Zero-Day Vulnerabilities Rose in 2014: Symantec

Two hundred and ninety-five – that is the combined total of days attackers were actively exploiting the five most targeted zero-days last year before they were patched, according to a new report from Symantec.


In its latest Internet Security Threat Report, Symantec painted a picture of a banner year for zero-day exploits. According to the firm, not only did zero-days increase, the exploitability window did as well, as it took an average of just four days apiece for the top five zero-days exploited in 2013 to be patched.

“Within four hours of the Heartbleed vulnerability becoming public, Symantec saw a surge of attackers stepping up to exploit it,” according to the report. “Reaction time has not increased at an equivalent pace. Advanced attackers continue to favor zero-day vulnerabilities to silently sneak onto victims’ computers, and 2014 had an all-time high of 24 discovered zero-day vulnerabilities. As we observed with Heartbleed, attackers moved in to exploit these vulnerabilities much faster than vendors could create and roll out patches.”

While attackers leveraged zero-days, they also continued to hit networks with targeted spear-phishing attacks. According to Symantec, those attacks increased by eight percent in 2014. Attackers appear to have gotten more precise as well – 20 percent fewer emails were used to successfully reach their targets. They also incorporated more drive-by malware downloads and other web-based exploits.

“In 2014, we saw attackers trick companies into infecting themselves by Trojanizing software updates to common programs and patiently waiting for their targets to download them,” blogged Kevin Haley, director of product management for Symantec Security Response. “Once a victim had downloaded the software update, attackers were given unfettered access to the corporate network. Highly-targeted spear-phishing attacks remained a favorite tactic for infiltrating networks, as the total number of attacks rose eight percent. What makes last year particularly interesting is the precision of these attacks. Spear-phishing attacks used 20 percent fewer emails to successfully reach their targets and incorporated more drive-by malware downloads and other web-based exploits.”

The year also saw an increase in ransomware attacks, which grew 113 percent last year. In particular, there were 45 times as many victims of crypto-ransomware attacks as in 2013, according to the report. In a recent survey from ThreatTrack Security, 30 percent of the 250 organizations polled said they would negotiate with a cyber-criminal to get their data back.

“Instead of pretending to be law enforcement seeking a fine for stolen content, as we’ve seen with traditional ransomware, crypto-ransomware holds a victim’s files, photos and other digital media hostage without masking the attacker’s intention,” Haley blogged. “The victim will be offered a key to decrypt their files, but only after paying a ransom that can range from $300-$500 with no guarantee their files will be freed. While these attacks have traditionally only plagued PCs, we’re seeing more ransomware crop up on other devices. Notably, we observed the first piece of crypto-ransomware on Android devices in 2014.”

 

Written By

Marketing professional with a background in journalism and a focus on IT security.
