Zero-Day vulnerabilities have become a preferred vector of attack for cybercriminals.
Pushed by the rapid acceleration and abundance of new software, updates, and apps being released, the software development sector is leaving wide security gaps and weak points across architectures.
Google’s “A Year in Review of Zero-Days Exploited In-the-Wild”, released at the end of last month, found a 50% year-over-year increase in zero-day attacks and exploits.
Techopedia talked with cybersecurity experts to discuss the report and get their insight on how software companies can respond.
Key Takeaways
- Google’s latest Zero-Day report shows a significant increase in zero-day exploits, highlighting the urgency of the issue.
- Nation-state actors and commercial surveillance vendors are a major threat. These groups are exploiting vulnerabilities for espionage, making it difficult to defend against such attacks.
- Security features like Apple’s Lockdown mode demonstrate the potential to minimize the attack surface.
- Robust security teams, response plans, and ethical hacking programs are crucial for defence.
- Regulations on commercial surveillance vendors and stricter controls are needed.
Zero-Day Exploits In-The-Wild: Nation-State Cyberattacks
According to the Google report, nation-state-supported cyberattacks affect the tech industry and, by extension, all of us as consumers.
According to researchers Maddie Stone and James Sadowski, the People’s Republic of China (PRC) is the leading country in government-backed cyber-espionage zero-day exploitation.
Attributing Attacks to Threat Actors and Response Strategies
Jeff Williams, co-founder and CTO at Contrast Security, a company that supports security and development teams with a unified approach to software development, spoke to Techopedia about the complexities of attributing and responding to nation-state cyberattacks.
“Attribution is almost impossible, very expensive, and very time-consuming, as it is far too easy for the attacker to hide their tracks or engage in false flag operations.”
“Without attribution, response against the attackers isn’t feasible,” Williams added. “So, the conclusion has to be that targeting the attackers with retribution and legal or military consequences isn’t likely to succeed.
“We need to focus a lot more on preventing the vulnerabilities that enable these attacks in the first place.”
Ruben Muradyan, Chief Information Security Officer at the global cybersecurity firm Hexens, agreed that challenges exist when attributing attacks but also gave clear guidance to those who venture into that realm.
“It is not possible to attribute such attacks without having access to the widest possible data and digital intelligence.
“That’s why you may read reports with attribution from global players like MS, Google TAG, Google Mandiant, IBM, and state-level CERTs.
“Attribution requires proficiency in very specific areas of cybersecurity and access to huge amounts of historical data.”
The Political Game at Stake
Zero-day exploitation attacks are playing a big role in nation-state-supported ransomware attacks.
Akamai reported that the use of zero-day and one-day vulnerabilities led to a 143% increase in total ransomware victims between 2022 and 2023. Groups like the recently dismantled LockBit — linked to Russia — dominated this technique in 2023.
Adam Ilowite, CEO of Axero Solutions — an intranet software provider — said that political “games” and threat actors spread across different countries make responding to nation-state attackers very difficult for most organizations.
He said:
“Nation-state cyberattacks are hard to root out and find as they can span across countries or continents and have such a degree of technical sophistication that it becomes resource-expensive to pursue the attackers.
“There is also the political game at play, which can cause problems in areas other than cyber safety, not to mention potential retaliation if nation-states do act.
“In general, these attacks are risky and dangerous with the challenges being to find and then take action where a favorable outcome is apparent/possible.”
Commercial Surveillance Vendors Lead in Exploits
A recent Google Threat Analysis Group (TAG) report found that commercial surveillance vendors (CSVs) account for half of all known zero-day exploits that target Google. TAG said that the rise of CSVs (for instance, companies that provide spyware to governments) causes real-world harm and threatens free speech, the free press, and the open internet.
TAG adds that the most advanced technologies and capabilities that used to be exclusive to governments are now in the hands of CSVs, with individuals or companies located all over the world selling exploits to customers and governments.
“CSVs were behind 75% of known zero-day exploits targeting Google products as well as Android ecosystem devices in 2023. Of the 37 zero-day vulnerabilities in browsers and mobile devices exploited in 2023, we attributed over 60% to CSVs that sell spyware capabilities to government customers.”
The Tools of Tyranny and Dictatorship
“I’m quite pessimistic about the prospect of combatting CSVs,” Muradyan from Hexens told Techopedia. “As long as state actors are ready to pay CSVs, the latter will find a way to sell their services.”
“The neverending legal battles against numerous reincarnations of NSO Group and Cytrox/Intellexa prove that CSVs operate quite comfortably in today’s world to supply dictators with sophisticated spyware.
“I don’t see what could stop authoritarian regimes from paying for surveillance — the most efficient tool for tyranny.”
CSVs: Calls for Stronger Regulations
Governments around the world have taken action against CSVs in an effort to end their operations. For example, in mid-2023, the U.S. Department of State announced that four foreign commercial spyware entities were added to the Entity List of Malicious Cyber Activities. The Department of State then explained the dangers of spyware.
