Businesses must act now to address the zero-day spike
Cyberattacks that exploit zero-day vulnerabilities have historically been a worst-case scenario: a surprise attack that can’t be predicted. But while zero-days used to be relatively rare, they are now becoming more common.
In two of the last three years, more mass compromise events analyzed by Rapid7 came from zero-day vulnerabilities than from new n-day exploits. And in the past year, major incidents involving vulnerabilities in Progress MOVEit Transfer, Barracuda ESG, Ivanti Connect Secure, and Fortra GoAnywhere MFT have underscored this trend.
As the scale of zero-day attacks increases, organizations must quickly familiarize themselves with the biggest threats and ensure they are taking proactive steps to mitigate risk.
Director of Vulnerability Intelligence at Rapid7.
Trends Behind the Rise of Zero-Day Exploits
Zero-day attacks can have serious consequences, including system compromise, network outages, and significant financial losses. However, the expertise and resources required have previously limited their use.
Discovering a new exploit requires research time and technical skills, which allows cybercriminals to be better equipped to discover the vulnerability or purchase exclusive exploits through dark web intermediaries.
But now we are seeing a clear shift toward zero days in widespread attacks — incidents where previously unknown vulnerabilities are exploited by a single skilled adversary who targets a large vulnerable population with an orchestrated, timed attack.
Our research shows that in 2023, more than half (53%) of new widespread vulnerabilities in threat actors were exploited as zero-days. This is an increase from the previous year and a return to the high levels of zero-day exploitation we saw in 2021.
Several factors are contributing to this increase. Because zero days allow threat actors to launch hugely profitable attacks, some threat groups are willing to pay huge sums of money to get their hands on new discoveries.
Rapid7 researchers have seen exploits for common business tools like VPNs being offered for $100,000 or more apiece on dark web forums, a powerful incentive for well-funded cybercriminal gangs looking to increase their profits. With established threat groups raking in eight figures for large, global attack campaigns, it’s likely they can easily afford the investment, fueling a thriving underground economy.
Furthermore, many of these vulnerabilities arise from simpler, more exploitable root causes, such as command injection and improper authentication issues. These are often faster and easier for attackers to exploit compared to more complex vulnerabilities such as memory corruption errors.
For example, vulnerabilities in Barracuda ESG and Fortra GoAnywhere MFT arose from command injection issues. Similarly, improper authentication issues have been central to many attacks on network edge devices.
Why Network Edge Devices Are at High Risk
As the number of CVEs and zero-day exploits increase, cybercriminals are increasingly abusing network devices such as routers, firewalls, VPNs, security gateways, and network appliances.
Edge devices are attractive targets because of their critical role in managing data flows and access. Once compromised, attackers can gain a foothold in the network, potentially allowing them to move laterally and escalate their privileges. But while they have always been a popular target, we are now seeing evidence that edge devices are increasingly being attacked en masse, with exploits affecting hundreds of organizations simultaneously.
Our research has found that mass compromise events resulting from the exploitation of network edge devices have nearly doubled since early 2023, with state-sponsored adversaries and ransomware groups rushing to weaponize both new and known flaws in these technologies. High-profile ransomware groups such as Cl0p, Akira, LockBit, and more have exploited vulnerabilities in network edge devices in recent attacks.
Notably, 36% of the widely exploited vulnerabilities were in network perimeter technologies. Over the past three years, more than 60% of network edge vulnerabilities have also been exploited as zero days, highlighting the value these devices provide to threat groups looking to infiltrate networks to achieve their objectives.
Incidents involving vulnerabilities in network edge technologies, such as Citrix NetScaler ADC/Gateway and Cisco ASA, have had significant impact, resulting in widespread compromises and service disruptions. For example, the zero-day exploitation of Barracuda Networks’s Email Security Gateway (ESG) ultimately prompted the company to recommend that users decommission certain physical devices entirely.
Proactive steps to prepare for the threat
The increasing prevalence of zero-day exploits is a trend that no business can afford to ignore. Fortunately, there are several steps organizations can take to improve their resilience to these threats when they do occur. The proven layered security strategy is key to mitigating risk. However, the increasing prevalence of zero-day attacks means that organizations urgently need to implement all the missing controls.
Regular security assessments are important here, as they allow security teams to build an accurate picture of which systems are most at risk. While it’s not always possible to predict when a new exploit will appear, a solid understanding of the network will allow teams to understand the risks and the best course of action for response.
Additionally, regular patching and robust vulnerability management are essential. Closing new exploit paths as soon as fixes are available reduces the likelihood of a potential attack. Addressing other known vulnerabilities in the system also means fewer options are available to attackers. Patching efforts should also prioritize high-value systems, such as network edge devices and file transfer solutions, which are prime targets for exploitation.
Finally, organizations must also be prepared to act quickly when an attack occurs. Security teams can still be equipped to respond quickly to a new attack, even if the individual exploit is initially unknown. Advanced threat detection tools, along with robust logging and monitoring capabilities, are critical to detecting indicators of compromise and subsequent attacker behavior.
The importance of MFA
Along with other proactive measures, multi-factor authentication (MFA) plays a critical role in securing networks by adding an extra layer of protection beyond passwords. While zero-day attacks will include new exploits, many threat actors still rely on standard methods such as stolen or reused credentials to execute their attacks.
Implementing MFA can contribute to security defenses by reducing the risk of unauthorized access, as attackers need more than just a stolen password to breach systems. For web-facing systems, properly implemented and enforced MFA ensures that even if credentials are compromised, additional authentication steps can prevent immediate access to critical systems.
Not only is it important to implement MFA across the organization, that implementation must also be properly enforced. Unfortunately, 41% of incidents responded to by Rapid7 service teams in 2023 were due to missing or unenforced MFA on internet-facing systems, specifically VPNs and virtual desktop infrastructure. For example, an organization may have MFA in place, but sometimes a large group of employees are conveniently placed in an MFA bypass group. So while on paper the entire company is protected by MFA, in practice the policy is likely ineffective.
Staying resilient in the zero-day peak
Zero-day vulnerabilities are a growing threat and organizations urgently need to implement layered security measures to defend against the attack. There is no time to lose.
While there are several ways to improve resilience against zero days, implementing security changes can often be a painfully slow process, especially when it comes to organization-wide policies like MFA.
Furthermore, trying to do everything at once can often lead to limited impact — if everything is a priority, then nothing is. Safety decision makers need to be sure of their priorities and focus on the issues that will have the greatest impact on resilience.
We have highlighted the best online cybersecurity course for you.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc. If you’re interested in contributing, you can read more here:
