Exploitation of zero-day vulnerabilities puts companies in check
Exploitation of zero-day vulnerabilities has grown in recent years and challenges companies’ cybersecurity strategies
70% of the vulnerabilities exploited in 2023 were zero-day, i.e., not previously known. This data provided by Google gives us a glimpse of how the exploitation of zero-day vulnerabilities has become a highly relevant threat to companies and citizens.
Even more so when we consider that malicious actors look for weaknesses in Software-as-a-Service offerings and IoT devices in order to carry out supply chain attacks against the companies and users that employ them: exposure to zero-day exploitation is not limited to companies that develop software or smart devices.
Why is the growing exploitation of zero-day vulnerabilities a major threat to businesses and the public? It is harder to detect the exploitation of vulnerabilities that are not yet known, and therefore harder to prevent cyber-attacks from succeeding. In addition, affected companies must undertake remediation in the shortest possible time to limit the exploitation of zero-day vulnerabilities.
Fortunately, both companies that develop software and those that acquire it from vendors can rely on proactive cybersecurity services to manage zero-day vulnerabilities.
Below, we address the key aspects of zero-day vulnerability exploitation and how to avoid it.
1. Hostile actors have honed their zero-day vulnerability detection capabilities
Why is zero-day vulnerability exploitation on the rise? Some of the most resourceful and knowledgeable malicious actors, such as advanced persistent threat (APT) groups and cybercriminals sponsored by states like Russia, China or North Korea, have focused on finding these vulnerabilities.
As we have pointed out on other occasions, in the field of cybersecurity, there is an ongoing competition between hostile actors and the professionals who must protect companies. Thus, when cybersecurity experts put effective mechanisms to deal with malicious tactics and techniques in place, criminals have no choice but to innovate and devise new TTPs.
In this regard, vulnerability management has become a critical issue for companies because it allows them to have an inventory of assets and known vulnerabilities and to prioritize their remediation according to their level of criticality or the likelihood of their being exploited.
To get around efficient vulnerability management, criminals look for weaknesses and loopholes that have not yet been detected and thus catch their victims by surprise.
In other words, raising a company’s cybersecurity level makes it much more difficult to attack it by exploiting known vulnerabilities in its infrastructure. Therefore, to achieve their objectives, criminals need to find new vulnerabilities for which no remediation is yet available.
Detecting and exploiting zero-day vulnerabilities is a complex task that requires a high level of expertise and experience.
2. The average exploitation time for zero-day vulnerabilities has been reduced
The report by Google also points out that the average time it takes malicious actors to exploit a newly discovered vulnerability has dropped dramatically in recent years. So much so that in as little as five days, it is possible to have a proof-of-concept to exploit a zero-day or newly disclosed vulnerability successfully.
This short period of time represents a major challenge for software vendors and for the business sector as a whole. Why?
- The professionals designing patches to remediate vulnerabilities must work around the clock to prevent successful exploits.
- Proactive detection of vulnerabilities and security incidents becomes more relevant.
- Security strategies must consider the rapid exploitation of zero-day vulnerabilities and opt for measures such as segmenting corporate networks and incorporating multi-layered security controls to limit the impact of attacks.
- It is imperative to update corporate software to implement all security patches continuously.
3. The danger of public proof-of-concepts for exploiting new vulnerabilities
Are only the most experienced and well-resourced cybercriminals able to exploit zero-day vulnerabilities? No. Proofs-of-concept (PoCs) are often made public to provide information about how new vulnerabilities can be exploited for cyberattacks.
For example, a few days ago, the U.S. Cyber Defense Agency (CISA) warned that a vulnerability affecting Microsoft SharePoint, a document-sharing tool used by thousands of companies worldwide, was being actively exploited. The risk of exploitation was high because a proof of concept had been made public.
Moreover, a study published this year claims that malicious actors can use proofs-of-concept to exploit vulnerabilities as little as 22 minutes after they are made public.
4. Third-party components and libraries are a critical target for bad guys
When discussing zero-day vulnerability exploitation, as the Google report indicates, it is important to note that a priority target for malicious actors is third-party components and libraries. Why?
Finding an unknown vulnerability in them opens the door to attack all companies that have used external components and libraries to develop their software and hardware, leading to supply chain attacks.
This means that the number of potential victims of zero-day vulnerability exploitation multiplies.
5. Exploitation of zero-day vulnerabilities in enterprise programs
To this trend, we must add, as we pointed out at the beginning, the exploitation of zero-day vulnerabilities in enterprise software.
For example, at the beginning of October, Rackspace, a hosting company, suffered a security incident caused by the exploitation of a vulnerability in ScienceLogic’s SL1 software. However, the company claimed that the vulnerability was in a third-party utility built into the SL1 package. This is indicative of the complexity of the software supply chain and the difficulty of effectively monitoring all corporate assets.
Be that as it may, the exploited vulnerability in this software, which monitors an organization’s technology infrastructure and assets, allowed malicious actors to access internal Rackspace servers and even private customer data.
This case is not an anomaly. Zero-day vulnerabilities affecting enterprise software are constantly being disclosed. In recent weeks, it was reported that vulnerabilities were being exploited in CSA, Ivanti’s cloud services system, and in FortiManager, a solution that allows companies to manage firewalls or wireless networks centrally, which was affected by a critical vulnerability.
6. The importance of patches in asset protection
Companies that develop software must be able to detect vulnerabilities affecting their programs or third-party components as soon as possible. Why? In this way, they will be able to seek solutions to remedy them and protect themselves and their customers if they market their solutions.
As we have been pointing out, every minute counts when preventing the exploitation of zero-day vulnerabilities.
Companies need to be able to develop patches and release updates to their software before malicious actors find a way to exploit vulnerabilities or even release proofs-of-concept to launch attacks.
Companies that use third-party software must keep track of all the programs they use and deploy security updates as quickly as possible, so that they do not remain exposed to vulnerabilities for which remediation already exists.
Therefore, companies must have security update procedures for systems and applications that define time windows and deadlines, according to the asset’s criticality and vulnerability, for installing security patches and restarting servers.
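The kind of procedure described above can be expressed as a small deadline calculator. The following is an added example written for this article, not code from the original page or from any vendor: it assigns each unpatched finding a remediation window from a matrix of asset criticality and vulnerability severity, shortens the window when exploitation or a public proof-of-concept is already known, and lists overdue items most-overdue first. The SLA windows, hostnames, vulnerability identifiers (placeholders) and reference date are all constructed assumptions.

```python
"""Patch-deadline calculator (example code, constructed data).

Window = SLA_DAYS[(asset criticality, vulnerability severity)] days after
disclosure, capped at EXPLOITED_MAX_DAYS when exploitation is already observed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed SLA matrix in days; tune to your own policy.
SLA_DAYS = {
    ("high", "critical"): 3,   ("high", "high"): 7,    ("high", "medium"): 30,
    ("medium", "critical"): 7, ("medium", "high"): 14, ("medium", "medium"): 45,
    ("low", "critical"): 14,   ("low", "high"): 30,    ("low", "medium"): 90,
}
# Assumed cap: known exploitation or a public PoC never leaves more than this.
EXPLOITED_MAX_DAYS = 2
# Constructed reference date used by the sample report.
TODAY = date(2024, 10, 20)


@dataclass
class Finding:
    asset: str
    criticality: str      # "high" | "medium" | "low"
    vuln_id: str
    severity: str         # "critical" | "high" | "medium"
    disclosed: date
    exploited: bool = False   # active exploitation or public PoC known
    patched: bool = False


def deadline(f: Finding) -> date:
    """Date by which the patch must be installed under the SLA matrix."""
    key = (f.criticality, f.severity)
    if key not in SLA_DAYS:
        raise ValueError(f"no SLA defined for {key}")
    days = SLA_DAYS[key]
    if f.exploited:
        days = min(days, EXPLOITED_MAX_DAYS)
    return f.disclosed + timedelta(days=days)


def overdue(findings, today):
    """(finding, days_overdue) for unpatched items past their deadline, most overdue first."""
    late_items = []
    for f in findings:
        if f.patched:
            continue
        late = (today - deadline(f)).days
        if late > 0:
            late_items.append((f, late))
    late_items.sort(key=lambda item: item[1], reverse=True)
    return late_items


# Constructed sample inventory; vulnerability ids are placeholders.
SAMPLE = [
    Finding("mail-gw-01", "high", "VULN-PLACEHOLDER-1", "critical", date(2024, 10, 1), exploited=True),
    Finding("hr-portal", "medium", "VULN-PLACEHOLDER-2", "high", date(2024, 10, 10)),
    Finding("test-vm-7", "low", "VULN-PLACEHOLDER-3", "medium", date(2024, 9, 1)),
    Finding("erp-db", "high", "VULN-PLACEHOLDER-4", "high", date(2024, 10, 5), patched=True),
    Finding("vpn-edge", "medium", "VULN-PLACEHOLDER-5", "critical", date(2024, 10, 8)),
]

if __name__ == "__main__":
    for f, late in overdue(SAMPLE, TODAY):
        print(f"{f.asset:12} {f.vuln_id:22} due {deadline(f)}  {late} day(s) overdue")
```

With the sample data, the exploited critical finding on the high-criticality mail gateway is capped to a two-day window and comes out 17 days overdue, while the VPN edge is 5 days overdue; the other items are either patched or still inside their window.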
7. From Threat Hunters to the management of emerging vulnerabilities: How to protect against vulnerability exploitation
Given the dangerous scenario we have just outlined… what can companies do to protect themselves against the exploitation of zero-day vulnerabilities? Be proactive by incorporating advanced cybersecurity services such as Threat Hunting and the detection of emerging vulnerabilities.
7.1. Threat Hunting
Proactive Threat Hunting services continuously investigate undetected compromise scenarios, based on the assumption that a cyber-attack could have been carried out without any security event having been generated.
For this purpose, an analysis of the information provided by the EDR/XDR solutions is carried out, and vulnerabilities, attack campaigns and TTPs of the malicious actors are continuously investigated.
In this way, it is possible to detect a malicious operation, such as the exploitation of a zero-day vulnerability, and respond to it immediately to prevent criminals from achieving their goals.
7.2. Detection of emerging vulnerabilities
The emerging vulnerabilities service enables companies to deal with the discovery of zero-day vulnerabilities present in their perimeter assets with security and peace of mind. Why? Cybersecurity professionals are in charge of:
- Inventorying and monitoring all assets, including software contracted from vendors or third-party components.
- Detecting vulnerabilities present in these assets at an early stage.
- Checking whether a newly discovered critical vulnerability is present at the company’s perimeter.
- Notifying companies affected by a new vulnerability.
- Implementing all necessary measures to mitigate a vulnerability and prevent its exploitation.
In this way, it is possible to take measures from the first minute to:
- Reduce the company’s exposure surface.
- Limit the window of opportunity for malicious actors wishing to exploit emerging vulnerabilities.
- Anticipate tactics and techniques associated with criminal groups that might try to exploit zero-day or recently published vulnerabilities.
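Two of the tasks listed in this section, keeping an inventory that includes bundled third-party components and checking whether a newly published vulnerability is present at the perimeter, can be automated in a few lines. The following is an added example for this article, not the service's or any vendor's code: it compares an advisory that names an affected library and version range against an inventory in which products may bundle third-party components (the situation described in the SL1 case above), and lists affected internet-facing assets first. Product names, hostnames, versions and the advisory identifier are constructed placeholders.

```python
"""Advisory-to-inventory matcher (example code, constructed data).

An asset is affected if its own product, or a third-party component bundled
inside it, falls within the advisory's [introduced, fixed) version range.
"""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """'2.10.3' -> (2, 10, 3). Dotted numeric versions only."""
    return tuple(int(part) for part in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison, padding so '2.4' and '2.4.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


@dataclass
class Component:
    name: str
    version: str


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool
    bundled: list = field(default_factory=list)  # third-party components inside the product


@dataclass
class Advisory:
    vuln_id: str
    product: str       # affected product or library name
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


def is_affected(adv: Advisory, name: str, version: str) -> bool:
    return (name == adv.product
            and not version_lt(version, adv.introduced)
            and version_lt(version, adv.fixed))


def find_exposure(inventory, adv):
    """List of (hostname, via, internet_facing); via is 'direct' or the bundled
    component's name. Internet-facing assets come first (stable sort)."""
    hits = []
    for a in inventory:
        if is_affected(adv, a.product, a.version):
            hits.append((a, "direct"))
        for c in a.bundled:
            if is_affected(adv, c.name, c.version):
                hits.append((a, c.name))
    hits.sort(key=lambda h: not h[0].internet_facing)
    return [(a.hostname, via, a.internet_facing) for a, via in hits]


# Constructed inventory: a monitoring product bundles a third-party library.
INVENTORY = [
    Asset("monitor-01", "ExampleMonitor", "12.1.0", True,
          bundled=[Component("examplelib", "2.3.1"), Component("otherlib", "1.0")]),
    Asset("build-03", "ExampleMonitor", "12.3.0", False,
          bundled=[Component("examplelib", "2.4.0")]),        # already on the fixed version
    Asset("api-gw", "ExampleGateway", "4.2", True,
          bundled=[Component("examplelib", "2.2")]),
    Asset("legacy-app", "examplelib", "2.1", False),          # uses the library directly
]
# Constructed advisory with a placeholder identifier.
ADVISORY = Advisory("VULN-PLACEHOLDER", "examplelib", "2.0", "2.4")

if __name__ == "__main__":
    for host, via, facing in find_exposure(INVENTORY, ADVISORY):
        print(f"{host:12} via {via:12} internet-facing={facing}")
```

Note that build-03 is not reported: its bundled copy is exactly the first fixed version, and the padded comparison treats 2.4.0 as equal to 2.4 rather than below it. In practice, vendor version strings are not always purely numeric, so a real inventory would need a stricter parser than the one assumed here.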
In conclusion, the exploitation of zero-day vulnerabilities is on the rise and can cause significant damage to thousands of businesses. Therefore, organizations must improve their ability to detect emerging vulnerabilities affecting their assets and optimize their remediation processes.