Google: Zero-day exploits increasingly target enterprise technologies – scworld.com

The number of zero-day vulnerabilities exploited in-the-wild jumped significantly in 2023, as threat actors focused their efforts on enterprise-specific software and appliances, according to new research.
In Google’s fifth annual review (PDF) of zero-days exploited in-the-wild, researchers reported observing 97 zero-days in 2023, a 56% jump from the 65 spotted in 2022, but still below 2021’s record of 106.
Notably, there was a 64% rise in adversary exploitation of enterprise-specific technologies last year, continuing a trend the researchers have observed over the past five years. While only 11.8% of zero-days affected enterprise technologies in 2019, that share had climbed to 37.1% by 2023.
The increase in enterprise targeting was fueled mainly by exploitation of security software and appliances, the researchers said.

Security solutions that suffered zero-day attacks in 2023 included Barracuda Email Security Gateway, Cisco Adaptive Security Appliance, Ivanti Endpoint Manager Mobile and Sentry, and Trend Micro Apex One.
The researchers — from Google’s Threat Analysis Group (TAG) and security firm Mandiant, which Google acquired in 2022 — observed exploitation of nine vulnerabilities affecting security software or devices.
“Security software is a valuable target for attackers because it often runs on the edge of a network with high permissions and access,” they said.
“By successfully exploiting such technologies, attackers can gain an initial foothold into a targeted organization for follow-on activity.”
Another indication of the growing sophistication of threat actors’ focus on enterprises was an increase in zero-days targeting third-party components and libraries.
“Vulnerabilities in third-party components tend to be higher value and more useful than vulnerabilities in the product’s first party code because they can affect more than just one product,” the report said.
“Therefore, an attacker would only need one bug and one exploit to affect two different products instead of developing and maintaining two different ones.”
Of the 97 zero-days the researchers observed in 2023, 48 were attributed to commercial surveillance vendors or nation-state espionage campaigns. In comparison, only 10 were attributed to financially motivated threat actors.
Twelve of the government-backed zero-day exploits were attributed to China-linked attackers, more than to any other state.
“Attackers aren’t dumb. Exploiting zero-day vulnerabilities, especially those in open-source libraries, is an easy (and likely undetectable) way to gain full access to servers deep inside an organization’s infrastructure,” said Contrast Security co-founder and CTO Jeff Williams.
He added that the number of zero-days observed last year appeared low, even though it amounted to a more than 50% rise over the previous year.
“An increase in exploited zero-days from 65 to 97 isn’t that scary when there were over 26,000 reported CVEs last year. The vast majority of attacks are on these known vulnerabilities. Many organizations need to do a much better job of handling these known vulnerabilities faster,” he said.
“Alternatively, it’s very possible that we only detected 97 out of a much bigger number. Remember, zero-days, by their nature, are extremely difficult to detect.”
Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

