Light Dark
September 5, 2023 By Sue Poremba 4 min read
Risk Management
Security Services

That latest cyberattack threatening your organization is likely coming from outside the corporate network. According to Mandiant’s M-Trends 2023 report, 63% of breaches came from an outside entity — a considerable rise from 47% the year before.

When it comes to how intruders are getting into the network, it depends on the organization’s location. Spearphishing is the top attack vector in Europe, while credential theft-based attacks are the number one type of attack in Asia, Kevin Mandia, Mandiant CEO, told an audience at RSA Conference 2023. In the United States, threat actors prefer to use vulnerabilities to gain access to the system.

“Right now, about 32% of the time, victim zero, when we know victim zero, it’s a vulnerability. Not a zero-day necessarily but a one-day, two-day,” Mandia said. That’s a worldwide viewpoint. In the U.S. alone, that rate is 38% of detected incidents.

Zero-day attacks

While the number of zero-day vulnerabilities dropped from a high of 81 in 2021 to 55 in 2022, it is still nearly double the number from 2020, according to Mandiant’s research. Zero-day exploits are increasingly used by cyber crime gangs and nation-state actors, and we’ve only just begun to see the severity and wide-spreading reach of the damage.

In May 2023, for example, a Russian ransomware ring was accused of launching a zero-day attack through a flaw in a managed file transfer software called MOVEit Transfer. As is typical for a zero-day vulnerability, it is not a single company that is targeted or impacted, but rather the attack can affect any organization using the software. In this particular case, the ransomware spread, thanks to a SQL injection issue, has potentially hit hundreds of organizations, including federal government agencies, universities, banks and major health networks. In fact, both the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI “expect to see a large-scale exploitation of this service,” according to Security Boulevard.

Another zero-day attack discovered in May exploited a vulnerability in Microsoft Exchange. It is believed this attack was conducted by a Chinese espionage group. This particular attack spread through email campaigns, “with the email security appliances of hundreds of organizations getting hit,” according to Security Week. This fits in with another discovery by Mandiant — the most common vendors exploited are the big three in the tech world (Microsoft, Google and Apple) and China is a rising actor in zero-day exploits.

Patching zero-day vulnerabilities

Progress Software, which operates MOVEit software, released two patches to fix the vulnerabilities. But this might not be the end of the need to patch. Threat actors continue to find and exploit vulnerabilities in the software.

And this leads to a point Mandia made in his RSA keynote address: You have to patch what you can, but also realize that not everything will be able to be patched. (It remains to be seen if the MOVEit vulnerability meets that latter concern.)

Overall, patch management needs to become a greater priority for organizations. As Mandia stated to the RSA audience, if your organization hasn’t identified and patched the zero-day vulnerabilities found in the past year, “someone else will find it for you.” And that someone else is likely to be a cyber crime group.

Patch management fails

Patch management has long been a problem for organizations. One reason is the sheer volume of patches; in 2021, there were more than 20,000 vulnerabilities patched. That alone makes it increasingly difficult to keep up.

Even if it was easy to stay on top of all the patches, users tend to ignore them, thinking it’s no big deal to update their software in a couple of days (or weeks) after a patch is released. Too many users are simply unaware of the risks involved with poor patch management practices. To make things worse, it’s an area that often gets overlooked or given little attention in security awareness training. This is despite the Department of Homeland Security’s recommendation that critical patches be applied within 15 days of release.

That leads to another dilemma in patch management: what is actually critical? Many security teams have their own procedures in place before pushing a patch out to the organization at large. Sometimes patches are released so quickly that they are buggy or ineffective, resulting in more harm. IT teams want to test the patches internally first, and that may supersede a critical patch warning. There are also procedures in place to track patch deployments and ensure no device or system is missed.

Keeping up with the zero days

To keep on top of patch management, IT and security teams also need to stay on top of zero-day vulnerabilities in the wild. CISA offers a document of known exploited vulnerabilities with descriptions of the potential threat and the actions to take to address the vulnerability.

But that’s just a start. As zero days continue to be a popular attack vector and a gateway for ransomware and other nefarious nation-state activities, organizations need to rethink their patch management processes. That can include restructuring deployment to apply patches gradually and monitor for problems, as well as more structured awareness training around the importance of patches. Improved visibility into devices used across the organization will also help ensure that nothing is being missed — a vital element for organizations with remote workers.

Zero-day attacks like the one on MOVEit will wreak havoc not on one organization but on many. With so many products in development, there is a seemingly infinite number of vulnerabilities possible, and coming up with patches for all of them in a timely manner may not be possible. But when the patch is available, deploy it as quickly as possible. Companies must set patch management as a higher priority because zero-day attacks aren’t going away anytime soon.

If you are interested in learning more about detection and response, vulnerability management or threat hunting, X-Force provides world-class proactive and reactive services to ensure your organization achieves complete preparedness for zero-day attacks. To learn how IBM X-Force can help you with anything regarding cybersecurity, including incident response, threat intelligence or offensive security services, schedule a meeting here:

IBM X-Force Scheduler

If you are experiencing cybersecurity issues or an incident, contact X-Force to help:

US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

 |  |  |  | 
Sue Poremba

More from Risk Management
April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature