Zero-Day Vulnerabilities Rose in 2014: Symantec

Two hundred and ninety-five – that is the combined total of days attackers were actively exploiting the five most targeted zero-days last year before they were patched, according to a new report from Symantec.

In its latest Internet Security Threat Report, Symantec painted a picture of a banner year for zero-day exploits. According to the firm, not only did zero-days increase, the exploitability window did as well, as it took an average of just four days apiece for the top five zero-days exploited in 2013 to be patched.

“Within four hours of the Heartbleed vulnerability becoming public, Symantec saw a surge of attackers stepping up to exploit it,” according to the report. “Reaction time has not increased at an equivalent pace. Advanced attackers continue to favor zero-day vulnerabilities to silently sneak onto victims’ computers, and 2014 had an all-time high of 24 discovered zero-day vulnerabilities. As we observed with Heartbleed, attackers moved in to exploit these vulnerabilities much faster than vendors could create and roll out patches.”

While attackers leveraged zero-days, they also continued to hit networks with targeted spear-phishing attacks. According to Symantec, those attacks increased by eight percent in 2014. Attackers appear to have gotten more precise as well – 20 percent fewer emails were used to successfully reach their targets. They also incorporated more drive-by malware downloads and other web-based exploits.

“In 2014, we saw attackers trick companies into infecting themselves by Trojanizing software updates to common programs and patiently waiting for their targets to download them,” bloogged Kevin Haley, director of product management for Symantec Security Response. “Once a victim had downloaded the software update, attackers were given unfettered access to the corporate network. Highly-targeted spear-phishing attacks remained a favorite tactic for infiltrating networks, as the total number of attacks rose eight percent. What makes last year particularly interesting is the precision of these attacks. Spear-phishing attacks used 20 percent fewer emails to successfully reach their targets and incorporated more drive-by malware downloads and other web-based exploits.”

The year also saw an increase in ransomware attacks, which grew 113 percent last year. In particular, there were 45 times as many victims of crypto-ransomware attacks than in 2013, according to the report. In a recent survey from ThreatTrack Security, 30 percent of the 250 organizations polled said they would negotiate with a cyber-criminal to get their data back.

“Instead of pretending to be law enforcement seeking a fine for stolen content, as we’ve seen with traditional ransomware, crypto-ransomware holds a victim’s files, photos and other digital media hostage without masking the attacker’s intention,” Haley blogged. “The victim will be offered a key to decrypt their files, but only after paying a ransom that can range from $300-$500 with no guarantee their files will be freed. While these attacks have traditionally only plagued PCs, we’re seeing more ransomware crop up on other devices. Notably, we observed the first piece of crypto-ransomware on Android devices in 2014.”