September 5, 2023 | By Sue Poremba

That latest cyberattack threatening your organization is likely coming from outside the corporate network. According to Mandiant’s M-Trends 2023 report, 63% of breaches came from an outside entity — a considerable rise from 47% the year before.

When it comes to how intruders are getting into the network, it depends on the organization’s location. Spearphishing is the top attack vector in Europe, while credential theft-based attacks are the number one type of attack in Asia, Kevin Mandia, Mandiant CEO, told an audience at RSA Conference 2023. In the United States, threat actors prefer to use vulnerabilities to gain access to the system.

“Right now, about 32% of the time, victim zero, when we know victim zero, it’s a vulnerability. Not a zero-day necessarily but a one-day, two-day,” Mandia said. That’s a worldwide viewpoint. In the U.S. alone, that rate is 38% of detected incidents.

Zero-day attacks

While the number of zero-day vulnerabilities dropped from a high of 81 in 2021 to 55 in 2022, it is still nearly double the number from 2020, according to Mandiant’s research. Zero-day exploits are increasingly used by cyber crime gangs and nation-state actors, and we have only begun to see how severe and far-reaching the damage can be.

In May 2023, for example, a Russian ransomware ring was accused of launching a zero-day attack through a flaw in the managed file transfer software MOVEit Transfer. As is typical for a zero-day vulnerability, it is not a single company that is targeted or impacted; the attack can affect any organization using the software. In this case the attack, which exploited a SQL injection flaw, has potentially hit hundreds of organizations, including federal government agencies, universities, banks and major health networks. In fact, both the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI “expect to see a large-scale exploitation of this service,” according to Security Boulevard.

Another zero-day attack discovered in May exploited a vulnerability in Microsoft Exchange. It is believed this attack was conducted by a Chinese espionage group. This particular attack spread through email campaigns, “with the email security appliances of hundreds of organizations getting hit,” according to Security Week. This fits in with another discovery by Mandiant — the most common vendors exploited are the big three in the tech world (Microsoft, Google and Apple) and China is a rising actor in zero-day exploits.

Patching zero-day vulnerabilities

Progress Software, the maker of MOVEit, released two patches to fix the vulnerabilities. But this might not be the end of the need to patch: threat actors continue to find and exploit vulnerabilities in the software.

And this leads to a point Mandia made in his RSA keynote address: You have to patch what you can, but also realize that not everything will be able to be patched. (It remains to be seen if the MOVEit vulnerability meets that latter concern.)

Overall, patch management needs to become a greater priority for organizations. As Mandia stated to the RSA audience, if your organization hasn’t identified and patched the zero-day vulnerabilities found in the past year, “someone else will find it for you.” And that someone else is likely to be a cyber crime group.

Patch management fails

Patch management has long been a problem for organizations. One reason is the sheer volume of patches; in 2021, there were more than 20,000 vulnerabilities patched. That alone makes it increasingly difficult to keep up.

Even if it were easy to stay on top of all the patches, users tend to ignore them, thinking it is no big deal to wait days (or weeks) after a patch is released before applying it. Too many users are simply unaware of the risks involved with poor patch management practices. To make things worse, it is an area that often gets overlooked or given little attention in security awareness training. This is despite the Department of Homeland Security’s recommendation that critical patches be applied within 15 days of release.

That leads to another dilemma in patch management: what is actually critical? Many security teams have their own procedures in place before pushing a patch out to the organization at large. Sometimes patches are released so quickly that they are buggy or ineffective, resulting in more harm. IT teams want to test the patches internally first, and that may supersede a critical patch warning. There are also procedures in place to track patch deployments and ensure no device or system is missed.

Keeping up with the zero days

To keep on top of patch management, IT and security teams also need to stay on top of zero-day vulnerabilities being exploited in the wild. CISA maintains a Known Exploited Vulnerabilities (KEV) catalog that describes the threat each entry poses and the action to take to address it.

But that’s just a start. As zero days continue to be a popular attack vector and a gateway for ransomware and other nefarious nation-state activities, organizations need to rethink their patch management processes. That can include restructuring deployment to apply patches gradually and monitor for problems, as well as more structured awareness training around the importance of patches. Improved visibility into devices used across the organization will also help ensure that nothing is being missed — a vital element for organizations with remote workers.
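The KEV catalog is most useful when it is joined to your own device inventory, so that every host still running an exploited, unpatched version is visible and the oldest exposures surface first. The following is an added example, not code from the article, IBM or CISA: it reads records in the KEV JSON layout (the `cveID`, `product`, `dateAdded`, `requiredAction`, `dueDate` and `knownRansomwareCampaignUse` fields are CISA's published schema), compares installed versions against a constructed "first fixed version" table, and flags hosts whose exposure has exceeded the 15-day window the article cites. All CVE IDs, products, versions and host names are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the CISA KEV JSON layout; the CVE IDs, vendor, products
# and dates are placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "Example Transfer", "dateAdded": "2023-06-02",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
     "product": "Example Mail Gateway", "dateAdded": "2023-08-25",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-09-15", "knownRansomwareCampaignUse": "Unknown"},
]})
# Constructed inventory plus the first fixed version per product (in practice
# taken from the vendor advisory the KEV entry points to).
INVENTORY = [
    {"host": "mft-01", "product": "Example Transfer", "version": "2023.0.1"},
    {"host": "mft-02", "product": "Example Transfer", "version": "2023.0.3"},
    {"host": "mail-01", "product": "Example Mail Gateway", "version": "15.1"},
]
FIXED_IN = {"Example Transfer": "2023.0.3", "Example Mail Gateway": "15.2"}

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))  # numeric dotted versions only

def overdue_exposures(kev_json, inventory, fixed_in, today, window_days=15):
    """Hosts running a KEV-listed product below its fixed version (or with no fix
    known), with days since CISA added the CVE and whether the window has passed."""
    by_product = {}
    for rec in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault(rec["product"], []).append(rec)
    findings = []
    for dev in inventory:
        recs = by_product.get(dev["product"], [])
        fixed = fixed_in.get(dev["product"])
        if fixed and version_tuple(dev["version"]) >= version_tuple(fixed):
            continue  # already at or past the fixed release
        for rec in recs:
            age = (today - date.fromisoformat(rec["dateAdded"])).days
            findings.append({"host": dev["host"], "cve": rec["cveID"],
                             "days_since_added": age, "overdue": age > window_days,
                             "ransomware": rec["knownRansomwareCampaignUse"] == "Known",
                             "action": rec["requiredAction"]})
    # overdue, ransomware-linked and longest-exposed items sort first
    return sorted(findings, key=lambda f: (not f["overdue"], not f["ransomware"],
                                           -f["days_since_added"]))

def demo(today_iso="2023-09-05"):  # the article's publication date
    return overdue_exposures(KEV_SAMPLE, INVENTORY, FIXED_IN, date.fromisoformat(today_iso))
```

Against the constructed data, `demo()` reports `mft-01` as 95 days exposed and overdue on a ransomware-linked entry, and `mail-01` as 11 days exposed and still inside the window; `mft-02` is already on the fixed release and is not listed.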

Zero-day attacks like the one on MOVEit will wreak havoc not on one organization but on many. With so many products in development, there is a seemingly infinite number of vulnerabilities possible, and coming up with patches for all of them in a timely manner may not be possible. But when the patch is available, deploy it as quickly as possible. Companies must set patch management as a higher priority because zero-day attacks aren’t going away anytime soon.

