Security Intelligence
March 11, 2024 | Security intelligence
By Ryan Slaney
Recently, cybersecurity practitioners have discovered a financially motivated hacking group named Magnet Goblin exploiting what is being referred to as “one-day” vulnerabilities to deploy its custom malware on Windows and Linux systems.
A zero-day vulnerability is unknown to the vendor, and thus there is no patch, mitigation, or fix available to address it. The term “zero-day” refers to the amount of time vendors have to address the flaw before hackers can exploit it.
Discovering zero-day vulnerabilities can be highly lucrative.
White-hat hackers who discover zero-day vulnerabilities are usually rewarded financially by the vendor, thankful that they are now aware of and able to fix a vulnerability before it becomes a problem.
On the other hand, black-hat hackers often sell zero-day vulnerabilities to other hacking groups and nation-state threat actors. Once acquired, zero-day vulnerabilities are highly coveted and usually only deployed by a single threat actor against a limited number of high-value targets to lessen the chance the zero-day vulnerability is discovered.
Our automated attack surface reports detect end-of-life software and operating systems, exposed devices and services, third-party risks & more.
A well-known example of a zero-day vulnerability is CVE-2021-44228, mainly referred to as “Log4J” or “Log4Shell”. The Log4j vulnerability was a security issue that affected Apache Log4j, a popular logging library used in many applications.
The flaw was discovered and used by threat actors to execute remote code by manipulating log messages or log message parameters, allowing threat actors to gain unauthorized access to systems and carry out malicious activities.
According to some sources, the Log4j vulnerability affected 93% of enterprise cloud deployments.
More recently, in 2023, Progress Software announced it had discovered a zero-day vulnerability in its MOVEit Transfer product that could lead to escalated privileges and potential unauthorized access to the IT environment.
Despite the quick turnaround between the discovery of the vulnerability and the release of a patch, threat actors were able to exploit this vulnerability, compromising a significant amount of personally identifiable and financial information, sensitive files, and other data requiring secure transfer.
Discovering zero-day vulnerabilities within an organization’s environment is difficult. In most cases, zero-day vulnerabilities aren’t known to end users until they're exploited by threat actors or disclosed by vendors.
While patching is important to mitigate the threat of known flaws, it won’t mitigate zero-day vulnerabilities. So if you can’t discover or patch them, how do you prevent threat actors from exploiting them?
One method is to proactively hunt for unusual or suspicious activity by reviewing logs, network data, and other sources of information within your environment.
Though they require a skilled practitioner to carry them out, such endeavors can reveal indications that a zero-day vulnerability was exploited, or other indicators of compromise such as suspicious network connections, rogue user accounts, and malicious files.
It’s important to notify the vendor as soon as a potential vulnerability is discovered so the flaw can be addressed before more systems are compromised.
Another method is to focus on detecting the activities commonly carried out after exploiting a zero-day vulnerability, such as credential dumping, escalation of privileges, and establishment of persistence.
This method is effective, regardless of the attack vector, but reactive since it assumes the threat actor has already gained access to the system.
Some EDR agents, including the Covalence endpoint agent, can detect and block these activities when they happen, informing administrators of a potential compromise in near real time.
Subsequent analysis of this activity usually leads to discovering how the threat actors were able to gain access, whether via a zero-day vulnerability or a different attack vector.
One-day vulnerabilities are known vulnerabilities for which a patch or mitigation is available but hasn’t yet been applied. The “one day” term refers to the period between when the vulnerability is disclosed and when affected systems are patched.
Sometimes these vulnerabilities are referred to as “n-day” vulnerabilities since the period is often much longer than one day, as the average mean time to patch (MTTP) is between 60 and 150 days.
Unfortunately, the exploitation of one-day vulnerabilities is often accelerated by the release of Proof-of-Concept (PoC) exploit code before affected users have adequate time to patch their systems. This practice seems to have gotten worse in recent months as cybersecurity vendors and researchers attempt to flex their technical skills, despite the damage it causes.
While more sophisticated threat actors will reverse-engineer a patch to figure out what issue it was meant to fix and then develop their own exploits based on their findings, less technical actors will adopt the publicly available PoC code. This allows the vulnerability to be leveraged by less sophisticated actors who otherwise would not have had this capability without external assistance.
A recent, relevant example of one-day vulnerabilities are CVE-2024-1708, an authentication bypass flaw, and CVE-2024-1709, a path traversal flaw, in ConnectWise’s ScreenConnect servers.
Only a day after the vulnerabilities were announced, several cybersecurity vendors and researchers released PoC exploit code and technical details regarding the vulnerabilities.
This code, combined with the ease of identifying vulnerable ScreenConnect instances via online web scanners, led to mass exploitation and the deployment of ransomware and other malware on unpatched servers.
The most effective way to mitigate the threat posed by the quick exploitation of one-day or n-day vulnerabilities is to shorten MTTP. Covalence users are automatically notified via AROs in the Covalence Portal when vulnerable devices, software, and appliances are detected in their environments.
These AROs identify the potentially vulnerable systems and provide relevant mitigation advice based on the vendor’s instructions and available threat intelligence. Automatic discovery and reporting of potentially vulnerable systems takes much of the guesswork out of patch management and considerably shortens MTTP, as long as users action the mitigative advice contained in the AROs.
For businesses not using Covalence, Field Effect recommends that IT administrators keep a detailed record of their assets and the versions of software/firmware running on them. This record, combined with an active vulnerability threat intelligence subscription or feed, allows IT admins to identify vulnerable assets and apply mitigative strategies.
Often, cloud services are updated automatically by the vendor as soon as or even before a vulnerability is disclosed while its on-premise or self-hosted equivalent requires manual patching. Automatic updates are a major benefit of cloud-hosted over self-hosted services, therefore organizations that struggle with patch management should consider adopting cloud-hosted services when feasible.