Zero-day attacks continue to escalate, supply chain mass compromise events are increasing; and we’re still not making adequate use of MFA. There’s no immediate sign of improvement, suggests Rapid7.
The purpose of detail in security vendor reports is to justify the takeaways. It is the takeaways that are important to us. To better understand them, SecurityWeek spoke to Caitlin Condon, director of vulnerability management at Rapid7, and co-author of the firm’s 2024 Attack Intelligence Report (PDF).
Two key takeaways from 2023 are the continuing rise in zero-day exploits, and the growth in mass compromise events – often combined. “For the second time in three years, we saw an increase in mass compromise events,” said Condon. MOVEit (exploited in late May, known in early June 2023), Barracuda ESG (probably first exploited in 2022, but exploding in 2023), and Citrix Bleed (exploited from August 2023) immediately come to mind. This is already known – supply chain attacks have been increasing for many years.
But, added Condon, “We saw more of those events arise from zero-day vulnerabilities than from n-day vulnerabilities. So more than half of new widespread threat CVEs through the beginning of 2024 were exploited before vendors had any chance to implement fixes, and certainly before anybody had any chance to patch them. That trend has been pretty consistent for the past three years.”
The implication is clear. Mass supply chain compromises through indefensible zero-day vulnerabilities will likely continue through 2024. We can only attempt to improve our defenses, because we cannot expect a decrease in zero-day vulnerabilities – that supply will not diminish.
To understand the increasing availability of zero-days we should consider the growing professionalism of the cybercriminal gangs, and compare this to the legitimate business world. Vendors are effectively buying zero-days from bug bounty hunters so they can fix them before they are exploited. (There may be a codicil here that we’ll come back to.) Consider the huge success that organizations like Bugcrowd and HackerOne have had in finding these bugs.
Criminals can do the same. “We can assume that criminal hackers can find a similar volume,” said Condon. “It works because it’s very profitable for both the gangs and the supply chains that feed them. If you’re a ransomware gang with a few successes, you have a substantial amount of cash in hand to buy a zero-day exploit, or ten or twenty, off the dark web.”
With that level of available resources, she continued, “You don’t necessarily need to develop zero-days yourself – although I’m sure they probably also do that.”
Back to that possible codicil. It is not unknown among whitehat bounty hunters to believe that the attraction of bounty programs is for vendors to ‘buy’ and hide vulnerabilities. Payment is usually conditional on the hunter agreeing to a non-disclosure clause. Deep in the Rapid7 report is an unexpected paragraph.
“In our experience, it’s been increasingly common for vendors to silently patch security issues, withholding advisories and CVE descriptions until days or weeks later. Even then, more vendors appear to be deliberately obfuscating vulnerability details, declining to publish root cause and attack vector information based on an understandable but misguided belief that obscurity deters adversaries and mitigates reputational risk to software producers.”
It seems that some vendors may be operating in direct opposition to government requests for greater transparency – and there may be more zero-days and n-days known to attackers than we are led to suspect. Condon was hesitant to propose possible reasons for this attitude, but suggested it may be driven by the different motivations between governments and vendors – especially publicly owned vendors with shareholders.
“One is trying to make sure information is disseminated widely so long as it does not further compromise national security,” she ventured. “And the other is trying to protect assets and reputation. And those two motivations don’t necessarily have anything to do with whether you share information or not, but they can be frameworks that don’t incentivize the same level of sharing.”
The biggest single takeaway from the Rapid7 report is that attackers are getting more sophisticated, better armed, and faster. Nothing suggests that this will change. Faced with this increasing threat, proactive remedial action becomes essential. For years we have been exhorted to assume a breach and be ready with a response. We have concentrated our defenses inside the network to the detriment of the edge.
Attackers understand this and have for the last few years increased attacks against less well-defended edge devices from where they can pivot into the network proper. “Mass compromise events stemming from exploitation of network edge devices have almost doubled since the start of 2023, with 36% of all widely exploited 2023 vulnerabilities occurring in network perimeter technologies,” says the report. Detection and response is no longer enough – the importance of prevention, especially at the edge, has returned.
But if there is one primary defensive takeaway from the Rapid7 report, it is this: “More than 40% of incidents Rapid7 investigated in 2023 were the result of missing or inconsistent enforcement of MFA, particularly on VPN, VDI, and SaaS products.”
“We don’t necessarily know the details,” said Condon. “Did these organizations truly not have any MFA? Were they just not configuring it properly? Or were they not enforcing it? But, yes, it certainly slows down many attacks and can stop some.”
It is worth considering MFA (and layered security in general) as analogous to the long-standing physical policing concept of Crime Prevention Through Environmental Design (CPTED): you make the target building as uninviting as possible. The casual burglar will move onto something less difficult.
In this analogy, MFA reinforces the front door – maybe akin to a second (biometric?) entry device, and an alarm that tells you someone unexpected and unauthorized is trying to gain entry. MFA won’t stop the determined nation state attacker that has a bulldozer, but that is no excuse for not deterring the more populous and less sophisticated criminal.
