Google Project Zero researcher Maddie Stone presents a speech at the FIRST conference which titled "0-day In-the-Wild Exploitation in 2022…so far".
It revealed that nine out of 18 zero-day flaws detected and disclosed as exploited in-the-wild in 2022 are variants of previously patched vulnerabilities.
- Found 18 detected zero-days as exploited in-the-wild.
- At least 9 of them are variants of previously patched vulnerabilities.
This means that many of the attacks were not so sophisticated, instead threat actors that exploited the issue were able to come back and trigger the known vulnerability through a different path.
For example:
- CVE-2022-30190 (Follina Windows vulnerability) ~ CVE-2021-40444 MSHTML zero-day
- CVE-2022-21882 (Windows win32k) ~ CVE-2021-1732
- CVE-2022-22587 (iOS) ~ CVE-2021-30983
- CVE-2022-1096 (Chromium) ~ CVE-2016-5128, CVE-2021-30551, CVE-2022-1232
- CVE-2022-1364 (Chromium v8) ~ CVE-2021-21195
- CVE-2022-26134 (Atlassian Confluence) ~ CVE-2021-26084
- CVE-2022-26925 (PetitPotam) ~ CVE-2021-36942 (patch regressed)
“When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method.”
To properly address zero-day vulnerabilities Google researchers recommend platform security teams and other independent security researchers to invest in root cause analysis, variant analysis, patch analysis, and exploit technique analysis.
Learn from 0-days exploited in the wild to make -day hard.
Make 0-day hard by:
- Increase the cost (mean time, expertise) per exploit.
- Increase the number of exploits required.
Links: