New research from cybersecurity firm Mandiant provides shocking statistics on the exploitation of vulnerabilities by attackers, based on an analysis of 138 different exploited vulnerabilities disclosed in 2023.
conclusion, Published on Google Cloud’s blogshows that vendors are increasingly being targeted by attackers who are steadily reducing the average time to exploit both zero-day and n-day vulnerabilities. However, not all vulnerabilities are of equal value to attackers, as their importance depends on the specific objectives of the attacker.
Exploitation time is decreasing significantly
Contents
Time-to-exploit is a metric that defines the average time it takes to exploit a vulnerability before or after a patch is released. Mandiant’s research indicates:
- From 2018 to 2019, TTE sat for 63 days.
- From 2020 to 2021, it fell to 44 days.
- From 2021 to 2022, the number of TTEs has further reduced to 32 days.
- In 2023, TTE sat for only 5 days.
SEE: How to Build an Effective Cybersecurity Awareness Program (TechRepublic Premium)
zero-day vs n-day
As TTE continues to shrink, attackers are increasingly exploiting both zero-day and N-day vulnerabilities.
A zero-day vulnerability is an exploit that has not been patched, often unknown to the vendor or the public. The N-day vulnerability is a known flaw that is used first when a patch becomes available. It is therefore possible for an attacker to exploit the N-day vulnerability unless it has been patched on the targeted system.
Mandiant highlights a ratio of N-days to zero-days of 30:70 in 2023, while in 2021-2022 the ratio was 38:62. Mandiant researchers Casey Charrier and Robert Weiner report that this change is likely due to an increase in zero-day exploit use and detection rather than a decline in n-day exploit use. It is also possible that threat actors had more successful attempts to exploit zero-days in 2023.
“While we have seen before and are expecting increasing zero-day exploitation over time, 2023 sees an even larger discrepancy between zero-day and N-day exploitation as zero-day exploitation surpasses N.” -The exploitation of the day has increased much more than us. Have seen before,” the researchers wrote.
N-Day vulnerabilities are mostly exploited in the first month after the patch
Mandiant reports that they saw 23 N-day vulnerabilities exploited in the first month after the release of their fixes, yet 5% of them were exploited within a day, 29% within a week, and More than half (56%) were exploited within a week. month. In total, 39 N-day vulnerabilities were exploited during the first six months after the release of their fixes.
More vendors targeted
It appears that attackers are adding more vendors to their target list, which has increased from 25 vendors in 2018 to 56 in 2023. This makes it more challenging for defenders, who try to defend a larger attacking surface each year.
Case studies underline severity of exploitation
Mandiant disclosed the matter CVE-2023-28121 Vulnerability in the WooCommerce Payments plugin for WordPress.
Revealed on March 23, 2023, it received no proof of concept or technical details until more than three months later, when a publication Showed how to use it to create an administrator user without prior authentication. A day later, the Metasploit module was released.
After a few days, one more Weaponized exploitation was issued. The first exploits began a day after the release of the modified weaponized exploit, with the exploit peaking two days later, reaching 1.3 million attacks in a single day. This case highlights “the increased motivation for a threat actor to exploit this vulnerability due to a functional, large-scale, and reliable exploit being made publicly available”, as Carrier and Weiner said. Was.
The case of CVE-2023-27997 is different. The vulnerability, known as XORtigate, affects the Secure Sockets Layer (SSL) / Virtual Private Network (VPN) component of Fortinet FortiOS. The vulnerability was disclosed on June 11, 2023, shortly before Fortinet released its official security advisory a day later.
The day after the disclosure, two blog posts containing PoCs were published, and a non-weaponized exploit was published on GitHub before being removed. While interest seemed obvious, the first exploitation occurred only four months after disclosure.
One of the most likely explanations for the variation in the observed timelines is differences in reliability and ease of exploitation between the two vulnerabilities. The WooCommerce Payments plugin for WordPress is easy to leverage, as it simply requires a specific HTTP header. The second is a heap-based buffer overflow vulnerability, which is much more difficult to exploit. This is especially true on systems that have many standard and non-standard protections, making it difficult to trigger a reliable exploit.
A motivating consideration, as highlighted by Mandiant, also lies in the intended use of the exploit.
“It would be logical to direct more energy toward the development of exploitable, more difficult, yet ‘more valuable’ vulnerabilities if this better aligns with their objectives, while easier-to-exploit and ‘less-valuable’ vulnerabilities remain the focus of more opportunistic adversaries. “It may offer greater value to humans,” the researchers wrote.
Deploying patches is no easy task
More than ever, depending on the risk associated with a vulnerability, it is imperative to deploy patches as quickly as possible to fix vulnerabilities.
“It’s one thing to patch 2-3 systems,” Fred Renal, chief executive of French offensive and defensive security company QuarkSlab, told TechRepublic. Patching 10,000 systems is not the same. It requires organization, people, time management. So even if a patch is available, it usually takes a few days to push the patch.
Renal said some systems take longer to patch. He took the example of mobile phone vulnerability patching: “When there is an improvement in the Android source code, Google has to implement it. Then SoC manufacturers (Qualcomm, MediaTek etc.) have to try it and implement it on their version. Then phone manufacturers (like Samsung, Xiaomi) have to port it to their own version. Then carriers sometimes customize the firmware before manufacturing it, which may not always use the latest versions from the source. So, here, the spread of a patch is… long. It’s not uncommon to find 6-month-old vulnerabilities in phones these days.”
Reynal also emphasizes that availability is an important factor in deploying patches: “Some systems may fail! Consider an oil platform or an energy producer: patching is fine, but what if the patch produces a failure. No more energy. So what’s the worst? An unpatched critical system or a city without energy? An unpatched critical system, it is about a potential threat. Cities without energy, this is about real issues.”
Finally, according to Renal, some systems are not patched at all: “In some areas, patching is prohibited. For example, many companies making health care devices prevent their users from installing patches. If they do, it voids the warranty.”
#Threat #actors #exploiting #vulnerabilities #faster