Have you noticed that lately we’ve been hearing more about in-the-wild attacks exploiting 0-day vulnerabilities? “Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020,” researchers with Google’s Threat Analysis Group (TAG) have pointed out in a recent blog post.
Does this mean that threat actors are leveraging more 0-day exploits than ever? Or that researchers and threat analysts are getting better at detecting these attacks? Both answers are likely true, and there may be other factors at play.
Recently detected attacks
TAG analysts Maddie Stone and Clement Lecigne have shared information about several attack campaigns exploiting 0-day vulnerabilities that TAG discovered this year, and in some of them they believe the 0-day exploits were sourced from the same (unnamed) commercial surveillance company.
Two campaigns exploiting two Chrome zero-days (CVE-2021-21166 and CVE-2021-30551) lured Armenian targets to attacker-controlled domains that fingerprinted their devices to determine whether they could be targeted with the exploits; if they could, the exploits were delivered automatically.
In two other attack campaigns, the threat actors exploited an Internet Explorer 11 0-day (CVE-2021-33742) to target Armenian users with malicious Office documents that loaded web content within Internet Explorer to deliver the exploit (again only after fingerprinting the targets’ devices).
Finally, a Safari zero-day (CVE-2021-1879) was exploited in attacks targeting government officials from western European countries. The targets would receive a malicious link and, if they visited the site with Safari from an iOS device, they would be redirected to an attacker-controlled domain that served the exploit, which “would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP.”
The analysts believe that these attacks were likely perpetrated by a Russian government-backed actor.
Why are we witnessing an uptick of attacks exploiting 0-days?
“Those of us working on protecting users from 0-day attacks have long suspected that overall, the industry detects only a small percentage of the 0-days actually being used,” Stone and Lecigne noted.
Threat actors are doing their best to keep 0-day exploits hidden from researchers and security solutions and are generally successful – at least for a short while, and sometimes even longer.
Google’s analysts believe that part of the reason we’re hearing more about attacks using 0-day exploits is that detection has improved and a culture of disclosure has grown. They also believe that attackers are forced to use 0-day exploits because security measures aimed at closing known vulnerabilities are working and making their job more difficult.
Unfortunately, the demand for 0-day exploits has created a lucrative market for private companies that sell 0-day capabilities for legal surveillance purposes, and those capabilities end up in the hands and repertoire of government-backed actors.
On the whole, though, increased detection of 0-day exploits is a good thing for IT companies, they say: the vulnerabilities get fixed, and the companies can learn to get better at preventing and fighting exploitation.
In other exploit-related news, it seems that cybercriminals are starting to prefer Access-as-a-Service to specific 0-day or N-day exploits, as the hard work has already been done for them.
UPDATE (July 16, 2021, 00:20 a.m. PT):
Microsoft and Citizen Lab revealed that the two Chrome zero-days and the IE zero-day have been exploited by the DevilsTongue malware – a creation of Israeli spyware vendor Candiru. Citizen Lab’s extensive report offers more details about the firm, the spyware it uses, and the victims that its customers targeted with it.