Zero-day are exploited on a massive scale in increasingly shorter timeframes

Microsoft warns of an uptick among threat actors increasingly using publicly-disclosed zero-day exploits in their attacks.

According to the Digital Defense Report published by Microsoft, threat actors are increasingly leveraging publicly-disclosed zero-day vulnerabilities to target organizations worldwide.

The researchers noticed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability and remarked on the importance of the patch management process.

“As cyber threat actors—both nation state and criminal—become more adept at leveraging these vulnerabilities, we have observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability. This makes it essential that organizations patch exploits immediately.” reads the report.

Microsoft noted that it only takes 14 days on average for the exploitation of the flaw in the wild after its public disclosure, and it takes 60 days for the release of the exploit code on GitHub.

The experts observed that the zero-day vulnerabilities are initially exploited in highly targeted attacks, then they are quickly adopted in attacks in the wild.

Many nation-state actors have developed capabilities to create exploits from unknown vulnerabilities,
China-linked APT groups are particularly proficient in this activity.

“China’s vulnerability reporting regulation went into effect September 2021, marking a first in the world for a government to require the reporting of vulnerabilities into a government authority for review prior to the vulnerability being shared with the product or service owner.” continues the report. “This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them.”

Below is a list of vulnerabilities first developed and deployed by China-linked threat actors in attacks, before being publicly disclosed and spread among other actors in attacks in the wild:

• CVE-2021-35211 SolarWinds Serv-U;
• CVE-2021-40539 Zoho ManageEngine ADSelfService Plus;
• CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus;
• CVE-2021-42321 Microsoft Exchange;
• CVE-2022-26134 Confluence;

Microsoft urges organizations to prioritize patching of zero-day vulnerabilities as soon as they are released, it also recommends to document and inventory all enterprise hardware and software
assets to determine their exposure to attacks.

“Vulnerabilities are being picked up and exploited on a massive scale, and in increasingly shorter timeframes.” the company concludes.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]