Why a rise in zero-day attacks is becoming a matter of concern

As more and more businesses adopt digital practices, prominent attack groups are investing in discovering previously unknown vulnerabilities in the software used by their target organizations, which is fetching them a higher return on investment.
The year 2021 has been a year of zero-day attacks. A zero-day attack refers to a situation in which a previously unknown bug or vulnerability in software is exploited as part of a cyber-attack while no patch is yet available from the vendor to address it.
According to a new report published by Mandiant, 80 zero-days were exploited in the wild in 2021, twice the previous record volume, set in 2019. According to another survey done by MIT Technology Review, 2021 broke the record for zero-day hacking attacks.
“Zero-day attacks have become a severe concern not only for the software vendors and developers but also users and even an entire country. Organisations are getting breached more than ever through their web and API applications,” states Mark Lukie, Systems Engineering Director - Barracuda APAC.
“Zero-day vulnerabilities have now become an easy entry point for threat actors,” says Sandeep Peshkar, Senior Vice President Forensics – Arete. “In the last three months, we had 22 bugs, out of which three bugs were used in major attacks, revealed in multiple software products, including Google Chrome, Microsoft Windows, and Apple macOS.”
According to Himanshu Dubey, Senior Director – Engineering Security Labs, Quick Heal Technologies, cyber attack is fast becoming a service model. “Finding new exploitable vulnerabilities in software is an expensive activity, and hence it is typically limited to well-funded attack groups. In fact, on the Darknet there are groups which focus only on developing exploits for newly discovered vulnerabilities. These exploits are purchased by attack groups, who then use them to attack target organizations or individuals.”
There are also state-sponsored espionage groups that, as Mandiant points out, continue to be the primary actors exploiting zero-day vulnerabilities. But it is usually the financially motivated actors that dominate this space.
More software leads to more software flaws
Zero-day exploitation can happen for multiple reasons, including security misconfiguration, programming errors, insufficient logging and monitoring, or simply human error.
Daniel dos Santos, Head of Research, Forescout Vedere Labs, sees two interconnected trends: growth in the total number of vulnerabilities and growth in the number of zero-days (vulnerabilities found exploited in the wild and not yet patched by the vendors).
“The increasing number of vulnerabilities occur due to the growing size and complexity of the software being used in various connected devices. They occur naturally when developers create software, either because of a lack of knowledge or attention. The more software produced, the higher the chances of increasing vulnerabilities, which is the scenario at present because of many new devices being produced and connected to enterprise networks,” he explains.
He also believes that zero-days are increasing because more people are identifying the vulnerabilities. They are either using them directly in launching attacks or (more commonly) selling them for a big buck to other parties instead of reporting them to vendors. “There are many active exploit markets where attackers trade new vulnerabilities and exploits used in attacks,” Daniel says.
How to prevent a zero-day attack
Zero-day exploits are not always detected at the point of infection, which is what makes them a severe cybersecurity hazard. It therefore becomes essential to identify and fix such anomalies whenever they are detected.
The most traditional way of protecting against such vulnerabilities is patching. But that works only after the zero-day has been disclosed and the vendor has released a patch. Having an effective cybersecurity strategy in place that relies on limiting the impact of vulnerability exploitation, whether of a known vulnerability or a zero-day, can be a viable solution. This includes approaches such as segmenting the network to limit attackers' lateral movement and implementing zero-trust network access.
Yet a more effective cyber risk protection strategy, as pointed out by Mark, is to incorporate adequate cybersecurity awareness training. Since in most attacks employee behaviour is what gets exploited first, educating employees about the perils of cyber threats can be a good starting point.
Sandeep, however, suggests that organizations can consider the following key factors to control the impact of a zero-day:
Monitor the latest bug reports from community sources such as OSINT and Exploit-DB to understand the possible risks.
Evaluate the patch in a test environment before implementing it in the production environment.
Always patch the latest vulnerabilities, and keep an alert monitor on the tool if a patch is unavailable from the developer for the latest zero-day.
Ensure your operating system is up to date and patched regularly, and harden the network controls.