The Proliferation of Zero-days

The MIT Technology Review is reporting that 2021 is a blockbuster year for zero-day exploits:

One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools.

Powerful groups are all pouring heaps of cash into zero-days to use for themselves — and they’re reaping the rewards.

At the top of the food chain are the government-sponsored hackers. China alone is suspected to be responsible for nine zero-days this year, says Jared Semrau, a director of vulnerability and exploitation at the American cybersecurity firm FireEye Mandiant. The US and its allies clearly possess some of the most sophisticated hacking capabilities, and there is rising talk of using those tools more aggressively.

[…]

Few who want zero-days have the capabilities of Beijing and Washington. Most countries seeking powerful exploits don’t have the talent or infrastructure to develop them domestically, and so they purchase them instead.

[…]

It’s easier than ever to buy zero-days from the growing exploit industry. What was once prohibitively expensive and high-end is now more widely accessible.

[…]

And cybercriminals, too, have used zero-day attacks to make money in recent years, finding flaws in software that allow them to run valuable ransomware schemes.

“Financially motivated actors are more sophisticated than ever,” Semrau says. “One-third of the zero-days we’ve tracked recently can be traced directly back to financially motivated actors. So they’re playing a significant role in this increase which I don’t think many people are giving credit for.”

[…]

No one we spoke to believes that the total number of zero-day attacks more than doubled in such a short period of time — just the number that have been caught. That suggests defenders are becoming better at catching hackers in the act.

You can look at the data, such as Google’s zero-day spreadsheet, which tracks nearly a decade of significant hacks that were caught in the wild.

One change the trend may reflect is that there’s more money available for defense, not least from larger bug bounties and rewards put forward by tech companies for the discovery of new zero-day vulnerabilities. But there are also better tools.

Posted on September 24, 2021 at 9:51 AM14 Comments

Comments

dimir September 24, 2021 10:06 AM

There is a typo in the introductory line with the link to the report: The HTML reads hre="[...]" instead of href="[...]"

Clive Robinson September 24, 2021 10:06 AM

@ All,

The article assumes,

“At the top of the food chain are the government-sponsored hackers.”

Does not answer an important question, which is,

“Why are there so many zero day vulnerabilities?”

The answer is not that there is more incentive to find them, but that they are there to be found.

Look on it as being a “gold rush” you only get one when somebody finds the gold that has been there since the earth was formed.

Thus the question should be,

“Why are consumer grade software developers puting so many vulnarabilities in the code they cut?”

JonKnowsNothing September 24, 2021 11:33 AM

@Clive, All

re: “Why are consumer grade software developers putting so many vulnerabilities in the code they cut?”

All the QA Testing in the world doesn’t help, if the code is not fixed.

  • Didn’t they test it? Sure QA did. The Devs didn’t fix it.

A quick pass through any software company’s bug database will show the extent of the problem.

Trival: The typo or language error that never gets fixed because “it’s trivial”

Corner/Edge Cases: Never get fixed because they are too hard to fix and require too many man-months PLUS a redesign since the design is the reason there is an Edge or Corner Case to begin with.

If someone does get a peek-a-boo at the bug database, it would be smart but not necessarily prudent to ask “WHICH database is this one?”. There may be only 1 but there’s a different 1, depending on who and where you are located in the organization tree.

Then there is a bigger problem of …

Developer Prestige: Who gets to work on the new stuff and who gets stuck fixing the bugs the folks working on the new stuff create. Anyone stuck in maintenance may be deemed to be a dullsville-dudette who might just point out the Corner and Edge Cases during design sessions and THAT would put the cat-in-the-pigeons for marketing and delivery dates.

Fix It Again Tony…

jones September 24, 2021 11:58 AM

We need laws to provide software liability regardless of what is contained in the EULA. There won’t be any incentive to sell quality software until vendors routinely face something as potentially damaging as defective automobile or contaminated vegetable recalls.

lurker September 24, 2021 1:17 PM

@Bruce

China alone is suspected to be responsible for nine zero-days this year…

Nitpick, China [or any nation level adversary] isn’t responsible for them, they were just laying there in the code all the time and China happened to stumble upon them.

@Clive

Why are consumer grade software developers puting so many vulnarabilities in the code they cut?

Because fixing it,

@JonKnowsNothing

would put the cat-in-the-pigeons for marketing and delivery dates.

Follow the money. Which as the article says, is exactly what cyber-crims are now doing. And a fix is suggested by @jones. So if the wisdom of this blog can identify the problem, and its cause, and propose a fix, why does it still go on? (Mutterings about governments that people deserve…l

any moose September 24, 2021 3:22 PM

Why are there so many zero-days?

1) Windows, the system most affected by zero-days, was never secure. It was a half-baked design by Bill Gates and his cronies. And instead of trying to fix the bugs, much of the software was outsourced to India. Corporations stay with Windows for financial reasons.

2) Anyone who has ever worked in a software engineering organization knows how incompetent most managers are. They demand that a product be released by a certain date, regardless of existing errors. And those errors are often never fixed later. It is a rare manager who understands the importance of system testing.

3) Many software engineers are only interested in building “cool” products and working with “cool” technology. Or they insist on doing technically unnecessary things, for example, creating new classes which wrap tried-and-tested ones, with those new classes never being properly tested.

4) There is no penalty for building non-secure products. If the FTC had teeth, it would ban all IoT products with no security (in other words, all of them). If a health organization, retail corporation, or other entity holding the personal information of consumers is breached, the worst that happens is that the firm must pay for one year’s worth of credit monitooring. Congress is very good at granting get-out-of-jail-free cards to corporate parasites, with the best example being Section 230 of the Communications Decency Act. Target CEO Gregg Steinhafel received a going-away-present of $61 million after the breach.

