New and Noteworthy: Unknown Zero-day Vulnerabilities Will Almost Certainly Continue to Increase Year-on-Year Because of Stockpiling And Technology Expansion.
EclecticIQ analysts assess that zero-day vulnerabilities, which occur when a vulnerability in a computer system is discovered before an associated patch is released, will continue to increase, if for no other reason than that technology itself keeps growing in both quantity and capability. Stockpiling of undisclosed vulnerabilities by state actors helps ensure that some will never be disclosed unless a third party independently discovers them. According to a database that tracks zero-day vulnerabilities, 1011 zero-day vulnerabilities have been published so far in 2022. This continues a trend of year-on-year increases: 1604 zero-days were published in 2021, 1453 in 2020, and 1045 in 2019 (1).
A study of zero-day vulnerabilities and exploits spanning 2002-2016 found that exploits associated with zero-days have an average useful life expectancy of 6.9 years (2). Another study of over 46,000 vulnerabilities found that approximately 80% had a working exploit developed by threat actors on or before the date of disclosure (3). Both studies confirm that open-source products had a slightly longer average exploit shelf-life: 7.32 years for open-source versus 6.9 years for non-open-source software (3). For nearly all vulnerabilities studied, threat actors took between 6 and 37 days to develop exploits tied to zero-day vulnerabilities, and 71% of all exploits (zero-day and non-zero-day) were developed in under a month.
The rate at which the public or third parties independently discovered zero-days held in known stockpiles (known to the holder, but not publicly disclosed) was very low, at approximately 5.7% per year (2). Expanding public bug bounty programs could help shrink undisclosed vulnerability stockpiles by incentivizing more widespread participation in third-party zero-day discovery, with the aim of pushing the average discovery rate above 5.7% per year.
Malware: Encryption is Not a Panacea for Cyberattacks; Layered Security Features Help Provide Additional Security
Threat intelligence demonstrates that many industries are at high risk of increasingly sophisticated spyware attacks. Journalists generally practice stronger operational security than the general population to protect themselves from cyberattacks. Nonetheless, recent reporting about the NSO Group's Pegasus malware and other malware targeting US journalists (4) shows that multiple well-developed spyware families are now targeting journalists and others globally. The fact that these targets are being compromised successfully at increasing rates demonstrates that encryption alone is not enough to protect against cyberattacks in high-stakes situations.
One reason newer malware succeeds against encrypted applications is that it penetrates deeper, to the operating system level, where it can subvert the application's encryption keys. One of the best routes to stronger operational security in these situations is to give end users more control over, and awareness of, their personal device security at the operating system level, not just within a particular application. The first release of Lockdown Mode from Apple attempts to help increase information security in sensitive situations (5). Lockdown Mode helps to silo applications that threat actors might try to exploit, making it much more difficult to gain deeper access to the device and its information. This is certainly not a panacea for cyberattacks, but this sort of layered, security-oriented feature in end-user device operating systems is a step in the right direction toward more comprehensive security that is better suited to today's threats. It sets a good security design example for other producers by going beyond simply encrypting a data stream. Propagation of these types of security-focused features to other devices could greatly reduce the attack surface exposed to cyberattacks and increase the privacy of information transiting personal devices.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
Please refer to our support page for guidance on how to access the feeds.
Appendix
1. https://www.zerodayinitiative.com/advisories/published/
2. https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf
3. https://www.cse.msu.edu/~alexliu/publications/VulnerabilityDB/VulnerabilityDB_ICSE2012.pdf
4. https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
5. https://telecoms.com/516315/apple-beefs-up-device-security-as-spy-agencies-warn-of-increasing-chinese-threats/