One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations.
FireEye Mandiant Threat Intelligence documented more zero-days exploited in 2019 than in any of the previous three years. While not every instance of zero-day exploitation can be attributed to a tracked group, we noted that a wider range of tracked actors appear to have gained access to these capabilities. Furthermore, we noted a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber capabilities, as well as an increase in zero-days used against targets in the Middle East and/or by groups with suspected ties to this region. Going forward, we are likely to see a greater variety of actors using zero-days, especially as private vendors continue feeding the demand for offensive cyber weapons.
Since late 2017, FireEye Mandiant Threat Intelligence noted a significant increase in the number of zero-days leveraged by groups that are known or suspected to be customers of private companies that supply offensive cyber tools and services. Additionally, we observed an increase in zero-days leveraged against targets in the Middle East, and/or by groups with suspected ties to this region.
Examples include:
We also noted examples of zero-day exploitation that have not been attributed to tracked groups but that appear to have been leveraged in tools provided by private offensive security companies, for instance:
Zero-Day Exploitation by Major Cyber Powers
We have continued to see exploitation of zero-days by espionage groups of major cyber powers.
In addition, we believe that some of the most dangerous state-sponsored intrusion sets are increasingly demonstrating the ability to quickly exploit vulnerabilities that have been made public. In multiple cases, groups linked to these countries have been able to weaponize vulnerabilities and incorporate them into their operations, aiming to take advantage of the window between disclosure and patch application.
Zero-Day Use by Financially Motivated Actors
Financially motivated groups have and continue to leverage zero-days in their operations, though with less frequency than espionage groups.
In May 2019, we reported that FIN6 used a Windows Server 2019 use-after-free zero-day (CVE-2019-0859) in a targeted intrusion in February 2019. Some evidence suggests that the group may have used the exploit since August 2018. While open sources have suggested that the group potentially acquired the zero-day from the criminal underground actor “BuggiCorp,” we have not identified direct evidence linking this actor to this exploit’s development or sale.
We surmise that access to zero-day capabilities is becoming increasingly commodified based on the proportion of zero-days exploited in the wild by suspected customers of private companies. Possible reasons for this include:
It is likely that state groups will continue to support internal exploit discovery and development; however, the availability of zero-days through private companies may offer a more attractive option than relying on domestic solutions or underground markets. As a result, we expect that the number of adversaries demonstrating access to these kinds of vulnerabilities will almost certainly increase and will do so at a faster rate than the growth of their overall offensive cyber capabilities—provided they have the ability and will to spend the necessary funds.
Register today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in vulnerability threats, trends and recommendations in our upcoming April 30 webinar.
Sourcing Note: Some vulnerabilities and zero-days were identified based on FireEye research, Mandiant breach investigation findings, and other technical collections. This paper also references vulnerabilities and zero-days discussed in open sources including Google Project Zero’s zero-day “In the Wild” Spreadsheet. While we believe these sources are reliable as used in this paper, we do not vouch for the complete findings of those sources. Due to the ongoing discovery of past incidents, we expect that this research will remain dynamic.