#mWISE: Why Zero Day is set for the highest year on record


Will the “zero-day hot summer” we experienced in 2023 become the new normal?

With 62 zero day vulnerabilities exploited since January, 2023 is on track to reach or exceed a pandemic record of 88 zero day vulnerabilities exploited in 2021.

According to Sandra Joyce, head of global intelligence at Mandiant, the adversaries responsible for the highest number of zero-day exploits this year are Chinese advanced persistent threat (APT) groups.

“Some of them have reached a level of sophistication that allows them to exploit a zero-day vulnerability in a matter of hours without being detected – and sometimes it takes us, the defenders, a long time to figure out how they did it ” she said. at Google Cloud’s Mandiant mWISE conference, held in Washington, DC September 18-20, 2023.

Zero-Days helps Chinese APTs reach a wider range of victims

His colleague Ben Reed, head of cyberespionage analysis at Mandiant, added that Chinese state-sponsored threat actors have dominated the zero-day scene since at least the COVID period.

“Chinese hackers have been the primary state-sponsored threat actors in terms of their use of zero days over the past three years,” he said.

According to Joyce, this is the result of a recent reorganization of the People’s Liberation Army (PLA) and China’s Ministry of State Security (MSS), meaning that “China has placed greater emphasis on the use of cyber as an asymmetric capability”.

In practice, Joyce explained that this new focus means that Chinese APTs now primarily focus on multi-pronged malicious campaigns, each targeting a wide range of victims, sometimes with different objectives. Detecting zero-day vulnerabilities and quickly exploiting them before patches are released and deployed allows them to reach more victims than a simple malware infection.

“Zero days cost a lot of money, but the payoff is so big that it’s worth it for ransomware groups.”John Hultquist, chief analyst, Mandiant Intelligence

“Take UNC4841, a Chinese threat group responsible for targeting Barracuda email security gateway (ESG) appliances, which compromised hundreds of organizations around the world,” Joyce said during his mWISE keynote speech.

“During this eight-month campaign, UNC4841 examined 26 sector activity groups. A third of the targeted victims were traditional cyberespionage targets (in government, aerospace, defense, etc.) and a fifth were selected to propagate the compromise themselves, such as IT and technology companies. Finally, some victims also came from discrete and strategic areas of interest such as chipmaking, manufacturing, and finance.

Additionally, Chinese APT groups are no longer the only state-sponsored threat actors taking advantage of zero-day.

Russian APTs frequently used zero-day exploits in 2022 to deploy wiper attacks and, more recently, at least one North Korean threat group has also actively exploited a zero-day vulnerability in a campaign targeting security researchers, according to a September 2023 Google Threat Analysis Group (TAG) report.

Zero-Day Exploits Responsible for Rise in Ransomware

However, the second group that will most actively exploit zero-day in 2023 is not Russian or North Korean APTs, but cybercriminals.

Moderating an mWISE panel on zero days, CNN cybersecurity reporter Sean Lyngaas commented: “The days when only people working in intelligence or espionage had to worry about zero days are gone. »

Jacqueline Burns Koven, head of cyber threat intelligence at Chainalysis, agrees, saying ransomware groups have also recently joined the zero-day gold rush.

“We are certainly seeing an increase in the use of zero-days by ransomware actors. This year, ransomware payments reached nearly $500 million, a 50% year-over-year increase, largely due to the deployment of zero-day ransomware attacks,” he said. she declared.

"Adversaries try to take advantage as quickly as possible when they have access to a zero-day exploit - this is why it is very important to update patches quickly." said Sandra Joyce, head of global intelligence at Mandiant, during mWISE.
“Adversaries try to take advantage as quickly as possible when they have access to a zero-day exploit – which is why it is very important to apply patches quickly,” said Sandra Joyce, head of global intelligence at Mandiant, during mWISE.

The reasons can be varied: from ransomware groups trying to find other ways to compromise their victims, whose willingness to pay the ransom decreases, to obtaining additional funds allowing them to purchase zero days.

According to John Hultquist, chief analyst at Mandiant Intelligence, the main reason is simpler than that: “Many ransomware groups have realized that the best way to scale their operations is to exploit a zero-day vulnerability in a product.” which is located on the periphery of the market. network and that many different organizations use – just like what FIN11 did with the MOVEit Supply Chain Attack (While other security vendors attribute MOVEit to Clop, Mandiant claimed it was FIN11, which they follow as a Clop affiliate).

Listen: Inside the MOVEit Attack: Decrypting Clop’s TTPs and Holding Cybersecurity Practitioners Accountable

“Yes, Zero Days cost a lot of money, but the payoff is so big – tens of millions of dollars – that it’s worth it for them,” he said. Information security.

With almost all threat actors now increasingly exploiting Zero Day, it is very likely that the “hot summer of Zero Day” will continue into the fall and winter.

However, it’s not all doom and gloom for the cybersecurity community, Maddie Stone, security researcher at Google TAG, said at mWISE.

“Adversaries need to exploit zero-day vulnerabilities because we have improved our cybersecurity measures, which means other intrusion techniques are no longer as effective as they used to be,” she said.

“Now is the time to improve those easy-to-find measures that have been neglected for too long: security patches. »

Learn more about mWISE: China’s cyber power is bigger than the rest of the world combined

Leave a comment