To quote the Islamist immigration fraudster Ilhan Omar, it’s all about the benjamins, baby.

Eric Bjorgan September 24, 2021 3:30 PM

If the exploits are for sale, couldn’t big companies hire a 3rd party to go get a copy and use that to engineer a fix to bugs? “more money available for defense” might mean buying some intel from bad guys. Yeah, it gives some money to the bad guys, but then they shut it down which is better long-run.

SpaceLifeForm September 24, 2021 3:48 PM

Bug Bounty is a farce

When the vendor fails to fix the bug, there is a reason. You do not have to think too far outside the box to discern the reason.

Maintenance devs are worth their weight in gold, provided they can actually address the problem.

The main reason we see more zero-days these days is because of RE. In the main, Reverse-engineering patches.

When a bug is not properly addressed, the patch will reveal that because it also reveals the original bug.

Which is why I said yesterday, that if you have an iPhone, to update. Apple is backporting patches.

It is all intentional. All by design. My bold.

hxtps://habr.com/en/amp/post/579714/

Gamed 0-day

Any app installed from the App Store may access the following data without any prompt from the user:

Apple ID email and full name associated with it

Apple ID authentication token which allows to access at least one of the endpoints on *.apple.com on behalf of the user

Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all user’s interaction with these contacts (including timestamps and statistics), also some attachments (like URLs and texts)

vas pup September 25, 2021 5:02 PM

Spying concerns fuel the market for more secure tech
https://www.bbc.com/news/business-58543977

“He compares a smartphone to a beehive where “third parties fly in and out, to trade and misuse your data [that’s] collected through all the sensors onboard”.

“A smartphone as a starting point in any secure communications solution is a lost cause. It will never happen,” he warns.

His profound concern about the privacy shortcomings of smartphones has been supported by a series of recent news stories, most notably revelations about the spy software known as Pegasus, a product of Israel’s NSO Group.

In July, it emerged that Pegasus can be installed on iPhones and Android devices, allowing operators to extract messages, photos and emails, record calls and even secretly activate microphones and cameras.

The ability to remotely access a phone was once considered something only a handful of countries could do. But the technology has advanced very quickly and high-end espionage and surveillance powers are now in the hands of many countries and even individuals and small groups.

With such concerns in mind, consumer interest has grown in products with security as their primary selling point – ranging from purpose-built encrypted smartphones to privacy-oriented alternatives to online search engines and maps.

!!!!!!”We are constantly learning that the corporations and governments that have promised to protect us, in fact, do things behind our backs for their own benefit,” he says.

Finland’s Bittium sells a phone that includes a privacy mode that disables [by hardware? – vp]the device’s microphones, camera, and Bluetooth.

However, Tero Savolainen, Bittium’s vice president, warns that a mobile device is only ever as secure as the person using it.

“Even if you have a secure phone, it doesn’t mean that you are safe if the user is not educated on how to use the device securely.”

Read the whole article for more information.

Clive Robinson September 25, 2021 5:32 PM

@ vas pup, ALL,

Read the whole article for more information.

Appart from “the product placments” and “company blurb” there is nothing in that article that has not been saod repeatedly on this blog, since before th alledged “secrue apps” people use today were available.

The sad thing is the number of self promoting “security gurus” that made real ridiculous and easily disprovable claims about the security of mobile phone apps.

I seriously doubt we will see any of them apologize about their claims, even though the BBC are effectively “calling them out”…

lurker September 25, 2021 6:05 PM

@vas pup

Bittium Tough Mobile […] Factory Unlocked 4G/LTE Smartphone with Google Mobile Services […]

hmm, that’s the version from amazon, it’s available elsewhere without the G, apparently costs more. I wonder if the price diff reflects the value they put on your identity…

vas pup September 26, 2021 5:07 PM

@Clive @Lurker – Thank you!

Hardware kill switch (cut off power of the circuit) for all monitoring functions is the only workable solution. All software apps are BS.

That is not happened until NIST will require this for all electronics, e.g. wireless router should have hardware kill switch to turn off WI-FI when router is not in usage OR only Ethernet ports are utilized.

Regarding read the whole article – that was about company and its products utilizing Faraday cage as protection
https://silent-pocket.com/

I will trust Bittium if bought in Finland being there. 🙂

ResearcherZero September 28, 2021 1:29 AM

Under what conditions could increasingly frequent and sophisticated cyber operations result in inadvertent escalation and the use of military force?

hxxps://www.cato.org/policy-analysis/myth-cyber-offense-case-restraint#

ResearcherZero September 28, 2021 1:45 AM

Nice malware probably doesn’t harm people much, maybe, and it probably won’t start any wars, perhaps?

“Even if some escalation does follow, I believe it’s a risk worth taking.”

By Dmitri Alperovitch

Mr. Alperovitch, a computer scientist, is chairman of the Silverado Policy Accelerator, a think tank focused on cybersecurity, trade security and climate change, and a co-founder and former chief technology officer of CrowdStrike, a cybersecurity company.

hxxps://www.nytimes.com/2021/09/20/opinion/ransomware-biden-russia.html

In some cases, security companies will clean up so-called “friendly” malware but avoid going public with it.

hxxps://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/

“They typically don’t attribute US-based operations,” says Sasha Romanosky, a former Pentagon official who published recent research into private-sector cybersecurity investigations. “They told us they specifically step away. It’s not their job to figure out; they politely move aside. That’s not unexpected.”

hxxps://www.cs.dartmouth.edu/~ccpalmer/teaching/cs55/Resources/Papers/RAND_WR1267.pdf

Plenty of time left on the shot clock!

hxxps://thebulletin.org/doomsday-clock/current-time/

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.