A Brisk Private Trade in Zero-Days Widens Their Use

The growing number of zero-day exploits offered for sale by NSO Group and others is democratizing the attack vector, placing such exploits within reach of less sophisticated attackers.

There were more zero-days exploited in 2019 than any of the previous three years, according to telemetry from FireEye Mandiant. The firm said that’s likely due to more zero-days coming up for sale by cyber-weapons dealers like NSO Group; a growing commercial market has made such tools much more widely available.

While the identification and exploitation of zero-day vulnerabilities has historically been a calling card for only the most sophisticated cybercriminals, a wider range of threat actors are now gaining access to exploits for undocumented, unpatched bugs simply by buying them – no deep security expertise required.

“A wider range of tracked actors appear to have gained access to these capabilities,” FireEye researchers noted in a blog post, published on Monday. “[This includes] a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber-capabilities.”

One of the zero-day purveyors that may have done a brisk trade in 2019 was the controversial Israeli firm known as NSO Group. The private company has been criticized in the past for selling zero-day exploits to “authorized governments” who may have launched targeted attacks against human rights activists and journalists. That’s a charge it denies, arguing that it can be a force for good.

In its analysis, FireEye pointed out that the FruityArmor APT (a.k.a. Stealth Falcon) continued to target journalists and activists in the Middle East with espionage campaigns over the course of the year, and that from 2016 to 2019 this group used more zero-days than any other tracked actor. The security firm also said that the APT has been known to buy zero-days from NSO Group, including three iOS zero-days in 2016 reported by Lookout.

Also, the SandCat APT, which Kaspersky has said is likely affiliated with Uzbekistan state intelligence, was observed using a Windows kernel zero-day (CVE-2019-0859) that opened the door to full system takeover of victims.

“This group may [also] have acquired their zero-days by purchasing malware from private companies such as NSO Group, as the zero-days used in SandCat operations were also used in Stealth Falcon operations, and it is unlikely that these distinct activity sets independently discovered the same…zero-days,” FireEye noted. SandCat and FruityArmor have been seen using the same exploits at other points in 2019 as well.

Aside from involvement with nation-state-backed groups, 2019 also saw a zero-day exploit in WhatsApp (CVE-2019-3568) reportedly used to distribute spyware developed by NSO Group; and, an Android zero-day vulnerability (CVE-2019-2215) also was seen by Google researchers being exploited in the wild in October. Project Zero member Maddie Stone wrote in a technical post at the time that there are indicators that the exploit is “allegedly being used or sold by the NSO Group.”

And finally, financially motivated groups have been seen potentially leveraging purchased zero-days in their operations.

“In May 2019, we reported that FIN6 used a Windows server 2019 use-after-free zero-day (CVE-2019-0859) in a targeted intrusion in February 2019,” according to the analysis. It added that reports at the time noted that the group potentially acquired the zero-day from a criminal underground actor known as “BuggiCorp.” However, “we have not identified direct evidence linking this actor to this exploit’s development or sale,” according to FireEye.

“We surmise that access to zero-day capabilities is becoming increasingly commodified based on the proportion of zero-days exploited in the wild by suspected customers of private companies,” FireEye concluded. “Private companies are likely creating and supplying a larger proportion of zero-days than they have in the past, resulting in a concentration of zero-day capabilities among highly resourced groups.”

Adam Bauer, senior staff security intelligence engineer at Lookout, told Threatpost that his firm has seen the same trend line.

“In 2019, Lookout researchers were able to obtain leaked conversations between a government group tasked with building surveillance capabilities and a number of private-sector vendors selling zero-day exploits for both mobile devices and desktop computers,” he said. “These conversations confirmed that zero-day exploits were readily available for purchase.”

He added, “There is an important distinction here, which is that the ability to discover a zero-day still requires a highly skilled adversary, but the ability to exploit that zero-day is definitely available to the highest bidder.”

Chris Morales, head of security analytics at Vectra, said that the advancement of development tools could also be fueling the phenomenon.

“The FireEye advisory mentions that private companies are likely creating and supplying a larger proportion of zero-days than they have in the past,” he told Threatpost. “I wonder how much the current increase in available zero-days is related to the use of machine learning for automated fuzzing? Fuzzing is really hard to do, with a high cost of overhead of time and skill. That is why historically attackers have reverted to the simple easy stuff which usually works. Zero-days had a high cost and therefore high value.”

However, automated and intelligent fuzzing combined with the fast turnaround of developing exploits for newly discovered vulnerabilities could change the game, he added.

“The outcome would be a lowering of the cost of zero-days, making them more likely to be used more frequently,” he said. “Is that what we are seeing here? Scale of economy? We knew it was always coming. Looks like it might be here.”
