Man
The statistics of 0Day attacks hide a real digital pandemic.
Google Mandiant analysts warn of a new trend: attackers are increasingly discovering and exploiting zero-day vulnerabilities in software. The researchers studied 138 vulnerabilities identified in 2023 that were actively used in real attacks. Most of them (97) were exploited as zero-days, that is, before a fix was released. The remaining 41 bugs were exploited after a fix was available and are classified as n-days. In 2023 the gap between zero-day and n-day exploitation widened markedly, underlining the growing prevalence of 0Day attacks.
The average time-to-exploit (TTE) in 2023 fell to five days, the lowest figure for the entire observation period. For comparison, in 2018 the first attack followed disclosure by an average of 63 days, and in 2021-2022 the figure dropped to 32 days. The rapid fall in TTE means attackers have time to exploit vulnerabilities before companies apply the corresponding updates.
Analysts also pointed to difficulties in collecting the data. The dates of first exploitation are not always disclosed, or are reported only approximately (for example, as "second quarter of 2023"), which makes the real timing hard to assess. Mandiant stresses that the true time-to-exploit may therefore be shorter than the figures presented.
Whereas in 2021-2022 the ratio of zero-days to n-days held steady at 62% to 38%, in 2023 zero-days already accounted for 70%. This shift reflects not only a rise in the number of zero-days but also better means of detecting them. Mandiant expects the trend to hold, although its forecasts remain cautious for now.
In 2023, more than half of the n-day vulnerabilities were attacked within the first month after the patch was released: 15% of the bugs were exploited on the very first day, and 56% within a month. Notably, almost all n-day vulnerabilities (95%) were exploited within 6 months of the patch date, which indicates that attacks on unpatched systems are accelerating.
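To make the metrics above concrete, here is an added Python example (not code from the post or from Mandiant) that computes time-to-exploit from a fix date and a first-exploitation date, classifies each record as zero-day or n-day, and aggregates the same shares the post quotes. The records are constructed sample data with placeholder identifiers, not real vulnerabilities, and the same-day rule (exploitation on the day the fix ships counts as an n-day with TTE 0) is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

@dataclass(frozen=True)
class ExploitedVuln:
    """One exploited vulnerability: when the vendor fix shipped and when
    in-the-wild exploitation was first observed. All values are constructed."""
    ident: str
    patch_date: Optional[date]   # None: no fix existed when exploitation started
    first_exploit: date

def time_to_exploit(v: ExploitedVuln) -> Optional[int]:
    """TTE in days as used in the post: first observed exploitation minus fix
    release. Negative means the bug was exploited before a fix existed."""
    if v.patch_date is None:
        return None
    return (v.first_exploit - v.patch_date).days

def classify(v: ExploitedVuln) -> str:
    """zero-day: exploited before any fix was available; n-day: exploited on or
    after the day the fix shipped (assumption: same-day exploitation is an n-day)."""
    tte = time_to_exploit(v)
    return "zero-day" if tte is None or tte < 0 else "n-day"

def summarize(vulns):
    """Zero-day share, TTE average/median and n-day exploitation windows."""
    zero_days = [v for v in vulns if classify(v) == "zero-day"]
    n_days = [v for v in vulns if classify(v) == "n-day"]
    n_day_ttes = [time_to_exploit(v) for v in n_days]
    all_ttes = [t for t in (time_to_exploit(v) for v in vulns) if t is not None]

    def share(pred):
        if not n_day_ttes:
            return 0.0
        return round(sum(1 for t in n_day_ttes if pred(t)) / len(n_day_ttes), 2)

    return {
        "total": len(vulns),
        "zero_day": len(zero_days),
        "n_day": len(n_days),
        "zero_day_share": round(len(zero_days) / len(vulns), 2),
        # The average mixes negative zero-day values with positive n-day ones,
        # so a few slow n-days can mask a majority of pre-patch exploitation.
        "mean_tte_days": round(mean(all_ttes), 1),
        "median_tte_days": median(all_ttes),
        "n_day_within_1_day": share(lambda t: t <= 1),
        "n_day_within_30_days": share(lambda t: t <= 30),
        "n_day_within_180_days": share(lambda t: t <= 180),
    }

def exposure_bucket(patch_date: date, today: date) -> str:
    """Which of the post's n-day windows an unapplied fix currently sits in,
    useful for ordering patch work by how quickly n-days were exploited."""
    days = (today - patch_date).days
    if days < 0:
        return "fix not yet released"
    if days <= 1:
        return "first-day window"
    if days <= 30:
        return "first-month window"
    if days <= 180:
        return "six-month window"
    return "long tail"

# Constructed sample: 7 zero-days and 3 n-days, roughly the post's 70/30 split.
SAMPLE = [
    ExploitedVuln("PLACEHOLDER-0001", date(2023, 2, 10), date(2023, 1, 25)),
    ExploitedVuln("PLACEHOLDER-0002", date(2023, 3, 1), date(2023, 2, 27)),
    ExploitedVuln("PLACEHOLDER-0003", None, date(2023, 4, 12)),
    ExploitedVuln("PLACEHOLDER-0004", date(2023, 5, 20), date(2023, 5, 1)),
    ExploitedVuln("PLACEHOLDER-0005", date(2023, 6, 15), date(2023, 6, 14)),
    ExploitedVuln("PLACEHOLDER-0006", date(2023, 7, 30), date(2023, 7, 20)),
    ExploitedVuln("PLACEHOLDER-0007", date(2023, 9, 5), date(2023, 8, 30)),
    ExploitedVuln("PLACEHOLDER-0008", date(2023, 3, 10), date(2023, 3, 10)),
    ExploitedVuln("PLACEHOLDER-0009", date(2023, 4, 1), date(2023, 4, 21)),
    ExploitedVuln("PLACEHOLDER-0010", date(2023, 5, 5), date(2023, 9, 20)),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
    print(exposure_bucket(date(2023, 5, 5), date(2023, 5, 20)))
```

Note how the median TTE of the sample is negative while the mean is positive: one n-day exploited 138 days after its fix outweighs seven pre-patch exploits in the average, which is why the post's five-day average figure understates how often exploitation precedes the fix.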
Examples of successful attacks
The CVE-2023-28121 vulnerability (CVSS score: 9.8) in the WooCommerce Payments WordPress plugin illustrates how mass exploitation can begin months after a bug is disclosed. The first exploitation was recorded only after a convenient attack tool was released, which let attackers carry out millions of attacks per day.
In contrast, the CVE-2023-27997 vulnerability (CVSS score: 9.8) in FortiOS drew widespread interest immediately after its discovery, yet its exploitation began only a few months later. The complexity of the attack and the product's additional security measures made exploitation of the flaw slower to appear and more limited in scope.
Mandiant also notes that the number of affected vendors is growing. In 2023, the list of vendors with exploited vulnerabilities grew by 17% compared to 2021. Microsoft, Apple, and Google are still among the most frequently attacked companies, but their combined share has dropped to less than 40%. Lesser-known vendors are increasingly being targeted, broadening the range of targets and making defense harder.
Mandiant stresses that despite the rise in zero-day attacks, n-day vulnerabilities remain relevant. Time-to-exploit is expected to fall further, forcing companies to improve detection and apply fixes faster. The growing complexity of infrastructure also calls for stronger access control and segmentation to limit the damage from successful attacks.
Source