Vulnerability Exploitation on the Rise as Attackers Ditch Phishing

While phishing remains a popular method of gaining initial access to victim environments, researchers at Mandiant note that threat actors are increasingly exploiting vulnerabilities in computer systems to breach organizations. According to Mandiant’s M-Trends 2024 Report, in 2023 actors gained initial access by exploiting vulnerabilities in 38% of intrusions, a 6% increase from the previous year. Notably, researchers observed 97 unique zero-day vulnerabilities exploited in the wild in 2023, up 56% compared to 2022. Although financially motivated cybercriminals such as FIN11 were observed using zero-days to breach systems and steal financial data, Chinese cyber espionage groups were the most prolific users of zero-days in 2023, highlighting the growing threat posed by the People’s Republic of China.

Security Officer Comments:
Threat actors are actively researching and identifying zero-day vulnerabilities because no patch is available at the time of discovery, which makes them difficult for organizations to defend against. One notable example from last year was the campaign carried out by the Cl0p ransomware group, in which the actors identified a zero-day vulnerability in the MOVEit file transfer application, stole data from dozens of organizations, and ultimately held that data hostage for ransom payments. While we haven’t seen exploitation campaigns on this scale since then, zero-days are being identified more frequently than ever before, highlighting the need for organizations to stay vigilant and secure their systems accordingly.

Suggested Corrections:
Zero-days can be tough to mitigate depending on what type of device or piece of software is susceptible. The time gap between disclosure of a vulnerability and the production, release, and deployment of a patch is the most critical aspect of zero-day vulnerabilities, or of any vulnerability for that matter. An attacker can leverage a vulnerability from the moment it becomes known until systems are patched, which is why vulnerabilities must be responsibly disclosed to vendors. Unfortunately, until development teams release a patch or an effective mitigation, there is not much companies can do to prevent attackers from leveraging unpatched systems, especially those exposed to the internet, aside from taking them offline entirely. Disconnecting such systems can significantly impact business functions, which is why those in IT leadership roles must communicate the possible implications, risks, and overall impact to business leaders so that decisions can be made that account for the business as a whole. Applying defense-in-depth strategies and zero-trust principles can significantly help prevent the exploitation of zero-days. Still, these measures may not contain a full-blown attack, depending on the severity and type of exploit possible.