Defenders must adapt to shrinking exploitation timelines
A new report from Mandiant reveals that the average time-to-exploit vulnerabilities before or after a patch is released has plunged to just five days in 2023, down from 32 days in 2021 in 2022.
One reason for this is the fact that, in 2023, exploitation of zero-day vulnerabilities (unknown to vendors, with no patches available) considerably outpaced the exploitation of n-day flaws (publicly disclosed bugs, with patches available). Another is that n-day exploitation continues to occur more quickly after disclosure.
Additional findings
Mandiant’s analysts have analyzed 138 vulnerabilities disclosed in 2023 that have been first exploited either as zero-days (97, or 70%) or as n-days (41, or 30%).
Zero-days are being increasingly favored by attackers, it seems, and this might be due to improved detection of zero-days or a higher success rate in exploiting them.
The analysts established that n-day vulnerabilies are most likely to be exploited within a month after the release of a patch, and that nearly all were exploited within six months.
N-day exploitation timeline (Source: Mandiant)
Their analysis confirmed that there is no consistent correlation between the public release of an exploit and the timeline of its use in the wild.
The attention that a vulnerability receives from the media also cannot be used to predict exploitation timelines. “Of the vulnerabilities disclosed in 2023 that received media coverage, 58% are not known to be exploited in the wild, and for those with at least one public proof of concept (PoC) or exploit, 72% are not known to be exploited in the wild,” they noted.
The complexity of exploitation and the value of the vulnerability to attackers seem to be more important factors for predicting how quickly a vulnerability will be exploited.
The analysts pointed out that, for example, CVE-2023-28121, an improper authentication vulnerability affecting the WooCommerce Payments plugin for WordPress, was exploited quickly after an exploit was available, while CVE-2023-27997, a heap-based buffer overflow in the SSL/VPN component of Fortinet FortiOS, took much longer despite immediate public attention and exploit releases.
One of the reasons is that CVE-2023-28121 was much more simple to exploit, allowing for automated exploitation campaigns by opportunistic adversaries.
“On the other hand, CVE-2023-27997 requires exploiting a heap-based buffer overflow against systems which typically have several standard and non-standard protections, including data execution prevention (DEP) and address space layout randomization (ASLR), as well as navigating the logic of a custom hashing and XORing mechanism. When considering the multiple complexities involved in addition to the fact that targeted systems would likely already have multiple mitigations in place, we can see how much less time-efficient and reliable exploitation of this vulnerability would be,” they explained.
Such an effort is usually undertaken by technically knowledgeable and persistent attackers who see the value of compromising privileged systems within larger organizations’ networks, but it usually takes them some time.
The importance of quick patching
“As the amount of discovered vulnerabilities grows over time, threat actors are provided with more opportunities to take advantage of these weaknesses,” the analysts noted, and pointed out that threat actors are utilizing vulnerabilities months or years after patches have been released (as evidenced by CISA constantly adding older vulnerabilities to its Known Exploited Vulnerabilities catalog).
Cybercriminals are definitely getting faster at exploiting known vulnerabilities in a wider range of products, making properly prioritized and speedy patching more important than ever.
“This increase in available technologies expands attack surfaces, reinforcing the importance of considering how a singular vulnerable technology could affect systems and networks laterally. Segmented architectures and access control implementations should be prioritized in order to limit the extent of impacted systems and data when exploitation does occur,” Mandiant analysts concluded.