Security Experts:

Connect with us

Hi, what are you looking for?



Increase in Exploited Zero-Days Shows Broader Access to Vulnerabilities

The number of identified zero-day vulnerabilities being exploited has increased in 2019, revealing a broadened access to these security flaws, according to security firm FireEye. 

The number of identified zero-day vulnerabilities being exploited has increased in 2019, revealing a broadened access to these security flaws, according to security firm FireEye. 

FireEye research found that more zero-days were exploited last year than in any of the previous three years, while also observing that more tracked actors have gained access to such capabilities. 

Although not all zero-day exploitations could be attributed to a specific group, it appears that an increasing number of hackers has gained access to zero-days offered by companies that specialize in supplying offensive cyber capabilities. 

Furthermore, FireEye observed an increase in the number of zero-days used in attacks targeting the Middle East, and/or leveraged by groups with suspected ties to this region. 

“Going forward, we are likely to see a greater variety of actors using zero-days, especially as private vendors continue feeding the demand for offensive cyber weapons,” FireEye noted in a blog post

The use of zero-days among known threat groups has increased since 2015, with some notorious examples including Stealth Falcon/FruityArmor, SandCat, and BlackOasis, all of which have been targeting entities in the Middle East. 

The Stealth Falcon/FruityArmor espionage group, which is known for the targeting of journalists and activists, is believed to have used malware sold by Israeli software company NSO group. The SandCat group, which is supposedly linked to the Uzbekistan state intelligence, appears to have used NSO’s malware too, based on the leveraged zero-days. 

In 2016 and 2017, BlackOasis also showed frequent access to zero-day vulnerabilities. The group, FireEye says, appears to have acquired at least one zero-day from private company Gamma Group. 

Additionally, the security firm observed zero-day exploitation not attributed to tracked groups, such as the use of a zero-day in WhatsApp (CVE-2019-3568) to distribute spyware developed by NSO, the abuse of an Adobe Flash zero-day (CVE-2018-15982) to target a Russian healthcare organization, or the targeting of an Android zero-day (CVE-2019-2215) in October 2019 by NSO tools.

Espionage groups of major cyber powers too were observed exploiting zero-days to achieve their purposes. These include the China-linked APT3 (exploited CVE-2019-0703), North Korean group APT37 (targeted Adobe Flash vulnerability CVE-2018-4878), multiple Chinese groups (leveraged CVE-2018-0802 in a campaign against several industries in Europe, Russia, Southeast Asia, and Taiwan), and Russian groups APT28 and Turla (abused multiple zero-days in Microsoft Office). 

“In addition, we believe that some of the most dangerous state sponsored intrusion sets are increasingly demonstrating the ability to quickly exploit vulnerabilities that have been made public. In multiple cases, groups linked to these countries have been able to weaponize vulnerabilities and incorporate them into their operations, aiming to take advantage of the window between disclosure and patch application,” FireEye says. 

Financially-motivated threat actors too leverage zero-days in their operations, including FIN6, which was observed abusing a Windows Server 2019 use-after-free (CVE-2019-0859) in February 2019 (the group might have been leveraging the exploit since August 2018). 

The broadened access to zero-day capabilities is likely proof that more hackers are suspected customers of private companies. Such companies might be supplying a larger proportion of zero-days than before, and might be offering offensive capabilities to groups that have lower overall capability. 

While state groups will likely continue internal exploit discovery and development, more adversaries are expected to gain access to zero-days through private companies, and at a faster rate, FireEye says. 

Related: South Korea-Linked Hackers Targeted Chinese Government via VPN Zero-Day

Related: Mozilla Patches Firefox Zero-Day Exploited in Targeted Attacks

Related: App Found in Google Play Exploits Recent Android Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.