That latest cyberattack threatening your organization is likely coming from outside the corporate network. According to Mandiant’s M-Trends 2023 report, 63% of breaches came from an outside entity — a considerable rise from 47% the year before.
When it comes to how intruders are getting into the network, it depends on the organization’s location. Spearphishing is the top attack vector in Europe, while credential theft-based attacks are the number one type of attack in Asia, Kevin Mandia, Mandiant CEO, told an audience at RSA Conference 2023. In the United States, threat actors prefer to use vulnerabilities to gain access to the system.
“Right now, about 32% of the time, victim zero, when we know victim zero, it’s a vulnerability. Not a zero-day necessarily but a one-day, two-day,” Mandia said. That’s a worldwide viewpoint. In the U.S. alone, that rate is 38% of detected incidents.
While the number of zero-day vulnerabilities dropped from a high of 81 in 2021 to 55 in 2022, it is still nearly double the number from 2020, according to Mandiant’s research. Zero-day exploits are increasingly used by cyber crime gangs and nation-state actors, and we’ve only just begun to see the severity and wide-spreading reach of the damage.
In May 2023, for example, a Russian ransomware ring was accused of launching a zero-day attack through a flaw in a managed file transfer software called MOVEit Transfer. As is typical for a zero-day vulnerability, it is not a single company that is targeted or impacted, but rather the attack can affect any organization using the software. In this particular case, the ransomware spread, thanks to a SQL injection issue, has potentially hit hundreds of organizations, including federal government agencies, universities, banks and major health networks. In fact, both the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI “expect to see a large-scale exploitation of this service,” according to Security Boulevard.
Another zero-day attack discovered in May exploited a vulnerability in Microsoft Exchange. It is believed this attack was conducted by a Chinese espionage group. This particular attack spread through email campaigns, “with the email security appliances of hundreds of organizations getting hit,” according to Security Week. This fits in with another discovery by Mandiant — the most common vendors exploited are the big three in the tech world (Microsoft, Google and Apple) and China is a rising actor in zero-day exploits.
Patching zero-day vulnerabilities
Progress Software, which operates MOVEit software, released two patches to fix the vulnerabilities. But this might not be the end of the need to patch. Threat actors continue to find and exploit vulnerabilities in the software.
And this leads to a point Mandia made in his RSA keynote address: You have to patch what you can, but also realize that not everything will be able to be patched. (It remains to be seen if the MOVEit vulnerability meets that latter concern.)
Overall, patch management needs to become a greater priority for organizations. As Mandia stated to the RSA audience, if your organization hasn’t identified and patched the zero-day vulnerabilities found in the past year, “someone else will find it for you.” And that someone else is likely to be a cyber crime group.
Patch management fails
Patch management has long been a problem for organizations. One reason is the sheer volume of patches; in 2021, there were more than 20,000 vulnerabilities patched. That alone makes it increasingly difficult to keep up.
Even if it was easy to stay on top of all the patches, users tend to ignore them, thinking it’s no big deal to update their software in a couple of days (or weeks) after a patch is released. Too many users are simply unaware of the risks involved with poor patch management practices. To make things worse, it’s an area that often gets overlooked or given little attention in security awareness training. This is despite the Department of Homeland Security’s recommendation that critical patches be applied within 15 days of release.
That leads to another dilemma in patch management: what is actually critical? Many security teams have their own procedures in place before pushing a patch out to the organization at large. Sometimes patches are released so quickly that they are buggy or ineffective, resulting in more harm. IT teams want to test the patches internally first, and that may supersede a critical patch warning. There are also procedures in place to track patch deployments and ensure no device or system is missed.
Keeping up with the zero days
To keep on top of patch management, IT and security teams also need to stay on top of zero-day vulnerabilities in the wild. CISA offers a document of known exploited vulnerabilities with descriptions of the potential threat and the actions to take to address the vulnerability.
But that’s just a start. As zero days continue to be a popular attack vector and a gateway for ransomware and other nefarious nation-state activities, organizations need to rethink their patch management processes. That can include restructuring deployment to apply patches gradually and monitor for problems, as well as more structured awareness training around the importance of patches. Improved visibility into devices used across the organization will also help ensure that nothing is being missed — a vital element for organizations with remote workers.
Zero-day attacks like the one on MOVEit will wreak havoc not on one organization but on many. With so many products in development, there is a seemingly infinite number of vulnerabilities possible, and coming up with patches for all of them in a timely manner may not be possible. But when the patch is available, deploy it as quickly as possible. Companies must set patch management as a higher priority because zero-day attacks aren’t going away anytime soon.
If you are interested in learning more about detection and response, vulnerability management or threat hunting, X-Force provides world-class proactive and reactive services to ensure your organization achieves complete preparedness for zero-day attacks. To learn how IBM X-Force can help you with anything regarding cybersecurity, including incident response, threat intelligence or offensive security services, schedule a meeting here:
IBM X-Force Scheduler
If you are experiencing cybersecurity issues or an incident, contact X-Force to help:
US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.