Threat actors are exploiting vulnerabilities faster than ever

New research from cybersecurity firm Mandiant provides surprising statistics on attacker exploitation of vulnerabilities, based on an analysis of 138 different exploited vulnerabilities that were disclosed in 2023.

The results, published on the Google Cloud blog, show that vendors are increasingly being targeted by attackers who are continually reducing the average time to exploit both zero-day and N-day vulnerabilities. However, not all vulnerabilities are of equal value to an attacker, as their importance depends on the attacker’s specific goals.

Time to exploit has dropped sharply

Time to Exploit (TTE) is an indicator of the average time it takes for a vulnerability to be exploited, whether that exploitation happens before or after a patch is released. Mandiant’s research shows:

  • In 2018–2019, the average TTE was 63 days.
  • In 2020–2021, it fell to 44 days.
  • In 2021–2022, it dropped further to 32 days.
  • In 2023, it was only 5 days.


Zero-day vs. N-day

As TTE continues to shrink, attackers are increasingly exploiting both zero-day and N-day vulnerabilities.

A zero-day vulnerability is one that is exploited before a patch is available, and it is often unknown to the vendor and the public. An N-day vulnerability is a known vulnerability that is first exploited after a patch has been released. An attacker can therefore exploit an N-day vulnerability for as long as the patch has not been applied on the target system.

Mandiant reports that in 2023 the ratio of N-days to zero-days was 30:70, compared with 38:62 in 2021–2022. Mandiant researchers Casey Charrier and Robert Weiner say this shift is likely due to the increased use and detection of zero-day exploits rather than a decline in the use of N-day exploits. It is also possible that threat actors simply had more success exploiting zero-days in 2023.

“While we have previously seen and continue to expect the use of zero-days to increase over time, 2023 saw an even greater divergence between zero-day and n-day exploitation, as zero-day exploitation outpaced n-day exploitation to a greater extent than we have previously observed,” the researchers wrote.

Graph showing zero-day and N-day exploitation. Image: Mandiant

N-day vulnerabilities are most often exploited in the first month after the patch is released

Mandiant reports that it observed 23 N-day vulnerabilities exploited in the first month after their patches were released. Of the N-day vulnerabilities in its data set, 5% were exploited within a day, 29% within a week, and more than half (56%) within a month. In total, 39 N-day vulnerabilities were exploited within the first six months after patch release.
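As an added illustration of the statistics above (this is not Mandiant’s code or data set), the following computes a signed time-to-exploit per vulnerability, the zero-day versus N-day split, and the cumulative share of N-days exploited within a day, a week, a month and six months of the patch. The records are constructed, the identifiers are placeholders rather than real CVEs, and treating pre-patch exploitation as a negative TTE is an assumption of the example about how “before or after a patch” enters the average.

```python
"""Time-to-exploit (TTE) and N-day exploitation-window statistics.

Added example; not Mandiant's code or data. The records below are constructed
for illustration, and the identifiers are placeholders rather than real CVEs.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class VulnRecord:
    name: str               # placeholder identifier (not a real CVE)
    patched: date           # date the vendor released a fix
    first_exploited: date   # first observed in-the-wild exploitation


def days_to_exploit(v: VulnRecord) -> int:
    """Signed TTE in days: negative when exploitation preceded the patch
    (zero-day), zero or positive when it followed it (N-day). Counting
    pre-patch exploitation as a negative contribution is this example's
    assumption, not a definition taken from the report."""
    return (v.first_exploited - v.patched).days


def is_zero_day(v: VulnRecord) -> bool:
    return days_to_exploit(v) < 0


def average_tte(records: Iterable[VulnRecord]) -> float:
    """Average signed TTE across all exploited vulnerabilities."""
    return float(mean(days_to_exploit(v) for v in records))


def zero_vs_nday_split(records: Iterable[VulnRecord]) -> Dict[str, int]:
    """Count how many records were exploited before vs. after their patch."""
    recs = list(records)
    zero_days = sum(1 for v in recs if is_zero_day(v))
    return {"zero_day": zero_days, "n_day": len(recs) - zero_days}


# Cumulative windows after patch release, mirroring the buckets in the text.
NDAY_WINDOWS = (
    ("within_1_day", 1),
    ("within_1_week", 7),
    ("within_1_month", 30),
    ("within_6_months", 182),
)


def nday_exploitation_windows(records: Iterable[VulnRecord]) -> Dict[str, float]:
    """Percent of N-days first exploited within each window after the patch.
    The denominator is the number of N-days, not all vulnerabilities."""
    lags: List[int] = [days_to_exploit(v) for v in records if not is_zero_day(v)]
    if not lags:
        return {label: 0.0 for label, _ in NDAY_WINDOWS}
    return {
        label: round(100.0 * sum(1 for d in lags if d <= limit) / len(lags), 1)
        for label, limit in NDAY_WINDOWS
    }


# Constructed sample: three zero-days and seven N-days with varied lags.
SAMPLE = [
    VulnRecord("ZD-1", date(2023, 3, 1), date(2023, 1, 30)),    # -30 days
    VulnRecord("ZD-2", date(2023, 5, 10), date(2023, 4, 30)),   # -10
    VulnRecord("ZD-3", date(2023, 6, 12), date(2023, 6, 11)),   # -1
    VulnRecord("ND-1", date(2023, 2, 14), date(2023, 2, 14)),   # 0
    VulnRecord("ND-2", date(2023, 7, 18), date(2023, 7, 19)),   # 1
    VulnRecord("ND-3", date(2023, 8, 8), date(2023, 8, 11)),    # 3
    VulnRecord("ND-4", date(2023, 9, 1), date(2023, 9, 6)),     # 5
    VulnRecord("ND-5", date(2023, 1, 10), date(2023, 1, 30)),   # 20
    VulnRecord("ND-6", date(2023, 3, 20), date(2023, 5, 4)),    # 45
    VulnRecord("ND-7", date(2023, 2, 1), date(2023, 8, 20)),    # 200
]


if __name__ == "__main__":
    print("average TTE (days):", average_tte(SAMPLE))            # 23.3
    print("zero-day vs N-day:", zero_vs_nday_split(SAMPLE))      # 3 vs 7
    print("N-day windows (%):", nday_exploitation_windows(SAMPLE))
```

Note how three zero-days with negative lags pull the average well below the typical N-day lag, which is one reason a falling average TTE should be read together with the zero-day share rather than on its own.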

Infographic showing the N-day exploitation timeline. Image: Mandiant

More vendors are being targeted

Attackers appear to be adding more vendors to their target list, which has grown from 25 vendors in 2018 to 56 in 2023. This adds to the challenge for defenders, who have to protect a larger attack surface every year.


Case studies show how exploitation plays out

Mandiant describes the case of CVE-2023-28121 in the WooCommerce Payments plugin for WordPress.

Disclosed on March 23, 2023, it received no proof of concept or technical details until more than three months later, when a publication showed how to use it to create an administrator user without prior authentication. A Metasploit module was released a day later.

A few days after that, another weaponized exploit was released. The first exploitation began the day after this weaponized exploit was published, and exploitation peaked two days later, reaching 1.3 million attacks in a single day. This case highlights the threat actors’ “increased incentive to exploit this vulnerability due to the public release of a functional, large-scale, and reliable exploit,” Charrier and Weiner said.

Infographic showing the CVE-2023-28121 exploitation timeline. Image: Mandiant

The case of CVE-2023-27997 is different. The vulnerability known as XORtigate affects the Secure Sockets Layer (SSL) / Virtual Private Network (VPN) component of Fortinet FortiOS. The vulnerability was disclosed on June 11, 2023 and immediately gained media coverage, even before Fortinet issued an official security advisory a day later.

On the second day after disclosure, two blog posts containing a PoC were published, and a non-weaponized exploit was published on GitHub before being taken down. Although interest was evident, the first observed exploitation occurred only four months after disclosure.

Infographic showing the CVE-2023-27997 exploitation timeline. Image: Mandiant

One of the most likely explanations for the difference in the observed timelines is the difference in the reliability and ease of exploitation of the two vulnerabilities. The one affecting the WooCommerce Payments plugin for WordPress is easy to exploit because it only requires a specific HTTP header. The second is a heap-based buffer overflow, which is much harder to exploit, especially on systems with several standard and non-standard security mitigations that make reliable exploitation difficult.
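To make concrete what “only requires a specific HTTP header” means for exploitability, here is an added example of the bug class, not the plugin’s code and not taken from the Mandiant report: a request handler that attributes the request to whatever user a client-supplied header names, beside a hardened version that trusts only a server-issued session token. The header name X-Impersonate-User, the user table and the session store are hypothetical and constructed for the example.

```python
"""Identity from a client-controlled header: vulnerable pattern beside the fix.

Added example of the bug class the text describes (an authentication bypass
that needs only a specific HTTP header). It is not the WooCommerce Payments
plugin's code. The header name X-Impersonate-User, the user table and the
session store are hypothetical, constructed for this example.
"""
import hmac
import secrets
from typing import Callable, Dict, Mapping, Optional

# Constructed stores (hypothetical): username -> role, session token -> username.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"role": "administrator"},
    "bob": {"role": "subscriber"},
}
SESSIONS: Dict[str, str] = {}

Resolver = Callable[[Mapping[str, str]], Optional[str]]


def login(username: str) -> str:
    """Issue a server-generated session token after a (hypothetical) login."""
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def current_user_vulnerable(headers: Mapping[str, str]) -> Optional[str]:
    """Vulnerable: the request is attributed to whatever user a header names.
    Any unauthenticated client can set that header and become 'alice'."""
    user = headers.get("X-Impersonate-User")
    return user if user in USERS else None


def current_user_hardened(headers: Mapping[str, str]) -> Optional[str]:
    """Hardened: identity comes only from a server-issued bearer token, compared
    in constant time; the impersonation header is never consulted."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    if not token.isascii():          # hmac.compare_digest requires ASCII str
        return None
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return user
    return None


def create_admin(headers: Mapping[str, str], new_username: str,
                 resolver: Resolver) -> bool:
    """Privileged action: only an administrator may create another one."""
    actor = resolver(headers)
    if actor is None or USERS[actor]["role"] != "administrator":
        return False
    USERS[new_username] = {"role": "administrator"}
    return True


if __name__ == "__main__":
    forged = {"X-Impersonate-User": "alice"}   # no credentials at all
    print("vulnerable:", create_admin(forged, "mallory", current_user_vulnerable))  # True
    print("hardened:  ", create_admin(forged, "mallory", current_user_hardened))    # False
    token = login("alice")
    print("legit admin:", create_admin({"Authorization": "Bearer " + token},
                                       "carol", current_user_hardened))            # True
```

The vulnerable resolver turns an unauthenticated request into an administrator with a single header, which is why a bug of this shape can be weaponized into a mass scanner within days of a PoC. The hardened resolver never reads the header at all: the fix is removing the trust path, not filtering header values.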

Mandiant also points out that the intended use of the exploit is a factor.

“Redirecting more energy into developing more difficult but ‘more valuable’ vulnerabilities would be logical if it better suited their goals, while an easier to exploit and ‘less valuable’ vulnerability might be of greater value to more opportunistic adversaries,” the researchers wrote.

Deploying patches is not a simple task

More than ever, patches that address security vulnerabilities need to be deployed as quickly as the risk associated with each vulnerability warrants.

Fred Raynal, CEO of Quarkslab, a French offensive and defensive security company, told TechRepublic that “Patching 2-3 systems is one thing. Patching 10,000 systems is not the same. It requires organization, people and time management. So even if a patch is available, it usually takes a few days for it to go live.”

Raynal added that some systems take longer to patch. He gave the example of patching vulnerabilities in mobile phones: “If a patch appears in the Android source code, Google must apply it. Then SoC makers (Qualcomm, Mediatek, etc.) have to try it out and implement it in their own version. Then phone manufacturers (e.g. Samsung, Xiaomi) must migrate it to their own version. Then, carriers sometimes tweak the software before building it, which doesn’t always allow the latest versions of the source to be used. So here the patch propagation is… long. It’s not uncommon for today’s phones to have security vulnerabilities from 6 months ago.”

Raynal also emphasizes that availability is a key factor in patching: “Some systems can afford to fail! Consider an oil rig or any energy producer: patching is fine, but what happens if the patch causes a failure. There is no energy left. So what’s the worst? An unpatched critical system or a city without energy? A patch is a critical system, it concerns a potential threat. A city without energy, this is about real problems.”

Finally, according to Raynal, some systems are not patched at all: “Patching is prohibited in some areas. For example, many companies that build healthcare devices prevent their users from patching. If this happens, it will void your warranty.”