compromise events Rapid7 analyzed arose from zero-day vulnerabilities than from new n-day exploits. And over the past year, major incidents involving vulnerabilities in Progress MOVEit Transfer, Barracuda ESG, Ivanti Connect Secure, and Fortra GoAnywhere MFT have underscored this trend.

As the scope of zero-day attacks grows, organizations must quickly familiarize themselves with the greatest threats and ensure they have proactive controls in place to mitigate risk.

Caitlin Condon, Director of Vulnerability Intelligence at Rapid7.

Zero-day attacks can lead to severe consequences, including system compromises, network downtime, and substantial financial losses. However, the expertise and resources required have previously limited their use.

Discovering a new exploit requires research time and technical skill, making zero days the province of well-resourced threat groups that are either able to uncover the vulnerability themselves or to purchase exclusive exploits from brokers on the dark web.

But now we are seeing a distinct shift to zero days being deployed in widespread attacks — incidents where previously unknown vulnerabilities are exploited by a single skilled adversary hitting a large vulnerable target population with an orchestrated, timed attack.

Our research found that in 2023, more than half (53%) of the new widespread threat vulnerabilities were exploited as zero days, marking an increase from the previous year and a return to the high levels of zero-day exploitation seen in 2021.

Several factors are contributing to this rise. Because zero days can enable threat actors to pull off hugely profitable attacks, some threat groups are willing to pay vast sums to get their hands on new discoveries.

Rapid7 researchers have seen exploits for common enterprise tools like VPNs offered for $100K or more each on dark web forums, a powerful incentive for well-resourced cybercriminal gangs looking to increase their profits. With established threat groups taking in eight figures for large, global attack campaigns, it’s plausible that they may be able to comfortably afford the investment, bolstering a thriving underground economy.

Additionally, many of these vulnerabilities arise from simpler, easily exploitable root causes, such as command injection and improper authentication issues. These are often quicker and easier for attackers to exploit compared to more complex vulnerabilities like memory corruption flaws.

For example, vulnerabilities in Barracuda ESG and Fortra GoAnywhere MFT arose from command injection issues. Similarly, improper authentication issues have been central to many attacks on network edge devices.

Why network edge devices are at high risk

In tandem with the growing volume of CVEs and zero-day exploitation, cybercriminals have increasingly exploited network edge devices like routers, firewalls, VPNs, security gateways, and network appliances.

Edge devices present attractive targets due to their critical role in managing data flow and access. Once compromised, attackers can gain a foothold within the network, potentially allowing them to move laterally and escalate their privileges. But while they have always been a popular target, we are now seeing evidence that edge devices are increasingly being targeted en masse, with exploits that affect hundreds of organizations at a time.

Our research found that mass compromise events stemming from the exploitation of network edge devices have almost doubled since the start of 2023, with state-sponsored adversaries and ransomware groups alike racing to weaponize both new and known flaws in these technologies. High-profile ransomware groups like Cl0p, Akira, LockBit, and more have leveraged network edge device vulnerabilities in recent attacks.

Notably, 36% of widely exploited vulnerabilities occurred in network perimeter technologies. Over the last three years, more than 60% of network edge vulnerabilities have also been exploited as zero days, highlighting the value these devices offer threat groups looking to infiltrate networks in order to achieve their objectives.

Incidents involving vulnerabilities in network edge technologies, such as Citrix NetScaler ADC/Gateway and Cisco ASA, have had significant impacts, leading to widespread compromises and service disruptions. For example, the zero-day exploitation of Barracuda Networks' Email Security Gateway (ESG) eventually drove the company to recommend that users completely decommission some physical devices.

Proactive steps to prepare for the threat

The growing prevalence of zero-day exploits is a trend no company can ignore. Fortunately, there are multiple steps organizations can take to improve their resilience against these threats when they appear. The tried-and-true layered security strategy is key to mitigating risk. However, the growing prevalence of zero-day attacks means organizations must implement any missing controls urgently.

Frequent security assessments are important here, as they will enable security teams to build an accurate picture of what systems are most at risk. While it is not always possible to predict when a new exploit will appear, a solid understanding of the network will allow teams to understand the risks and best course of action for response.

Alongside this, regular patching and robust vulnerability management are essential. Closing off new exploit paths as soon as fixes are available will shrink the opportunity for a potential attack. Addressing other known vulnerabilities in the system will also mean fewer options are available for attackers. Patching activity should also prioritize high-value systems like network edge devices and file transfer solutions, which are prime targets for exploitation.

Finally, organizations must also be ready to act quickly when an attack does occur. Security teams can still be equipped to rapidly respond to a new attack, even if the individual exploit is initially unknown. Advanced threat detection tools, along with robust logging and monitoring capabilities, are critical for detecting indicators of compromise and attacker follow-on behavior.

The importance of MFA

Along with other proactive measures, multi-factor authentication (MFA) plays a crucial role in securing networks by adding an extra layer of protection beyond passwords. While zero-day attacks will incorporate novel exploits, many threat actors still rely on standard methods like stolen or reused credentials to execute their attacks.

Implementing MFA can contribute to security defences by reducing the risk of unauthorised access, as attackers need more than just a stolen password to breach systems. For internet-facing systems, properly implemented and enforced MFA ensures that even if credentials are compromised, additional authentication steps may be able to prevent immediate access to critical systems.

It is not only important to have MFA implemented throughout the organization; that implementation must also be properly enforced. Sadly, 41% of incidents Rapid7 services teams responded to in 2023 were due to missing or unenforced MFA on internet-facing systems, especially on VPNs and virtual desktop infrastructure. For example, an organization may have MFA in place, but sometimes a large group of employees is placed in an MFA bypass group for convenience. So, while on paper the whole company is protected by MFA, in practice the policy is unlikely to be effective.
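The "on paper versus in practice" gap described above can be measured directly from directory data. The following is an added example, not Rapid7's code or tooling: it takes a constructed user directory, a set of MFA bypass groups and an assumed list of internet-facing services (VPN and VDI) and reports nominal versus effective MFA coverage, flagging bypassed users who can reach exposed systems.

```python
"""Audit the gap between nominal and effective MFA coverage.

Constructed example: the policy says MFA is required for everyone, but
an "mfa-bypass" group exempts users, so effective coverage is lower than
the policy claims. Group names, service labels and users are made up.
"""
from dataclasses import dataclass, field

# Assumption: these are the internet-facing services whose access
# must always be challenged with MFA.
INTERNET_FACING = {"vpn", "vdi"}


@dataclass
class User:
    name: str
    groups: set[str] = field(default_factory=set)
    services: set[str] = field(default_factory=set)  # services the user can reach


def effective_mfa(users, bypass_groups):
    """Return (nominal_covered, effective_covered, exposed_bypassed_users).

    nominal:  users the policy claims to protect (everyone).
    effective: users actually challenged, i.e. not in any bypass group.
    exposed:  bypassed users who can reach an internet-facing service.
    """
    nominal = list(users)
    effective = [u for u in nominal if not (u.groups & bypass_groups)]
    exposed = [u for u in nominal
               if (u.groups & bypass_groups) and (u.services & INTERNET_FACING)]
    return len(nominal), len(effective), sorted(u.name for u in exposed)


def audit(users, bypass_groups, max_bypass_ratio=0.05):
    """Produce findings when bypass groups undermine enforcement."""
    nominal, effective, exposed = effective_mfa(users, bypass_groups)
    findings = []
    if nominal and (nominal - effective) / nominal > max_bypass_ratio:
        findings.append(f"bypass covers {nominal - effective}/{nominal} users")
    findings.extend(f"{name}: no MFA on internet-facing access" for name in exposed)
    return findings


# Constructed sample directory: three of five users sit in the bypass group.
SAMPLE_USERS = [
    User("alice", {"staff"}, {"vpn"}),
    User("bob", {"staff", "mfa-bypass"}, {"vpn"}),
    User("carol", {"staff", "mfa-bypass"}, {"vdi"}),
    User("dave", {"staff", "mfa-bypass"}, {"intranet"}),
    User("erin", {"admins"}, {"vpn", "vdi"}),
]
SAMPLE_BYPASS = {"mfa-bypass"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, SAMPLE_BYPASS):
        print(finding)
```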

Remaining resilient in the zero-day surge

Zero-day vulnerabilities pose an escalating threat, and organizations must urgently adopt layered security measures to defend against these attacks. There is no time to waste.

While there are multiple routes to improving resilience against zero days, making security changes can often be a painfully slow process, especially when it comes to organization-wide policies like MFA.

Further, attempting to do everything at once can often lead to limited impact — if everything is a priority, then nothing is. Security decision makers must be sure of their priorities, focusing on the issues that will have the biggest impact on resilience.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
