A Brisk Private Trade in Zero-Day Exploits Can Be a Pain in the Neck for Organizations

In 2019 there were more cyberattacks that exploited zero-day vulnerabilities than in the previous three years.
The main reason for the increase was that more zero-day exploits were being offered for sale by cyber weapon dealers like NSO Group.

Sophisticated advanced persistent threat (APT) groups are no longer the only ones to leverage zero-day exploits. An analysis by FireEye has revealed that several other threat actors have also shifted their focus to using zero-day vulnerabilities to launch attacks against organizations.

It has been found that in 2019 there were more cyberattacks that exploited zero-day vulnerabilities than in the previous three years. The main reason for the increase was that more zero-day exploits were being offered for sale by cyber weapon dealers like NSO Group. This, in turn, simplified the job of threat actors planning an attack, who no longer had to put extra effort into developing exploits themselves.

Zero-day exploits over the past three years
The research from FireEye revealed that the global map of zero-day hacking has expanded far beyond the United States, Russia, and China. Since late 2017 there has been an increase in cyberattacks leveraging zero-days against targets in Middle Eastern countries.

In 2016, an APT group called Stealth Falcon or FruityArmor was found using more zero-days than any other hacking group, including three iOS zero-days sold by the NSO Group. The group has continued to attack journalists and activists in the Middle East with targeted espionage campaigns over the years.

Also, the SandCat APT, which Kaspersky believes ‘to be affiliated with Uzbekistan state intelligence’, was observed using a Windows kernel zero-day bug (CVE-2019-0859) that allowed it to take full control of victims’ systems.

Notable zero-days that were absent from the timeline
FireEye also cited examples of zero-day exploitation that was not attributed to any particular APT group. These zero-day exploits were leveraged in tools provided by the private offensive vendor NSO Group. They included a zero-day flaw in WhatsApp (CVE-2019-3568) that was reportedly used to distribute spyware, a flaw in Adobe Flash Player (CVE-2018-15982) that was used to target a Russian healthcare organization, and an Android vulnerability (CVE-2019-2215) that was exploited in the wild in October 2019.

Threat actor groups that leveraged zero-day exploits
The Chinese espionage group APT3, the North Korea-based APT37 threat actor group, and FIN6 were among the threat actor groups that increasingly used zero-day exploits to launch attacks. While some of these attacks were used to distribute malware, a few of them were focused on gaining financial benefits.

“In multiple cases, groups linked to these countries have been able to weaponize vulnerabilities and incorporate them into their operations, aiming to take advantage of the window between disclosure and patch application,” FireEye explained in a blog post.