
Cyber spies, not cyber criminals, behind most zero-day exploitation

Analysis from Google has found that zero-day vulnerabilities are much more heavily exploited for espionage purposes than for financially motivated cyber crime

Threat actors operating at the behest of government backers are significantly more likely to be behind the exploitation of newly disclosed zero-day vulnerabilities than financially motivated cyber criminals, according to analysis jointly produced by Google’s Threat Analysis Group (TAG) and Google Cloud’s Mandiant.

TAG and Mandiant observed 97 zero-days exploited in the wild during the course of 2023, up from 62 in 2022, but fewer than the 106 observed in 2021.

The analysts said that of the 58 zero-days for which they could attribute the threat actor’s motivations, 48 of them were attributable to government-backed advanced persistent threat (APT) groups conducting espionage activities, while only 10 were attributable to financially motivated cyber criminals, generally ransomware gangs.

Among the four major state hacking operations perceived as hostile to the UK, US and other Western countries – China, Iran, North Korea and Russia – it was Chinese operators who led the way, exploiting almost twice as many zero-days last year as they did in 2022, and accounting for a little over 40% of the zero-day exploitation attributed to government-backed actors.

Google’s warning over Chinese cyber activity comes just days after the British and American governments sanctioned multiple entities, and issued new warnings over the targeting of politicians and businesses by Chinese hackers intending to steal state secrets and intellectual property.

Google’s findings suggest that when prioritising the response to vulnerability disclosures, organisations considered more at risk of malicious state interference, such as government bodies, universities and research institutions, and operators of critical national infrastructure (CNI), should pay particularly close attention to the zero-days attributed to state-backed groups.

“Consistent with the two preceding years, we attributed more government-backed exploitation of zero-day vulnerabilities to PRC [People’s Republic of China] government-backed attackers than any other state,” wrote the report’s authors, Maddie Stone, Jared Semrau and James Sadowski.

“Mandiant reported extensively on several widespread exploitation campaigns, including UNC4841’s exploitation of two vulnerabilities in Barracuda’s Email Security Gateway – CVE-2023-2868 and CVE-2023-7102.

“The actor showed specific interest in information of political or strategic interest to the PRC government, targeting global governments and organisations in high-priority industries,” they said. “Further, we observed specific interest in email domains and users from Ministries of Foreign Affairs of ASEAN member nations, as well as individuals within foreign trade offices and academic research organisations in Taiwan and Hong Kong.”

Recent zero-days

Other zero-days of particular interest to Chinese cyber spies in recent months have included CVE-2022-41328 in Fortinet FortiOS, which a group tracked by Mandiant as UNC3886 chained with CVE-2023-20867, an authentication bypass in VMware Tools. UNC3886 also heavily exploited a VMware vCenter Server vulnerability, CVE-2023-34048, as a precursor to exploiting the authentication bypass flaw.

Stone, Semrau and Sadowski noted that in both instances, exploitation of the vulnerability chains dated back well over 12 months – and to 2021 in the second case – demonstrating that Chinese threat actors are highly adept both at discovering and exploiting new zero-days and at keeping them under wraps for a significant length of time.

The focus on China should not distract from Russian and North Korean cyber espionage activity, which was not insignificant, and 2023 was also notable for the emergence of a Belarusian APT group known as Winter Vivern. This is the first time a Belarusian actor has been observed using zero-days, although given that Belarus is essentially a vassal state of Russia, it is hard to say to what degree Winter Vivern operates independently.

Turning to financially motivated cyber crime, which accounted for 17% of attributable zero-day exploitation – a lower share than in 2022 – one group, FIN11, accounted for almost a third of the financially motivated exploitation seen last year, having invested heavily in zero-days over a number of years.

FIN11 is linked to multiple prolific ransomware and extortion operations, notably Clop/Cl0p and its predecessors, but other gangs, including Akira, LockBit and Nokoyawa, are also – or have been – heavily involved in zero-day exploitation.

“Given the extensive resources invested into identifying and exploiting zero-day vulnerabilities, financially motivated threat actors highly likely prioritise the use of vulnerabilities that provide efficient access to targeted organisations,” wrote Stone, Semrau and Sadowski.

“FIN11 has focused heavily on file transfer applications which provide efficient and effective access to sensitive victim data without the need for lateral network movement, streamlining the steps for exfiltration and monetisation,” they said. “Subsequently, the large revenues generated from mass extortion or ransomware campaigns likely fuel additional investment by these groups in new vulnerabilities.”

Commercial spyware operations

One of the big cyber stories of the past three years has been the exposure of the activities of commercial spyware vendors (CSVs), legitimate companies that develop and sell cyber surveillance tools to governments.

The most noteworthy CSV to have come to prominence in the 2020s is the now-disgraced Israel-based NSO Group, whose Pegasus spyware is best known for targeting Apple devices running the iOS operating system, and which has been linked to the surveillance of associates of the murdered Saudi journalist Jamal Khashoggi, as well as to many other unsavoury activities by various governments, including Western ones.

As the backer of the rival Android mobile operating system, Google has a particular interest in standing up to CSVs, and the TAG/Mandiant data showed that, like state-backed APTs, CSVs were behind over 40% of attributable zero-day exploitation in 2023, including over 75% of all zero-days targeting Google products and Android ecosystem devices, and 55% of those targeting iOS and Safari.

“The commercial surveillance industry has emerged to fill a lucrative market niche: selling cutting-edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals’ devices,” wrote the report’s authors. “By doing so, CSVs are enabling the proliferation of dangerous hacking tools.

“CSVs operate with deep technical expertise to offer ‘pay-to-play’ tools that bundle an exploit chain designed to get past the defences of a selected device, the spyware and the necessary infrastructure, all to collect the desired data from an individual’s device,” they said.

“Government customers who purchase the tools want to collect various types of data on their highest value targets, including passwords, SMS messages, emails, location, phone calls, and even record audio and video. In order to collect this data, CSVs often develop spyware to target mobile devices. Notably, we could not attribute any Windows zero-days to CSVs.”

Zero-days in 2024

Looking to the coming months, the TAG/Mandiant team assesses that the pace of zero-day discovery and exploitation will remain elevated above pre-Covid levels. Regardless of how many emerge, however, the security industry is collectively having an effect: user platform vendors, Apple, Google and Microsoft among them, have made notable investments that appear to be reducing the number, and changing the types, of zero-days “available” for exploitation.

However, they noted, this may ultimately just lead threat actors to cast a wider net and target more products and services, in particular those produced by cyber security companies. Recent trends, including attacks orchestrated through Barracuda, Cisco, Ivanti and Trend Micro vulnerabilities, suggest this is already happening. The researchers also observed an uptick in exploitation of zero-days in components drawn from third-party libraries, further evidence of this widening focus.

“We anticipate that the growth we have seen across the last few years will likely continue, as vendors continue to make other avenues of compromise less accessible and as threat actors focus increasing resources on zero-day exploitation,” they said. “The wider proliferation of technology has made zero-day exploitation more likely as well: simply put, more technology offers more opportunity for exploitation.

“While there is cause to be optimistic, it is incumbent on the industry as a whole to continue learning these lessons and do the things we need in order to be successful: share lessons learned on how to patch smarter and not harder, disclose activities that can have impacts on users and enterprises alike, and be prepared and flexible enough to act quickly to shorten the lifespan and viability of these exploits.”
