
Zero-Day Attacks On The Rise as Hackers Get More Sophisticated

In 2021 there was a surge in widespread zero-day attacks with hackers moving faster to exploit vulnerabilities, and it looks like 2022 will follow a similar pattern.

Promoted by Rapid7
Mon, 23 May 2022

In 2021, there was a surge in widespread zero-day attacks, with hackers moving much faster to exploit vulnerabilities. The average time to exploitation was down from 42 days in 2020 to just 12 days last year.

This drop in Time to Known Exploitation (TTKE) represented a 71 per cent decrease from the previous year, according to Rapid7's 2021 Vulnerability Intelligence Report. The main reason for the reduction in TTKE was the heightened volume of zero-day attacks, many of which were eventually used by ransomware gangs.

The report comes at a time when Australian organisations are being urged to strengthen their cyber defences to counter the increased potential threat of state-sponsored cyber attacks. That’s why it is important that security and risk teams have a clear view of the broad range of critical vulnerabilities and threats they face, with particular emphasis on technologies they know are central to their business operations.

The Rapid7 2021 Vulnerability Intelligence Report presented a thorough assessment of last year’s attack landscape, with expert analysis of attack vectors and exploitation trends from what was a truly harrowing year for risk management teams around the world.

Not only were governments and organisations grappling with the COVID-19 pandemic, which continued to put pressure on staffing and budgets, but security teams faced a rapid rise in attack complexity and scale.

Widespread attacks leveraging vulnerabilities in commonly deployed software were endemic, ransomware prevalence increased sharply, and zero-day exploitation reached what is generally considered to be an all-time high. The report detailed 50 notable vulnerabilities, of which 43 were exploited in the wild, and highlighted several non-CVE-based attacks, including significant supply chain security incidents.

Many of 2021’s critical vulnerabilities were exploited quickly and at scale, dwarfing attacks from previous years and giving businesses little time to shore up defences in the face of rapidly rising risk.

On any given day, security professionals found themselves having to prioritise and address viable threats from an overwhelming number of reported vulnerabilities.

With the first quarter of 2022 behind us, we are seeing a continuation of widespread attacks. But this is not a surprise. Widely exploited security flaws have been on the rise for several years, increasing by a whopping 136 per cent in 2021. With attacker economies of scale like ransomware and coin mining operations continuing to mature, it’s likely that widespread attacks will remain the norm.

We also saw a significant rise in zero-day attacks in 2021, and so far in 2022 that trend continues, putting further pressure on organisations’ security teams.

In one of the year’s more jarring trends, 52 per cent of 2021’s widespread threats began with a zero-day exploit. These vulnerabilities were discovered and weaponised by adversaries before vendors were able to patch them. A much higher proportion of zero-day attacks are now threatening many organisations from the outset, instead of being used in more targeted operations. In 2021, more than half (56 per cent) of the known exploited vulnerabilities came under attack within one week of public disclosure. And this year, despite having a bit of a break in February, we are continuing to witness several high-profile zero-day attacks as the first half progresses.

Attacks like SolarWinds and Log4Shell highlighted our reliance on open-source libraries and shared components, which can be tough to detect and deeply embedded in technology stacks. Naturally, security teams are paying more attention to these threats. However, we do urge organisations not to lose sight of vulnerabilities that arise in exposed and critical technologies, particularly those that sit at the edge of networks or govern internal network infrastructure. Flaws in firewalls, VPNs, internet-facing portals, and DevOps systems continue to be targets for both advanced and low-skilled adversaries, regardless of any geo-political risks.

These known vulnerabilities can be unwittingly exposed and continue to be ‘an easy way in’ for bad actors. Rapid7 vulnerability intelligence indicates these types of vulnerabilities are getting attacked regularly and organisations need to ensure they continue to pay attention to them.

No Surprises

The first quarter of 2022 has not brought about any new surprises.

But for any team tasked with risk management, no matter whether it is vulnerability risk management or something else, we are seeing the layering of these different challenges put pressure on both resources and time.

And whilst the current environment may seem foreboding, there is positive news too. For one thing, the security industry is better able to detect and analyse zero-day attacks. This, in turn, has helped improve commercial security solutions and open-source rule sets. And while we would never call the rise of ransomware a positive thing, the universality of the threat has spurred more public-private cooperation and driven new recommendations for preventing and recovering from ransomware attacks.

We also believe research-driven context on vulnerabilities and emergent threats is critical to building forward-looking security programs. In line with that, organisations of all sizes can implement battle-tested tactics to minimise easy opportunities for attackers and shore up defences.

As we look ahead, we anticipate the trends highlighted in our 2021 report will continue, which means security teams should expect further zero-day attacks and further widespread exploitation. Whilst many organisations are a lot better at detecting these attacks, it is important to avoid complacency.

Attackers will continue to look for opportunities to profit or gain key access to corporate networks as long as there is attack surface area available to them. The probability of an attack for an average business has increased, so organisations as a whole — not just information security teams, but executive and board-level stakeholders, too — must work together to evolve their approaches to risk management.

To access the complete Rapid7 2021 Vulnerability Intelligence Report and related resources click here.
