Credit: Gerd Altmann
Deploying security patches as quickly as possible remains one of the best ways to prevent most security breaches, as attackers usually rely on exploits for publicly known vulnerabilities that have a patch available -- the so-called n-day exploits.
But mitigating the risk from vulnerabilities unknown to the affected software developers and don't have a patch available -- the zero-day flaws -- requires a careful analysis of the types of actors exploiting them, the geography and industries they target, the malware payloads they deploy, the tactics they use, and the type of products they usually target.
According to an analysis by Google-owned threat intelligence and incident response firm Mandiant, attackers exploited 55 zero-day flaws last year, fewer than the 81 observed in 2021 but triple the number tracked in 2020 and higher than in any previous years.
In fact, 2020 was an outlier because security vendors saw their normal workflows disrupted by the COVID pandemic that year, possibly impacting their ability to discover and track zero-day attacks.
"We anticipate that the longer term trendline for zero-day exploitation will continue to rise, with some fluctuation from year to year," the Mandiant researchers said.
"Attackers seek stealth and ease of exploitation, both of which zero-days can provide. While the discovery of zero-day vulnerabilities is a resource-intensive endeavor and successful exploitation is not guaranteed, the total number of vulnerabilities disclosed and exploited has continued to grow, the types of targeted software, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has expanded."
From APTs to ransomware operators
Zero-day exploits have historically been a resource employed primarily by well-funded cyberespionage groups and commercial spyware vendors that sell their so-called surveillance software to government agencies. That's because zero-day exploits are an expensive commodity with a short shelf-life.
Once they're detected in the wild, they're quickly patched. This means to get the most out of them, threat groups use them in very targeted campaigns against a small number of high value targets.
Developing exploits that work reliably across different versions of a product and different configurations is not an easy task.
Doing so for a vulnerability that wasn't previously known is even a bigger challenge and requires access to skilled bug hunters and exploit writers. Since not everyone can afford to do this in house, such exploits can fetch hundreds of thousands or even millions of dollars on the black market, putting them out of reach for the average cybercriminals.
Out of the 55 zero-day exploits observed in 2022, Mandiant managed to reliably determine motivation and attribution for 16 of them.
It's no surprise that 80% of those (13 flaws) were used in cyberespionage attacks, but the surprise is that a quarter were used in financially motivated attacks, mainly to deploy ransomware. This highlights a trend of cybercriminals also leveraging zero-day exploits, especially for operations with a high return on investment. One flaw was leveraged in both cyberespionage and financially motivated attacks, so there was some overlap.
Out of the 13 flaws used for cyberespionage, seven were used by Chinese threat actors, two by Russian groups, and two by North Korean hackers.
Follina, a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that was exploited through Word documents, was employed by both Chinese and Russian threat actors. Three flaws were used in attacks where the motivation was cyberespionage, but the geography of the attackers was not determined.
"Three campaigns in 2022 were particularly notable due to the involvement of multiple groups, expansive targeting, and focus on enterprise networking and security devices: multiple groups exploiting CVE-2022-30190 (aka Follina) in early 2022, and the 2022 exploitation of FortiOS vulnerabilities CVE-2022-42475 and CVE-2022-41328," the Mandiant researchers said.
Chinese actors interested in network security appliances
By looking at the Chinese zero-day exploit activity, Mandiant observed a pattern of exploiting internet-facing devices, especially those used for managed security purposes such as firewall, VPN, and IPS/IDS appliances. In October, a Chinese state-sponsored threat actor exploited CVE-2022-42475, a vulnerability in Fortinet's FortiOS SSL-VPN service.
Not only did the attackers exploit a vulnerability in this appliance, but they deployed an implant specifically crafted for it, showing in-depth knowledge of undocumented and proprietary formats and systems used inside the OS.
This suggests a significant research effort was put toward understanding the devices. This interest is further supported by the attacks in mid-2022 by another Chinese cyberespionage tracked as UNC3886 that targeted a zero-day vulnerability in FortiOS (CVE-2022-41328) to write files to FortiGate firewall disks.
Another observation is that Chinese cyberespionage actors share exploits, something that security researchers have noted for a long time but is continuously confirmed. For example, exploitation of the Follina vulnerability before it was patched was observed by three separate Chinese groups targeting organisations in three distinct regions of the world.
"Mandiant noted previous waves of the progressive adoption of the same exploit among Chinese espionage groups prior to the release of a public patch (e.g., the widespread "ProxyLogon" campaign in early 2021), which potentially indicates the existence of a shared development and logistics infrastructure and possibly a centralised coordinating entity," the Mandian researchers said.
"Mandiant research dating back to 2013 has likewise suggested a logistical support function or quartermaster supporting Chinese cyber espionage groups."
Decreased zero-day activity from Russia and North Korea
Russian threat actors have always demonstrated their ability to find and exploit zero-day vulnerabilities, but Mandiant believes last year they were probably more careful with their employment of such valuable commodities given the increased monitoring of Russian activity in cyberspace due to the war in Ukraine.
