Mandiant: 70% of Exploited Vulnerabilities in 2023 Were Zero-Days

A new report from Mandiant indicates that 70% of 2023’s total of 138 exploited vulnerabilities were zero-days when first used, with the average time-to-exploit (TTE) dropping drastically from 32 days to just five.

The report notes that these numbers should be considered conservative, as first exploitation dates are very often not publicly disclosed or are reported in terms of the month or quarter in which they took place. The 138 examples used for this study are ones for which “reliable observations” are available but are still in some cases estimations.

2023’s exploited vulnerabilities show shift away from n-days

The remaining 30% of the exploited vulnerabilities were n-days, used at some point after a patch had been made available. This represents a proportional shift in recent years, in which zero-days tended to make up only 61% to 62% of these cases.

One trend in n-days that does continue is that exploitation is most likely to occur within a month of a patch being released. Media attention and availability also continue to not be special indicators of a vulnerability being exploited, nor do they guarantee that exploitations will even happen.

Zero-days definitely saw a substantial spike in 2023, but more years of analysis will be needed to determine whether it is an emerging trend or whether attackers just happened to deploy an unusual number. One thing that does appear to be trending upward over time is the speed with which n-days are taken advantage of. Last year attackers exploited 12% within the first day of awareness, 29% within one week and 56% within one month. Those numbers overall are up from prior years, in which at least 25% of the exploited vulnerabilities were not seen in the wild until over six months from disclosure. Only two n-days made it past the six-month mark in 2023 before being exploited.

The report also notes that disclosure often does not lead to immediate exploitation, for both zero-days and n-days. Zero-days saw a median time of seven days from public disclosure to exploitation, with n-days a little over double that at 15 days. This is often due to difficulty in pulling off the exploit even if its details are known, and in some cases the value of exploited vulnerabilities is just too low for experienced threat actors to bother moving on quickly.

Smaller companies catching up to big tech as sources of zero-days

For prior years of this research, the biggest names in tech have been at the forefront of exploited vulnerabilities: Apple, Google and Microsoft usually coming in as the top three, often followed closely by Adobe. But they now represent just 40% of the total vulnerabilities for 2023, a drop from being just slightly under half in prior years. The difference is coming from smaller names in the field that are seeing just one exploited vulnerability per year; 31 of the 53 in 2023 fit this description.

Mandiant ultimately finds that the trend of zero-days being the strong majority of successfully exploited vulnerabilities is expected to continue and grow in the coming years. But a factor that should be noted is that companies are improving at both detecting zero-days and responding with patches. Thus what appears to be a spike in 2023 may actually be a more accurate reflection of the reality of previous years, as organizations demonstrate improvements to their visibility in this area. All organizations are benefiting from a general improvement in the detection tools available on the market, and these are likely to get even better as AI develops.

The big number revealed by this report is the slide in TTE over time. Just a few years ago, shortly before the Covid-19 pandemic, the average TTE was a little over two months. It is now down to just five days. This is another area in which general improvements in tools and detection may simply be uncovering reality rather than pointing to a particular spike. However, Mandiant notes that it has specific data that indicates attackers are intentionally moving much faster to beat expected patching cycles. Conditions in the patching race are not favoring the good guys, with numerous market studies indicating ongoing shortfalls in IT staffing that are not expected to be resolved in the near term.

While it is hardly a new talking point, what organizations can take from this report is that time-to-patch is only getting shorter overall. This concern comes on top of ongoing phishing issues and the looming threat of quantum computing requiring a changeover to new encryption standards.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, notes that shifting too much attention from one area can cause the world’s most sophisticated criminals to specifically target others: “As we develop more complex software at breakneck speed, the number of vulnerabilities continues to rise. Ironically, this trend toward zero-day exploits partly results from advancements in traditional defenses. Organizations have become more effective at blocking phishing and credential theft, prompting cybercriminals to adapt by targeting new weaknesses with surgical precision. Cybercrime is a lucrative business. Today’s threat actors are more well-resourced and well-funded than ever before. Instead of ‘lone wolves,’ cybercriminals are now members of cybercrime cartels which have the time, resources and money to execute these more sophisticated attacks.”

Von Tran, Senior Manager, Security Operations at Bugcrowd, notes that the report’s findings indicate that security departments at potentially impacted organizations need a team that is specifically focused on zero-days: “To better prepare for these nightmare scenarios, it is key for all companies to dedicate a team for zero-day response, signal and collaboration. This can’t just be a one company type of thing but all companies who have their products within many supply chains and within consumer hands need to have this dedicated team and be actively talking to each other. It builds an escalation channel between them and their vendors to assess the zero-day, and quickly bring together stakeholders on their teams to respond and update across their stack. It takes so long to respond usually because there’s so many teams they need to collaborate to fix this across their entire organization and product line which may break a lot of things if they force something. A dedicated team will have escalation hotlines to all the engineering stakeholders to prioritize and push a fix within a 5 day window rather than 30 days.”

“Signal is also key, if something is being exploited en masse, being the first to know means you’re the first to respond. This is why we invest so much in External Attack Surface Management (EASM). We recommend others to have such a solution so they can properly assess their risk to zero days. To clarify, this is easier said than done. Zero days are destructive because the research has already taken months if not years to weaponize, meaning attackers will be months to years ahead of you. Rapid response is everything,” added Tran.