The Analyst Prompt Issue #18 briefly explores the hype around zero-day vulnerabilities and the benefit of focusing on tactics and techniques featured in common threats and attack patterns rather than highlighting cutting-edge cyberattacks to improve metrics and cyber defense. As an example of the value of strong fundamentals, we look at the initial reports about the Uber breach versus an analysis of current trends in zero-day use in cyberattacks.
Key Infrastructure and Critical Vulnerabilities: Zero-Day Software Vulnerabilities Remain High Profile, but are Not a Factor in the Majority of Successful Cyberattacks
Zero-day exploits have come under increased scrutiny after malware vendors including FinFisher, the NSO Group, Hacking Team, and others demonstrated a growing market for custom, paid-for exploits. An increasingly connected world means the impact of zero days keeps growing. At the end of August, VX Underground reported a new iOS remote code execution vulnerability included in an exploit package listed for sale for 8 million dollars by a new Israeli company named Intellexa (1). Governments, cybercriminals - especially ransomware syndicates - and a growing population of actors consisting of private organizations and grey-hat hackers participate in markets for zero-day exploits (2, 3, 4).
Low-Touch (Including Zero-Click) Exploits for Popular Software Command the Highest Prices
Current trends indicate a possible shift in demand towards Android exploits, although Apple exploits still command more lucrative pricing. New VPN vulnerabilities remain highly popular, and ransomware syndicates represent some of the most frequent buyers. The market for highly sophisticated exploits is likely to remain geographically localized and relatively constrained to distinct global regions. One theory is that demand is driven by exclusive connections with localized government buyers who stockpile zero days for use against their own regional targets. In this theory, the secrecy and hoarding mentality have the effect of reducing wider spread of the exploit (5). There is no consensus on which government is the biggest buyer of zero-days: the US government is very likely the largest acquirer of zero-day vulnerabilities according to one source (6, 7), but another report finds China is the largest user of zero-days (8). Despite the high profile of zero-day vulnerabilities, they remain sequestered and reserved for only a very small number of cyberattacks.
Threat Actor Update: Publicly Available Evidence Supporting Uber Cyberattack Attribution to Lapsus$ is Lacking
Uber announced it suffered a security breach in mid-September. On its website, Uber attributed the attack to the cybercriminal group Lapsus$ (9). Attribution in a cyberattack can be challenging, and sufficient detail for firm attribution is often lacking. It is too early in the Uber investigation for analysts outside Uber to perform a substantial, detailed analysis of TTPs (Tactics, Techniques, and Procedures). Lapsus$ is an amorphous cybercriminal group very likely consisting of members that drop in and out frequently, which makes reliable attribution to the “group” challenging. The group has not demonstrated consistent TTPs in prior known cyberattacks that would help independent analysts easily attribute the Uber attack to Lapsus$.
The Latest Cyberattack Against Uber Showcases a Lower Level of Access Expected Within the Context of Most Modern Cyberattacks
Exposure of account credentials is common. If that alone led to such a high-profile and successful attack, then a weakness in how MFA (multifactor authentication) was implemented may point to wider security issues at Uber and at other companies that place high trust in security protocols such as MFA. A hardware key providing MFA codes could have significantly mitigated the consequences of the initial account compromise.
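As an added illustration of why a hardware key would have helped (example code written for this edition, not EclecticIQ's own), the model below relays a one-time code and then a hardware-key assertion through a look-alike page. The relying-party names corp.example and phish.example, the seed, credential key and challenge are constructed values, and an HMAC stands in for the key's signature.

```python
# Added illustration (not EclecticIQ's material): a one-time MFA code is a bearer
# value the real site will accept from anyone, while a hardware-key assertion is
# bound to the origin the browser was actually on and fails when relayed.
import hashlib
import hmac
import struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter with dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, t: int) -> bool:
    """The server only checks the digits; it cannot tell who typed them or where."""
    return hmac.compare_digest(totp(secret, t), submitted)

def key_assert(cred_key: bytes, rp_id: bytes, challenge: bytes) -> bytes:
    """Stand-in for the hardware key's signature (HMAC instead of an asymmetric
    signature, to stay stdlib-only). The browser supplies rp_id from the page
    origin, so the key only ever signs for the site the user is really on."""
    data = hashlib.sha256(rp_id).digest() + challenge
    return hmac.new(cred_key, data, hashlib.sha256).digest()

def verify_assertion(cred_key: bytes, expected_rp: bytes, challenge: bytes, sig: bytes) -> bool:
    """The relying party verifies against its own rp_id and the challenge it issued."""
    return hmac.compare_digest(key_assert(cred_key, expected_rp, challenge), sig)

SEED = b"constructed-totp-seed"        # constructed sample value
CRED = b"constructed-credential-key"   # constructed sample value
CORP, PHISH = b"corp.example", b"phish.example"  # assumed relying-party names

def relayed_totp_accepted(t: int = 1_700_000_000) -> bool:
    """Victim types the code on a look-alike page; attacker forwards it unchanged."""
    code_seen_by_attacker = totp(SEED, t)
    return verify_totp(SEED, code_seen_by_attacker, t)

def relayed_assertion_accepted() -> bool:
    """Same relay against a hardware key: the assertion was made for phish.example."""
    challenge = hashlib.sha256(b"constructed-challenge").digest()  # issued by corp.example
    sig = key_assert(CRED, PHISH, challenge)
    return verify_assertion(CRED, CORP, challenge, sig)

def genuine_assertion_accepted() -> bool:
    """Control case: the user is on corp.example, so the assertion verifies."""
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    return verify_assertion(CRED, CORP, challenge, key_assert(CRED, CORP, challenge))
```

The relayed code is accepted and the relayed assertion is rejected; push-approval and SMS codes share the one-time code's weakness, which is why origin-bound authenticators are the mitigation the text points to.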
Zero-Days Simply Aren’t Used in Many Cyberattacks And so Remain Uncommon Threats
The Uber attack is more representative of the type of cyberattack most organizations are likely to experience. While the many technologies and types of networks in use today create large attack surfaces for threat actors to exploit, EclecticIQ analysts observe that the myriad unauthorized parties seeking to monetize stolen data still most commonly compromise networks by relying on failures in basic information security practices rather than on more complicated zero-day exploits. Beyond solid MFA application and enforcement, businesses of all sizes must practice multilayered security throughout their networks, with a threat model that assumes initial compromise will occur. Networks should incorporate zero-trust practices and integrated XDR capabilities to reach endpoints for immediate mitigation.
About EclecticIQ Intelligence & Research Team
EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at firstname.lastname@example.org or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
Please refer to our support page for guidance on how to access the feeds.