“The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of U.S. government personnel and their families.”
But many experts call for more action. Roei Sherman, Field CTO at Mitiga, spoke to Techopedia about this issue.
“Addressing this issue requires a dual approach: stronger regulations and definitions around the development and sale of spyware by nations, coupled with increased efforts from the cybersecurity community to ensure transparency and the disclosure of detected zero-days in both commercial tools and open-source projects.”
Ilowite from Axero Solutions also called for regulatory action to curb future CSV threats.
“I think we need stricter regulations and oversight. The government could take this action to help curb this cyber issue. Vulnerability disclosure agreements could also help, bringing potential cyber issues to light and allowing for better protection for everyone.”
Advanced Security Features Make a Difference
Google’s new zero-day exploitation in the wild report also found that software developers can make a difference when they put in the effort.
The report highlighted Google’s MiraclePtr for preventing exploitations in Chrome, as well as Apple’s Lockdown mode for iOS.
Muradyan from Hexens described Apple’s Lockdown mode as a technological measure that minimizes the attack surface available to malicious third parties (in other words, it turns off risky features).
“Moreover, it’s not possible to find a silver bullet solution against attacks using zero-day vulnerabilities.
“The essence or pure meaning of a zero-day attack is that it’s not known (at the time of exploitation) to a software vendor.”
“It’s therefore impossible to ensure protection from an unknown attack,” Muradyan said. “In other words, Lockdown Mode doesn’t prevent the exploitation of zero-day vulnerabilities but minimizes the probability of their exploitation by reducing dangerous features.
“I would pay additional attention to the continuous development of granular security permissions, like the introduction of the permission to use a user’s location Always/While using an app/Never implemented in the latest versions of iOS/Android, as well as system-level indicators for running privacy-sensitive sensors like cameras, microphones, locations, and the like.
“I also expect the development of user-friendly approaches to application whitelisting and more efficient SELinux approaches in Android.”
Ilowite from Axero elaborated on other promising security advancements, such as Darktrace and its Active AI security platform.
“The advancements in this area are not only exciting but also promising for cybersecurity,” Ilowite said.
“Some other notable emerging tech is Microsoft’s SEAL with advanced encryption techniques and Cloudflare One’s secure access service edge (SASE) technology.”
Key Considerations: Building Zero-Day Response Plans
While the Google zero-day exploitation report only covers 2023, organizations like the Zero Day Initiative — created to incentivize the private reporting of zero-day vulnerabilities to the affected vendors by financially rewarding researchers — say early 2024 shows no signs of slowing down.
Zero Day Initiative lists about 150 zero-day advisories just for March 2024 alone.
In April, Zero Day Initiative highlighted the release of nine Adobe patches that address 24 CVEs in Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate. The initiative describes Microsoft’s patches for April as “whopping”.
“Microsoft released a whopping 147 new CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot.”
Techopedia asked experts how software vendors can prepare for how they will respond to zero-day attacks and how they can build robust and efficient zero-day response plans.
Know Your Digital Surface and React with Speed
Williams from Contrast Security said that software vendors (including companies offering web applications and web APIs) should work today to establish the infrastructure needed to detect attacks and respond quickly.
“They need an application security blueprint that will facilitate very high-speed diagnosis of attacks.”
These companies would also need — according to Williams — a “way to very quickly harden their software without having to go through a lengthy software release.”
“Runtime security enables organizations to deploy new protections dynamically, without having to change their software.”
Ilowite from Axero spoke about access control, intrusion detection systems (IDS), IT-OT operations, industrial control systems (ICS), and more.
“Access control is a main staple of cybersecurity and should be implemented on your systems. It helps corner breaches and prevents all data being accessed in breaches.”
Ilowite added that intrusion detection systems (IDS) should be deployed as soon as possible if they are not already up and running. He highlighted the role IDS play for critical infrastructure, industrial security, and other sectors that operate both IT and OT environments.
“IDS are especially necessary if you have ICSs as your IDS will monitor both IT and OT for suspicious activity.”
Sherman from Mitiga added that companies need to be prepared to respond.
“Software companies need to make sure they implement robust and advanced internal security teams,” Sherman said.
“Those should include strong application security teams to try and identify any weakness during the development lifecycle, a team to receive and investigate any reporting about weaknesses in their software and integrate this with a bug bounty program.”
The Bottom Line
Zero-day vulnerabilities are on the rise, particularly those exploited by nation-state actors and commercial surveillance vendors. These attacks are difficult to attribute and even harder to defend against.
While some promising advancements in security features offer a glimmer of hope, software vendors are constantly playing catch-up. So, what can be done?
Software companies need robust security teams, efficient response plans, and a commitment to transparency. Building a strong application security infrastructure and fostering ethical hacking communities are crucial steps.
Ultimately, the fight against zero-day attacks requires a multi-pronged approach. It’s a race against time, and collaboration between security researchers, software vendors, and policymakers is essential to protect the digital landscape.