“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
In early April, FireEye Mandiant Threat Intelligence published the results of a four-year study of zero-day exploits which revealed a significant increase in 2019 versus the previous three years. Traditionally, the uncovering and development of exploitation techniques that underpin zero-day vulnerabilities is the domain of the most technically savvy cybercriminal groups. This spike in usage suggests that a wider range of threat actors are simply buying zero-day exploits rather than build them.
In 2017, Rand researchers determined that zero-day exploits have a life expectancy of 6.9 years. This suggests these are used over and over. The Rand study also concluded that for any given stockpile of zero-days, only 5.7% are discovered after a year. This generates a significant return-on-investment with wide applicability.
In January 2019, Lookout researchers discovered that an unidentified nation-state set up an infrastructure to deploy and perform trial-runs for various forms of spyware, including an experiment on a WhatsApp-targeting malware. The researchers were able to piece together a profile of the nation-state’s surveillance program. It turns out, this unidentified nation-state made contact with several surveillance software development companies. The Lookout team detailed a FinFisher offer for a zero-click iOS compromise that allowed device root access, an NSO Group-advertised Android exploit using an Adobe Flash zero-day, and a variety of Arity Business Inc. exploits. These were available at various price-points ($50K-$90K USD).
Besides the sale of zero-days by private companies, Chris Morales, head of security analytics at Vectra, believes the advancement of development tools could also be fueling expanded zero-day use. Fuzzing, is an automated software testing technique used to provide invalid/unexpected or random data as inputs to a program, that is subsequently monitored for vulnerable outcomes. Fuzzing has improved with the incorporation of machine learning. Chris Morales believes that may also be lowering the barriers to zero-day discovery.
In short, we are seeing the expanded use of zero-days, amongst a wider range of threat actors and it is likely to be a continuing trend.