Even the most complex cyberattacks are too easy

By Joseph Marks, Washington Post

Welcome to The Cybersecurity 202! Whatever else 4/20 may signify, it's also the second birthday of this guy here. Happy birthday, Jet!

Below: European lawmakers on a committee investigating spyware get cracking, and a former eBay executive is pleading guilty in a bizarre cyberstalking scheme. 

‘Zero day’ cyber attacks should be harder to pull off

The most complex and time-consuming cyberattacks are still far too easy to pull off, according to a new report from Google’s Project Zero division.

These attacks, called zero days because they exploit flaws the vendor has not yet had a chance to fix, are typically pulled off by extremely sophisticated hackers such as those employed by government intelligence agencies and top-end private companies like the controversial spyware vendor NSO Group. Because no patch exists when they are used, they're more likely to give hackers long-lasting access to the technology they exploit and the ability to do far more damage. 

Ideally, such hacks would take so much time, effort and expertise that only the cream of the crop could find and use them. But that’s rarely the case, Google found. The report underscores the way cyberattackers continue to have an advantage over defenders — even at the very top of the hacking food chain. 
“It’s not as hard as it should be,” Maddie Stone, the Google researcher who developed the report, told me. “These should take so much effort to develop and cost so much money that they require years and years to develop, and that’s not what we’re seeing.”

“Zero day”

The annual report looks at cyberattacks conducted using “zero day” vulnerabilities. A zero day is a vulnerability that hackers discover and exploit before the software's developers are aware of it, so the developers have had zero days to patch against it.

The report focuses specifically on zero days that researchers believe nefarious hackers actually exploited in the wild, rather than those that were merely discovered and reported by the good guys before anyone abused them. Because these zero day exploits are so comparatively easy to develop, hackers aren't as fearful of researchers discovering and protecting against them, so they use them more freely and cause more damage. 

The details

  • Out of 58 exploited zero days that Google identified last year, all but two of them were comparatively easy to develop: they relied on the same well-known types of security gaps, in products that hackers frequently target, that attackers have exploited in previous years.
  • “With two exceptions … everything we saw was pretty ‘meh’ or standard,” the report states.
  • The two totally novel zero days were both exploited with tools developed by NSO, which has drawn international condemnation because government clients used its tools to target journalists, dissidents and political opponents.
To be clear: Zero day hacks remain exceedingly rare compared with run-of-the-mill hacks, which use vulnerabilities that are already publicly known and patched but that people and organizations simply haven't updated their technology to guard against. 

But they get outsize attention from cyberthreat researchers and media because they’re used against some of the most high-profile targets. 

“My mom and dad don’t need to worry about being attacked with zero days, but when politicians, journalists and human rights activists are targeted, that affects us in a very large way,” Stone told me. “We need to care about them because of the societal impact.” 

Questions

No one's sure quite how bad the zero day problem is.

Researchers simply don't know about the zero day bugs that they haven't discovered yet. And the people who do know about them — nefarious hackers — aren't sharing information. 

Stone estimated that the 58 zero days highlighted in this year’s Project Zero report represent less than 20 percent of the total number of zero days that were exploited in 2021, with the rest going undetected. 

“I’d probably hedge closer to 10 percent,” she said. “There’s a huge number of zero days that no one is detecting.”

There were more exploited zero days detected last year than in any previous year — more than double the previous record of 28 exploited zero days detected in 2015.

But the report attributes that jump mostly to more zero days being discovered and reported, rather than to more of them being exploited. 

More details from Project Zero via Recorded Future’s Allan Liska:

One big difference in the number of zero day reports came from tech platforms that began stating in their security advisories whether a previously undisclosed bug had been exploited by hackers in the wild or not. Such annotated reports accounted for 12 of the 58 zero days reported: seven from Apple products and five from Google’s Android division. 

And yet: It's likely that many software vendors are aware of zero days that have been exploited on their platforms that they haven't publicly disclosed. One policy change Project Zero is calling for is a pledge from vendors to publicly disclose such bugs. 
