Zero-Day Surge Narrows the Average Exploitation Time

Highlights:

• Zero-day exploits initiated more than 50% of the most impactful vulnerabilities and put multiple businesses at risk.
• The average exploitation time of zero-day vulnerabilities came down from 42 days in 2020 to 12 days in 2021.

A new study shows that when compared to 2020, zero-day software vulnerabilities doubled last year even before the vendors could get an opportunity to patch them. Additionally, more than half of the most impactful vulnerabilities were initiated with a zero-day exploit.

Rapid7 analyzed the top 50 high-impact vulnerabilities from 2021 that posed high risks to businesses. They found that 43 of such vulnerabilities were exploited in the wild, including 20 that were exploited even before the availability of a patch. The research concluded that more than fifty percent of the exploited vulnerabilities in the study were used in attacks within a week of their public disclosure. Furthermore, the average exploitation time substantially reduced from 42 days in 2020 to 12 days in 2021.

Unsurprisingly, around 60% of the vulnerability risks were deployed as ransomware attacks. The report also said that wide-swath attacks were less targeted and more opportunistic in 2021.

Caitlin Condon, vulnerability research manager at Rapid7, said in a tweet, “There’s consensus that zero-day attacks hit an all-time high in 2021. We intentionally weren’t indexing on zero-day exploits in our data, and still, we saw a big uptick in zero-day attacks. Worse, more than half of *widespread* threats began with a zero-day exploit. That’s insane.”

She also said that higher visibility and data sharing are the key reasons why these industries are witnessing such attacks.

According to Rapid7’s report, which covers the vulnerabilities and attacks chain trends, including well-documented Microsoft Exchange and Windows Print Spooler vulnerabilities exposed and attacked the previous year, the surge in zero-day attacks was the key reason for the narrowed window exploitation time. As a result, enterprises witnessed additional pressure to respond to the latest threats and patching responses.

Condon said during an interview, “First and foremost, security and IT teams have been operating in a highly elevated threat climate. We can validate that with data — these folks have been working triple-time combating threats over the past year and a half, and their jobs have included complex risk communications as well as actual operations work. Many of them have been working with limited resources in part because of the lingering effects of the pandemic. Second, in a world where mass exploitation is starting within days or hours of disclosure, it’s critically important for organizations to be good at the basics of vulnerability risk management so they can define and iterate on emergency procedures.”

Experts’ view

“Attacker economies of scale have played a big part here — it’s increasingly common for critical vulnerabilities in popular technology to be weaponized quickly by ransomware and coin-mining groups whose operations rely on widespread exploitation to profit. We’ve also seen instances where two or three or more APT groups are exploiting critical vulnerabilities alongside more opportunistic attackers,” vulnerability research manager at Rapid7, Caitlin Condon, said.

“One of the most paradoxical parts of an elevated risk climate is that guidance remains steady. Think of this as weathering a tough economy: Diversify, don’t panic, and take a long view,” Condon said. She added that layer defense is also a critical response.