Zero-day attacks are on the rise. Can patches keep up? – Security Intelligence

That latest cyberattack threatening your organization is likely coming from outside the corporate network. According to Mandiant’s M-Trends 2023 report, 63% of breaches came from an outside entity — a considerable rise from 47% the year before.
When it comes to how intruders are getting into the network, it depends on the organization’s location. Spearphishing is the top attack vector in Europe, while credential theft-based attacks are the number one type of attack in Asia, Kevin Mandia, Mandiant CEO, told an audience at RSA Conference 2023. In the United States, threat actors prefer to use vulnerabilities to gain access to the system.
“Right now, about 32% of the time, victim zero, when we know victim zero, it’s a vulnerability. Not a zero-day necessarily but a one-day, two-day,” Mandia said. That’s a worldwide viewpoint. In the U.S. alone, that rate is 38% of detected incidents.
While the number of zero-day vulnerabilities dropped from a high of 81 in 2021 to 55 in 2022, it is still nearly double the number from 2020, according to Mandiant’s research. Zero-day exploits are increasingly used by cyber crime gangs and nation-state actors, and we’ve only just begun to see the severity and widespread reach of the damage.
In May 2023, for example, a Russian ransomware ring was accused of launching a zero-day attack through a flaw in a managed file transfer software called MOVEit Transfer. As is typical for a zero-day vulnerability, it is not a single company that is targeted or impacted; rather, the attack can affect any organization using the software. In this particular case, the attack, which spread through a SQL injection flaw, has potentially hit hundreds of organizations, including federal government agencies, universities, banks and major health networks. In fact, both the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI “expect to see a large-scale exploitation of this service,” according to Security Boulevard.
Another zero-day attack discovered in May exploited a vulnerability in Microsoft Exchange. It is believed this attack was conducted by a Chinese espionage group. This particular attack spread through email campaigns, “with the email security appliances of hundreds of organizations getting hit,” according to Security Week. This fits in with another discovery by Mandiant — the most common vendors exploited are the big three in the tech world (Microsoft, Google and Apple) and China is a rising actor in zero-day exploits.
Progress Software, the maker of MOVEit, released two patches to fix the vulnerabilities. But the need to patch may not end there: threat actors continue to find and exploit vulnerabilities in the software.
And this leads to a point Mandia made in his RSA keynote address: You have to patch what you can, but also realize that not everything will be able to be patched. (It remains to be seen if the MOVEit vulnerability meets that latter concern.)
Overall, patch management needs to become a greater priority for organizations. As Mandia stated to the RSA audience, if your organization hasn’t identified and patched the zero-day vulnerabilities found in the past year, “someone else will find it for you.” And that someone else is likely to be a cyber crime group.
Patch management has long been a problem for organizations. One reason is the sheer volume of patches; in 2021, there were more than 20,000 vulnerabilities patched. That alone makes it increasingly difficult to keep up.
Even if it were easy to stay on top of all the patches, users tend to ignore them, thinking it’s no big deal to wait a couple of days (or weeks) after a patch is released before updating their software. Too many users are simply unaware of the risks involved with poor patch management practices. To make things worse, it’s an area that often gets overlooked or given little attention in security awareness training. This is despite the Department of Homeland Security’s recommendation that critical patches be applied within 15 days of release.
That leads to another dilemma in patch management: what is actually critical? Many security teams have their own procedures in place before pushing a patch out to the organization at large. Sometimes patches are released so quickly that they are buggy or ineffective, resulting in more harm. IT teams want to test the patches internally first, and that may supersede a critical patch warning. There are also procedures in place to track patch deployments and ensure no device or system is missed.
To keep on top of patch management, IT and security teams also need to stay on top of zero-day vulnerabilities in the wild. CISA maintains a catalog of known exploited vulnerabilities that describes the potential threat of each entry and the actions to take to address it.
But that’s just a start. As zero days continue to be a popular attack vector and a gateway for ransomware and other nefarious nation-state activities, organizations need to rethink their patch management processes. That can include restructuring deployment to apply patches gradually and monitor for problems, as well as more structured awareness training around the importance of patches. Improved visibility into devices used across the organization will also help ensure that nothing is being missed — a vital element for organizations with remote workers.
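As an added illustration of the triage the preceding paragraphs describe (this is example code written for this page, not code from the article, IBM X-Force or CISA), the script below checks a constructed asset inventory against a small catalog that borrows the field names of CISA’s public Known Exploited Vulnerabilities JSON feed. Because that catalog only lists flaws already exploited in the wild, every match is treated as critical; the 15-day window cited above is used as the internal deadline, and entries linked to ransomware campaigns are ranked first. The CVE identifiers, vendor and product names, hosts and dates are all placeholders, not real catalog data.

```python
"""Patch-backlog triage against a KEV-style catalog.

Added example, not code from the article, IBM or CISA. The field names mirror
CISA's Known Exploited Vulnerabilities JSON feed; every entry, host and date
below is constructed, and the CVE identifiers are placeholders.
"""
import json
from datetime import date, timedelta

# Assumed SLA: the 15-day window for critical patches cited in the article.
CRITICAL_SLA_DAYS = 15

# Constructed catalog. "CVE-EXAMPLE-000N" are placeholders, not real CVEs.
KEV_CATALOG_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleCorp",
     "product": "TransferApp", "dateAdded": "2023-06-02",
     "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known",
     "shortDescription": "SQL injection leading to remote code execution (constructed)."},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleSoft",
     "product": "MailServer", "dateAdded": "2023-05-20",
     "dueDate": "2023-06-10", "knownRansomwareCampaignUse": "Unknown",
     "shortDescription": "Authentication bypass (constructed)."},
    {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "ExampleCorp",
     "product": "OtherApp", "dateAdded": "2023-06-05",
     "dueDate": "2023-06-26", "knownRansomwareCampaignUse": "Unknown",
     "shortDescription": "Path traversal (constructed)."}
  ]}"""

# Constructed asset inventory: host -> (vendor, product).
INVENTORY = {
    "xfer-01": ("ExampleCorp", "TransferApp"),
    "xfer-02": ("ExampleCorp", "TransferApp"),
    "mail-01": ("ExampleSoft", "MailServer"),
    "web-01": ("ExampleCorp", "WebPortal"),
}

# Constructed deployment records: (host, cveID) pairs already remediated.
PATCHED = {("xfer-02", "CVE-EXAMPLE-0001")}


def load_catalog(text):
    """Parse the catalog JSON and convert ISO date strings to date objects."""
    entries = json.loads(text)["vulnerabilities"]
    for entry in entries:
        entry["dateAdded"] = date.fromisoformat(entry["dateAdded"])
        entry["dueDate"] = date.fromisoformat(entry["dueDate"])
    return entries


def triage(catalog, inventory, patched, today):
    """Return one finding per unpatched (host, CVE) pair, most urgent first.

    A listing in the catalog means the flaw is exploited in the wild, so every
    match is critical. The internal deadline is the earlier of the catalog's
    dueDate and dateAdded + CRITICAL_SLA_DAYS; a negative days_left is overdue.
    """
    findings = []
    for host, (vendor, product) in inventory.items():
        for entry in catalog:
            if (entry["vendorProject"], entry["product"]) != (vendor, product):
                continue
            if (host, entry["cveID"]) in patched:
                continue
            sla_due = entry["dateAdded"] + timedelta(days=CRITICAL_SLA_DAYS)
            due = min(entry["dueDate"], sla_due)
            days_left = (due - today).days
            findings.append({
                "host": host,
                "cve": entry["cveID"],
                "product": f"{vendor} {product}",
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "due": due,
                "days_left": days_left,
                "overdue": days_left < 0,
            })
    # Ransomware-linked flaws first, then the nearest deadline, then host name.
    findings.sort(key=lambda f: (not f["ransomware"], f["due"], f["host"]))
    return findings


def run_demo(today_iso="2023-06-15"):
    """Triage the constructed data as of a constructed 'today'."""
    return triage(load_catalog(KEV_CATALOG_JSON), INVENTORY, PATCHED,
                  date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_demo():
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:8} {f['cve']:18} {f['product']:24} {status}")
```

On the constructed data as of 2023-06-15, the unpatched file transfer host surfaces first with two days left because its flaw is tied to a ransomware campaign, while the mail server, whose 15-day window closed on 2023-06-04, is reported as overdue; the host that already has the patch recorded is not listed, which is the “track deployments so nothing is missed” step in practice.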
Zero-day attacks like the one on MOVEit will wreak havoc not on one organization but on many. With so many products in development, there is a seemingly infinite number of vulnerabilities possible, and coming up with patches for all of them in a timely manner may not be possible. But when the patch is available, deploy it as quickly as possible. Companies must set patch management as a higher priority because zero-day attacks aren’t going away anytime soon.
If you are interested in learning more about detection and response, vulnerability management or threat hunting, X-Force provides world-class proactive and reactive services to ensure your organization achieves complete preparedness for zero-day attacks. To learn how IBM X-Force can help you with anything regarding cybersecurity, including incident response, threat intelligence or offensive security services, schedule a meeting here:
IBM X-Force Scheduler
If you are experiencing cybersecurity issues or an incident, contact X-Force to help:
US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.