Zero-day exploits are on the rise — and the nation’s top cybersecurity watchdog warns that the feds are also the target.

In November, Michael Duffy, associate director for capacity building in cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), warned attendees at the Imagine Nation ELC conference that the agency had seen “a really high increase in zero-day activity.” “The exploits that we’re seeing around the world are actually impacting federal government networks,” he said.

According to CyberScoop, Duffy said that 2023 saw some of the first ransomware attacks on federal targets.

Nasty surprise. The exact number of zero-day exploits discovered in the wild fluctuates from year to year, but tends to increase over time. Maddie Stone, a security researcher with Google’s Threat Analysis Group (TAG), wrote in July 2023 that researchers found 41 such zero days in 2022, down from 69 in 2021, the highest count in records dating back to 2014.

Similarly, security firm Mandiant tracked 55 exploited zero days in 2022, fewer than the 81 found in 2021 but almost double the number found in 2020. Jared Semrau, senior manager of vulnerabilities and exploits at Mandiant Intelligence, said 2023 is on track to be the highest year on record in their data.

Semrau attributed the increase in zero days to three main groups of actors: state-sponsored hackers, financially motivated criminal organizations, and third-party offensive capability providers who sell exploits to governments. He added that modern software development practices also leave common vulnerabilities exposed, and that patch development often focuses on temporary mitigations rather than the underlying causes.

“It’s not that zero days have become more important,” Semrau told IT Brew. “Their availability is increasing.”

Threat actors, whether they be state-sponsored groups or criminal gangs, have increasingly begun to develop their own zero days in-house rather than rely primarily on shared exploit kits, meaning that “there is a natural need for increased development of zero days.”

Because they are very expensive to develop, zero days are used in targeted attacks. So, while more zero days are being used in general, they “are not necessarily impacting the potential attacker base as broadly,” Semrau said.

Lindsey Cerkovnik, CISA’s industrial control systems (ICS) vulnerability disclosure lead, told IT Brew that certain types of vulnerabilities come up again and again.

“Buffer overflows, other memory-related vulnerabilities,” Cerkovnik said. “We see those commonly used as zero days… We also see things like improper input, improper neutralization.”

What is CISA doing about this? CISA’s “focus is on giving federal agencies the tools and capabilities they need to be able to respond quickly when a zero day arrives,” Doc McConnell, director of the agency’s Federal Enterprise Improvement Team, told IT Brew.

“We make the information that is required by federal agencies available to critical infrastructure operators,” McConnell told IT Brew. The agency also operates the Continuous Diagnostics and Mitigation (CDM) program, he added, which “provides direct, continuous visibility of hardware and software assets actively in use across the federal government.”

Cerkovnik said the agency is encouraging developers to adopt secure-by-design principles, to provide more complete common vulnerabilities and exposures (CVE) information, and to switch to memory-safe programming.

“First [principle is] ensuring CVE completeness… encouraging organizations such as vendors and manufacturers that provide CVE record information to publish root cause, or common weakness counts,” Cerkovnik told IT Brew.

“Changes to the use of memory-safe programming languages could potentially eliminate, or at least significantly reduce, that entire class of vulnerabilities,” Cerkovnik said.

