Zero-day attacks climb as hackers get more sophisticated
Article by Rapid7 vulnerability research and security response leader Caitlin Condon.
Hackers are moving fast to exploit security vulnerabilities. There was a surge in widespread zero-day attacks last year, with the average time to exploitation down from 42 days in 2020 to just 12 days in 2021.
This ‘Time to Known Exploitation’ (TTKE), the interval between a vulnerability’s public disclosure and its first known in-the-wild exploitation, fell 71% year over year. The drop was driven largely by the heightened volume of zero-day attacks, which by definition contribute a TTKE of zero or less, and many of those zero-days were eventually adopted by ransomware gangs.
With ongoing geopolitical uncertainty and the threat to nations opposing Russia’s war in Ukraine, governments are urging organisations to strengthen their cyber defences against the increased potential for state-sponsored cyber-attacks. This is one more reason why security and risk teams need a clear view of the full range of critical vulnerabilities and threats they face, with particular emphasis on the technologies they know are central to their business operations.
In our 2021 Vulnerability Intelligence Report, we presented a thorough assessment of last year’s attack landscape, with an expert analysis of attack vectors and exploitation trends from what was a truly harrowing year for risk management teams around the world.
Not only were governments and organisations grappling with the COVID-19 pandemic, but security teams faced a rapid rise in attack complexity and scale. Widespread attacks leveraging vulnerabilities in commonly deployed software were endemic, ransomware risk continued to rise, and zero-day exploitation reached what was considered to be an all-time high. The report detailed 50 notable vulnerabilities, of which 43 were exploited in the wild, and it highlighted several non-CVE-based attacks, including significant supply chain security incidents.
Many of 2021’s critical vulnerabilities were exploited quickly and at scale, dwarfing attacks from previous years and giving businesses little time to shore up defences in the face of rapidly rising risk. On any given day, security professionals found themselves needing to prioritise and address viable threats from an overwhelming number of reported vulnerabilities.
Six months into 2022, we continue to see widespread attacks following the same pattern as the widely exploited security flaws of previous years, the number of which rose by 136% in 2021.
With attacker economies of scale such as ransomware and coin-mining operations continuing to mature, widespread attacks are likely to remain the norm. Zero-day exploitation also remains common, putting further pressure on organisations’ security teams.
Last year, 52% of widespread threats began with a zero-day exploit: vulnerabilities that adversaries discovered and weaponised before vendors were able to patch them. A much higher proportion of zero-day attacks now threaten many organisations from the outset rather than being reserved for more targeted operations.
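The TTKE figure quoted above and the zero-day share in this paragraph can be made concrete with a small script. This is an added example, not Rapid7’s code or published methodology: it assumes TTKE is measured in days from public disclosure to first known in-the-wild exploitation, that a vulnerability exploited on or before its disclosure date is a zero-day whose TTKE is clamped to 0, and that the vulnerability records are constructed for illustration (they are not real CVEs).

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability with its public disclosure and first known exploitation dates."""
    name: str
    disclosed: date         # public disclosure / patch availability
    first_exploited: date   # earliest known in-the-wild exploitation

    def is_zero_day(self) -> bool:
        # Assumption: exploited on or before public disclosure counts as a zero-day.
        return self.first_exploited <= self.disclosed

    def ttke_days(self) -> int:
        # Assumption: zero-days contribute 0 days rather than a negative value,
        # so they pull the average down but cannot make it negative.
        return max(0, (self.first_exploited - self.disclosed).days)


def summarise(records: list[VulnRecord]) -> dict:
    """Mean/median TTKE and the share of records that began as zero-days."""
    ttkes = [r.ttke_days() for r in records]
    n_day = [r.ttke_days() for r in records if not r.is_zero_day()]
    return {
        "count": len(records),
        "zero_day_share": sum(r.is_zero_day() for r in records) / len(records),
        "mean_ttke": mean(ttkes),
        "median_ttke": median(ttkes),
        # Mean over n-day vulns only: shows how much the zero-days drag the figure down.
        "mean_ttke_excluding_zero_days": mean(n_day) if n_day else 0,
    }


def pct_decrease(old: float, new: float) -> float:
    """Percentage decrease from old to new (positive when new < old)."""
    return (old - new) / old * 100


# Constructed sample records (not real CVEs); dates chosen for illustration.
VULNS_2020 = [
    VulnRecord("vuln-2020-a", date(2020, 1, 10), date(2020, 3, 20)),   # 70 days
    VulnRecord("vuln-2020-b", date(2020, 4, 1), date(2020, 5, 11)),    # 40 days
    VulnRecord("vuln-2020-c", date(2020, 6, 1), date(2020, 7, 1)),     # 30 days
    VulnRecord("vuln-2020-d", date(2020, 9, 1), date(2020, 9, 29)),    # 28 days
]
VULNS_2021 = [
    VulnRecord("vuln-2021-a", date(2021, 3, 2), date(2021, 1, 3)),     # zero-day
    VulnRecord("vuln-2021-b", date(2021, 7, 13), date(2021, 7, 13)),   # zero-day (same day)
    VulnRecord("vuln-2021-c", date(2021, 12, 10), date(2021, 12, 1)),  # zero-day
    VulnRecord("vuln-2021-d", date(2021, 2, 1), date(2021, 3, 9)),     # 36 days
    VulnRecord("vuln-2021-e", date(2021, 5, 1), date(2021, 5, 25)),    # 24 days
]


if __name__ == "__main__":
    s20, s21 = summarise(VULNS_2020), summarise(VULNS_2021)
    for year, s in (("2020", s20), ("2021", s21)):
        print(year, s)
    print(f"mean TTKE fell {pct_decrease(s20['mean_ttke'], s21['mean_ttke']):.0f}%")
```

With these constructed records the 2020 set has a mean TTKE of 42 days and the 2021 set 12 days, a 71% decrease, yet the 2021 mean over the non-zero-day entries alone is 30 days. That gap is the point of the article’s caveat: a headline TTKE drop says as much about how many zero-days entered the dataset as about how fast attackers move on patched flaws, so report the zero-day share and the median alongside the mean.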
This year we have witnessed several high-profile attacks against common enterprise applications that sit in critical places in organisations’ networks, such as access and network management software. We have also seen a long tail of exploitation from Log4Shell, highlighting our reliance on open-source libraries and shared components, which are often deeply embedded in technology stacks and tough to detect.
Naturally, security teams are paying more attention to these threats, but we urge organisations not to lose sight of vulnerabilities in exposed and critical technologies, particularly those that sit at the edge of networks or govern internal network infrastructure. Flaws in firewalls, VPNs, internet-facing portals, and DevOps systems continue to be targets for both advanced and low-skilled adversaries regardless of any specific geopolitical threat. Such known vulnerabilities are often exposed unwittingly and remain ‘an easy way in’ for bad actors; our intelligence indicates they are attacked regularly, so organisations need to keep paying attention to them.
The first half of 2022 has so far followed expected patterns of exploitation, with few surprises.
But for any team tasked with risk management, whether vulnerability risk management or another discipline, the layering of these different challenges puts pressure on both resources and time.
And whilst the current environment may seem foreboding, there is positive news. First, the security industry is better able to detect and analyse zero-day attacks, which has helped improve commercial security solutions and open-source rule sets. Second, while we would never call the rise of ransomware a positive thing, the universality of the threat has spurred more public-private cooperation and driven new recommendations for preventing and recovering from ransomware attacks.
Furthermore, research-driven context on vulnerabilities and emergent threats is critical to building forward-looking security programs. In line with that, organisations of all sizes can implement battle-tested tactics to minimise easy opportunities for attackers and shore up defences.
As we look ahead, security teams should expect further zero-day attacks and widespread exploitation. Whilst many organisations are a lot better at detecting these attacks, it is important to avoid complacency.
As long as there is an attack surface available to them, attackers will continue to look for opportunities to profit or to gain key access to corporate networks. The probability of an attack on an average business has increased, so organisations as a whole (not just information security teams but executive and board-level stakeholders too) must work together to evolve their approaches to risk management.