APT28, also known as Fancy Bear, a group that's believed to be part of GRU, Russia's military intelligence agency, exploited the Follina vulnerability before it was patched, but this might have been opportunistic, taking advantage of the gap between when the flaw was publicly revealed and when it was patched by Microsoft.
However, the same group did employ a different zero-day exploit for a critical vulnerability (CVE-2023-23397) in Microsoft Outlook that Microsoft finally patched this month. This exploitation activity flew under the radar for a long time, between April and December 2022, and targeted organisations from the government, military, and energy sectors.
In early 2022, North Korean government-backed threat actors exploited a zero-day vulnerability in Google Chrome (CVE-2022-0609) to target US organisations from the media, high-tech and financial sectors. Google tracked this activity as Operation Dream Job and Operation AppleJeus.
In November, another North Korean threat group, likely APT37, exploited a zero-day vulnerability in Windows Server (CVE-2022-41128) in attacks against organisations from the high-tech sector in South Korea.
Commercial spyware vendors continue their exploit activities
Candiru, an Israel-based spyware vendor, had its commercial cyberespionage software deployed using a zero-day vulnerability in Google Chrome (CVE-2022-2294) in 2022. Based on reports, the exploit was launched from a compromised website used by employees of a news agency in the Middle East.
Separately, two European spyware vendors, Variston and DSIRF, had their software deployed using two zero-days: one in Mozilla Firefox (CVE-2022-26485) and one in Microsoft Windows Server (CVE-2022-22047). The later was used in cyberespionage attacks against law firms, banks and strategic consultancies in Austria, the United Kingdom and Panama.
Zero-day use by ransomware and financially motivated attackers decrease
Mandiant attributed four zero-day exploits to financially motivated groups last year, which is lower than in 2021. And while 2021 was the year with the highest number of zero-day exploits recorded in general, which might skew the statistics, there were events in 2022 that could explain a decrease in zero-day use by cybercriminals.
"Some of the most prolific ransomware groups that exploited zero-days in previous years had operators based in Russia or Ukraine, and Russia’s invasion of Ukraine in February 2022 may have disrupted this criminal ecosystem and contributed to a decline in zero-day use," the Mandiant researchers said. "The overall decline in ransomware payments in 2022 may have also reduced the capacity of operators to acquire or develop zero-days."
That said, the threat actor tracked as UNC2633 that distributes the Qakbot malware did not miss the opportunity to jump on the Follina train and exploit that publicly disclosed vulnerability before Microsoft had a chance to patch it. UNC2633 typically distributes its malware through emails with malicious attachments or links that lead to malware payloads.
As far as ransomware operations go, the group behind the Lorenz ransomware exploited a zero-day vulnerability in Mitel's MiVoice Connect VOIP appliance (CVE-2022-29499) while the group behind the Magniber ransomware exploited two zero-day vulnerabilities in the Mark of the Web (MoTW) feature in Microsoft Windows 11 (CVE-2022-41091 and CVE-2022-44698). Since then, the group exploited a third MoTW vulnerability to impact the ability of Windows SmartScreen to detect malicious files downloaded from the internet (CVE-2023-24880).
IT management products are a new target
The majority of the zero-day flaws seen last year impacted operating systems and browsers, which is not a surprise as these are traditional targets for attackers. Microsoft was the most impacted vendor with 18 vulnerabilities, 15 of which were in Windows.
Chrome came in second with ten vulnerabilities, nine of which were in Chrome and one in Android. Apple sits in third place with nine vulnerabilities, four of which were in macOS and five in iOS. Mozilla Firefox had two vulnerabilities as well.
The surprise are the ten zero-day vulnerabilities exploited by attackers in a variety of IT, security and network management devices and software products.
Impacted vendors include Fortinet, Sophos, Trend Micro, Zimbra, Adobe, Atlassian, Cisco, Mitel, SolarWinds, Zoho, QNAP, and Citrix. Many of these devices or products sit at the network's edge, which makes them an easy target for attackers. Furthermore, they are often not covered by any malware detection solution and don't offer an easy way for administrators to monitor their running processes.
By compromising such devices, attackers often gain a stealthy foothold inside a network from which they can perform lateral movement activities to compromise additional systems and from where they can easily tunnel data and commands in and out of networks.
Between 2021 and 2022, almost one in three zero-day exploits targeted vulnerabilities in products from vendors other than Microsoft, Apple, and Google. This means organisations need to make sure they have detection and monitoring capabilities in place for all products and devices in their technology stacks, including those that haven't traditionally been targeted.
"As the vendors and products targeted by zero-days continue to diversify, organisations must efficiently and effectively prioritise patching to their specific circumstances to sufficiently mitigate risk," the Mandiant researchers said.
"In addition to risk ratings, we suggest that organisations should analyse the following: types of actors targeting their specific geography or industry, common malware, frequent tactics, techniques, and procedures of malicious actors, and products used by an organisation that provide the largest attack surfaces, all of which can inform resource allocation to mitigate risk."
