The number of identified zero-day vulnerabilities being exploited has increased in 2019, revealing a broadened access to these security flaws, according to security firm FireEye.
FireEye research found that more zero-days were exploited last year than in any of the previous three years, while also observing that more tracked actors have gained access to such capabilities.
Although not all zero-day exploitations could be attributed to a specific group, it appears that an increasing number of hackers has gained access to zero-days offered by companies that specialize in supplying offensive cyber capabilities.
Furthermore, FireEye observed an increase in the number of zero-days used in attacks targeting the Middle East, and/or leveraged by groups with suspected ties to this region.
“Going forward, we are likely to see a greater variety of actors using zero-days, especially as private vendors continue feeding the demand for offensive cyber weapons,” FireEye noted in a blog post.
The use of zero-days among known threat groups has increased since 2015, with some notorious examples including Stealth Falcon/FruityArmor, SandCat, and BlackOasis, all of which have been targeting entities in the Middle East.
The Stealth Falcon/FruityArmor espionage group, which is known for the targeting of journalists and activists, is believed to have used malware sold by Israeli software company NSO group. The SandCat group, which is supposedly linked to the Uzbekistan state intelligence, appears to have used NSO’s malware too, based on the leveraged zero-days.
In 2016 and 2017, BlackOasis also showed frequent access to zero-day vulnerabilities. The group, FireEye says, appears to have acquired at least one zero-day from private company Gamma Group.
Additionally, the security firm observed zero-day exploitation not attributed to tracked groups, such as the use of a zero-day in WhatsApp (CVE-2019-3568) to distribute spyware developed by NSO, the abuse of an Adobe Flash zero-day (CVE-2018-15982) to target a Russian healthcare organization, or the targeting of an Android zero-day (CVE-2019-2215) in October 2019 by NSO tools.
Espionage groups of major cyber powers too were observed exploiting zero-days to achieve their purposes. These include the China-linked APT3 (exploited CVE-2019-0703), North Korean group APT37 (targeted Adobe Flash vulnerability CVE-2018-4878), multiple Chinese groups (leveraged CVE-2018-0802 in a campaign against several industries in Europe, Russia, Southeast Asia, and Taiwan), and Russian groups APT28 and Turla (abused multiple zero-days in Microsoft Office).
“In addition, we believe that some of the most dangerous state sponsored intrusion sets are increasingly demonstrating the ability to quickly exploit vulnerabilities that have been made public. In multiple cases, groups linked to these countries have been able to weaponize vulnerabilities and incorporate them into their operations, aiming to take advantage of the window between disclosure and patch application,” FireEye says.
Financially-motivated threat actors too leverage zero-days in their operations, including FIN6, which was observed abusing a Windows Server 2019 use-after-free (CVE-2019-0859) in February 2019 (the group might have been leveraging the exploit since August 2018).
The broadened access to zero-day capabilities is likely proof that more hackers are suspected customers of private companies. Such companies might be supplying a larger proportion of zero-days than before, and might be offering offensive capabilities to groups that have lower overall capability.
While state groups will likely continue internal exploit discovery and development, more adversaries are expected to gain access to zero-days through private companies, and at a faster rate, FireEye says.