Zero-day vulnerabilities in real attacks

Last week, Google's Mandiant division released a report which attempts to analyze the actual exploitation of vulnerabilities in attacks. This is a fairly important metric: not every vulnerability whose details become public, one way or another, can be exploited to cause real damage. Google researchers limited the analysis to vulnerabilities made public in 2023. From these, a set of 138 bugs was identified that were used in real attacks.

The main conclusion of the study is the following: attack organizers have become much more active in exploiting recently discovered vulnerabilities. The average time between the appearance of information about a vulnerability and the start of its exploitation for this set of bugs was only 5 days. In the previous report for 2021 and 2022, this figure was 32 days, and at the beginning of 2021 it was 44 days. Moreover, of the 138 actually exploited software issues, 70% were exploited for the first time before patches were released (in 2021–2022, this figure was 62%).

It is worth noting that these “five days” were obtained by Google/Mandiant as a result of some correction of the data set. 15 vulnerabilities with abnormally long “waiting time” from detection to exploitation were excluded from it. In two cases it exceeded six months. Taking into account these “particularly late” attacks, the average time for bugs to begin exploitation was 47 days. However, other figures in the report also indicate that attackers are more likely to take advantage of more recent vulnerabilities.

Among N-day vulnerabilities (those for which a patch was released before exploitation in attacks began, not after), 5% began to be used in attacks within one day after the vulnerability was made public, and 29% within a week. Separately, the report's authors examined how exploitation is affected by the publication of a public exploit. To do this, they analyzed a set of 41 vulnerabilities for which an exploit was actually made publicly available. In 75% of cases, attacks using these vulnerabilities began after the exploit was published. But in 25% of cases, the attacks were recorded before the exploit was released publicly, that is, the organizers “handled it on their own.”
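The metrics above (time-to-exploit measured from public disclosure, the zero-day versus N-day split based on whether a patch existed at first exploitation, the exclusion of abnormally late cases, and the share of N-days exploited within a day or a week) are simple to reproduce over one's own vulnerability tracking data. The following is an added example, not code from the Mandiant report or from the author of this post; the six vulnerability records, their names and dates, and the 180-day outlier threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional


@dataclass(frozen=True)
class VulnRecord:
    """One publicly known vulnerability with the three dates the metric needs."""
    name: str
    disclosed: date            # first public information about the bug
    patched: Optional[date]    # vendor fix date; None if still unpatched
    first_exploited: date      # first observed in-the-wild exploitation


def time_to_exploit_days(v: VulnRecord) -> int:
    """Days from public disclosure to first observed exploitation.
    Negative when the bug was already exploited before it became public."""
    return (v.first_exploited - v.disclosed).days


def is_zero_day(v: VulnRecord) -> bool:
    """Zero-day in the report's sense: exploited before a patch was available."""
    return v.patched is None or v.first_exploited < v.patched


def _avg(values: list) -> float:
    return sum(values) / len(values) if values else 0.0


def _share(subset: list, cond: Callable[[VulnRecord], bool]) -> float:
    return sum(1 for v in subset if cond(v)) / len(subset) if subset else 0.0


def summarize(records: list, outlier_days: int = 180) -> dict:
    """Compute the report-style statistics for a set of exploited vulnerabilities.

    outlier_days: records whose time-to-exploit exceeds this are dropped from the
    trimmed mean (the report excluded 15 such "particularly late" cases)."""
    tte = {v.name: time_to_exploit_days(v) for v in records}
    kept = [v for v in records if tte[v.name] <= outlier_days]
    excluded = [v.name for v in records if tte[v.name] > outlier_days]
    n_days = [v for v in records if not is_zero_day(v)]
    return {
        "count": len(records),
        "zero_day_share": _share(records, is_zero_day),
        "mean_tte_all": _avg([tte[v.name] for v in records]),
        "mean_tte_trimmed": _avg([tte[v.name] for v in kept]),
        "excluded_as_outliers": excluded,
        # How quickly N-days (patch available first) were picked up by attackers
        "n_day_within_1_day": _share(n_days, lambda v: tte[v.name] <= 1),
        "n_day_within_7_days": _share(n_days, lambda v: tte[v.name] <= 7),
    }


# Constructed sample data (names and dates are hypothetical, not real CVEs).
SAMPLE = [
    # exploited a week before anyone knew: true in-the-wild zero-day, negative TTE
    VulnRecord("sample-A", date(2023, 3, 1), date(2023, 3, 1), date(2023, 2, 24)),
    # disclosed, exploited two days later, patch only came out after that
    VulnRecord("sample-B", date(2023, 3, 10), date(2023, 3, 20), date(2023, 3, 12)),
    # patch and exploitation on the disclosure day itself: N-day, within 1 day
    VulnRecord("sample-C", date(2023, 4, 1), date(2023, 4, 1), date(2023, 4, 1)),
    # N-day exploited within a week
    VulnRecord("sample-D", date(2023, 5, 1), date(2023, 5, 1), date(2023, 5, 5)),
    # N-day exploited after a few weeks
    VulnRecord("sample-E", date(2023, 6, 1), date(2023, 6, 1), date(2023, 6, 20)),
    # N-day picked up only after seven months: dropped as an outlier
    VulnRecord("sample-F", date(2023, 1, 1), date(2023, 1, 1), date(2023, 8, 1)),
]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:>22}: {value}")
```

Running it on the constructed sample shows the effect the post describes: the untrimmed mean time-to-exploit is pulled to roughly 39 days by the single late case, while the trimmed mean is 4 days. The zero-day share counts exploitation on the disclosure day as an N-day when the patch shipped that same day, so adjust the comparison in `is_zero_day` if your own data records disclosure and patch timestamps with finer resolution.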

The report says a lot about the fact that attackers may have their own priorities when choosing vulnerabilities, and the theoretical danger of a given problem does not always translate into its immediate exploitation. The report provides two examples. Vulnerability CVE-2023-28121 in the WooPayments plugin for WordPress began to be exploited literally the day after the exploit was published. At the same time, vulnerability CVE-2023-27997 in Fortinet network devices began to be exploited almost three months after the exploit became publicly available.

Both vulnerabilities have a rating close to the maximum: 9.8 points on the CVSS scale, and look (in theory) as attractive as possible for attackers: one allows you to attack online stores and steal customer data, the second can serve as a reliable entry point into corporate infrastructure. But in practice, according to Google experts, the vulnerability in Fortinet was quite difficult to exploit for profit. More precisely, it took much more time to develop a practical attack.

The report makes another attempt to measure the corporate cyberattack space by counting the number of vendors attacked. This figure is also growing quite confidently: the list of actually exploited vulnerabilities in 2023 included problems in software from 56 different manufacturers. In 2022 there were 44 vendors, in 2021 – 48. The share of the “top three” – the most frequently attacked software and service providers (Microsoft, Google and Apple) – is decreasing. In 2021–2022 they accounted for half of the vulnerabilities, in 2023 – only 40%. All these indirect indicators suggest that the organizers of corporate attacks are becoming more inventive, trying to increase the effectiveness of their tools: they are using zero-day vulnerabilities more often, expanding the range of attacked software and services, and accelerating the introduction of new exploits.

What else happened
The latest report from Kaspersky Lab experts analyzes recently appeared information stealers, malicious programs aimed at stealing user data. Among them is macOS malware masquerading as the Homebrew toolkit.

Researchers from ETH Zurich found a new hardware vulnerability in Intel (12th to 14th generation) and AMD (Zen 1, 1+, 2) processors. The new work develops the ideas of the Spectre attack, and in this case problems were found in the Indirect Branch Predictor Barrier mechanism, which in theory should counter attacks of this type. Unfortunately, this protection was not implemented optimally, which again allowed the researchers to leak data by manipulating the branch prediction mechanism.

Another study from the same ETH Zurich describes a number of errors in the implementation of end-to-end encryption in popular cloud services such as Sync, pCloud and Seafile. In all cases, a fairly complex attack becomes possible, provided that its organizers gain control of the server infrastructure. In the worst case, files that the service provider should not be able to access can be read and arbitrarily written.

Media reports describe an annoying mistake by Microsoft: a number of the company’s corporate clients recently received a notification that about one month’s worth of logs had been lost for some cloud services.

BleepingComputer reports on cyberattacks that use fake web pages imitating the Google Meet service. A user who arrives at such a page from a familiar-looking “meeting invitation” is told that there is supposedly a problem with the microphone or camera (which does happen quite often) and is offered a fix that consists of installing malware. An interesting method of bypassing security measures is used here: the potential victim is asked to copy a script and run it in PowerShell.

By the way, a similar method is now used in attacks on macOS. 9to5mac reports on attempts by attackers to make the victim copy and execute malicious code in the terminal. The malware, as shown in the screenshot above, imitates a traditional software installer for this OS. This method likewise allows the security measures built into the system to be bypassed.

A serious vulnerability (a default login and password pair) has been discovered in the enterprise solution Web Help Desk from SolarWinds.
