Microsoft Defence Report – Hackers Highly Target Publicly-Disclosed Zero-Day Vulnerabilities

Microsoft issues a warning about a rise in the use of publicly revealed zero-day exploits by threat actors in their attacks.

The researchers noted a shortening of the period between the disclosure of a vulnerability and its commoditization and noted the significance of the patch management procedure.

“As cyber threat actors—both nation-state and criminal—become more adept at leveraging these vulnerabilities, we have observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability. This makes it essential that organizations patch exploits immediately”, according to the Digital Defense Report.

Generally, it often takes just 14 days for a vulnerability to be exploited in the wild once it has been made public, but it typically takes 60 days for the exploit code to be published on GitHub.

“While zero-day vulnerability attacks tend to initially target a limited set of organizations, they are quickly adopted into the larger threat actor ecosystem. This kicks off a race for threat actors to exploit the vulnerability as widely as possible before their potential targets install patches”, reads the Digital Defense Report.

The report also says there are increasingly complex critical infrastructure cybersecurity policies in development across regions, sectors, and topic areas.

This activity brings great opportunities and significant challenges. Many nation-state actors have developed capabilities to create exploits from unknown vulnerabilities; China-linked APT groups are particularly proficient in this activity.

“China’s vulnerability reporting regulation went into effect September 2021, marking a first in the world for a government to require the reporting of vulnerabilities into a government authority for review prior to the vulnerability being shared with the product or service owner.” continues the report.

“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them.”

List of vulnerabilities first developed and deployed by China-linked threat actors in attacks, before being publicly disclosed and spread among other actors in attacks in the wild:

• CVE-2021-35211 SolarWinds Serv-U;
• CVE-2021-40539 Zoho ManageEngine ADSelfService Plus;
• CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus;
• CVE-2021-42321 Microsoft Exchange;
• CVE-2022-26134 Confluence;

Therefore, as soon as they are made public, Microsoft advises enterprises to prioritize patching zero-day vulnerabilities. It also suggests documenting and inventorying all enterprise hardware and software assets to assess their vulnerability to assaults.