2021 Has Broken the Record For Zero-Day Hacking Attacks (technologyreview.com)
According to multiple databases, researchers, and cybersecurity companies who spoke to MIT Technology Review, 2021 has had the highest number of zero-day exploits on record. "At least 66 zero-days have been found in use this year, according to databases such as the 0-day tracking project -- almost double the total for 2020, and more than in any other year on record," the report says. From the report: One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools. Powerful groups are all pouring heaps of cash into zero-days to use for themselves -- and they're reaping the rewards. At the top of the food chain are the government-sponsored hackers. China alone is suspected to be responsible for nine zero-days this year, says Jared Semrau, a director of vulnerability and exploitation at the American cybersecurity firm FireEye Mandiant. The US and its allies clearly possess some of the most sophisticated hacking capabilities, and there is rising talk of using those tools more aggressively.
Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees. And cybercriminals, too, have used zero-day attacks to make money in recent years, finding flaws in software that allow them to run valuable ransomware schemes. "Financially motivated actors are more sophisticated than ever," Semrau says. "One-third of the zero-days we've tracked recently can be traced directly back to financially motivated actors. So they're playing a significant role in this increase which I don't think many people are giving credit for."
While there may be an increasing number of people developing or buying zero-days, the record number reported isn't necessarily a bad thing. In fact, some experts say it might be mostly good news. No one we spoke to believes that the total number of zero-day attacks more than doubled in such a short period of time -- just the number that have been caught. That suggests defenders are becoming better at catching hackers in the act. You can look at the data, such as Google's zero-day spreadsheet, which tracks nearly a decade of significant hacks that were caught in the wild. One change the trend may reflect is that there's more money available for defense, not least from larger bug bounties and rewards put forward by tech companies for the discovery of new zero-day vulnerabilities. But there are also better tools. Defenders have clearly gone from being able to catch only relatively simple attacks to detecting more complex hacks, says Mark Dowd, founder of Azimuth Security. "I think this denotes an escalation in the ability to detect more sophisticated attacks," he says. Further reading: Emergency Software Patches Are on the Rise
How can that happen? (Score:2)
Strange I would have thought so many people sitting home would be too busy for something like this.
How about we just call them bugs? (Score:2)
Re: (Score:2)
Because honestly, "zero day" carries virtually no meaning, as it is made to readily apply to anything that hasn't been fixed yet.
0-day means the day of or any time before a software release. Its earliest usage is in the warez scene, where a 0-day release was typically a game that was released (with a crack, or without one if it wasn't needed) by distro groups either the day of or any time before the game was officially released. A 0-day exploit refers to an exploit that was created the same day or before a patch has been released to fix the corresponding vulnerability.
Re: (Score:3)
this is now an obsolete definition, as these cases are pretty rare. today it's much simpler: any vulnerability for which there is no patch or clear and known workaround is a zero-day. this may well be (and almost always is) known long after release simply because the vulnerability has been always there but not been found, used, reported, disclosed or reacted upon, so users/devices/services are fully exposed.
the high value of a zero-day lies in that precisely because there is no patch available, any attack i
Re: (Score:2)
this is now an obsolete definition, as these cases are pretty rare.
It's not rare at all, it happens all the time. Furthermore, the warez scene still actively uses that term, and they haven't gone anywhere.
any vulnerability for which there is no patch or clear and known workaround is a zero-day. this may well be (and almost always is) known long after release simply because the vulnerability has been always there but not been found, used, reported, disclosed or reacted upon, so users/devices/services are fully exposed.
This is very much a PHB way to define it, as you've probably lifted it from wikipedia or some whitepaper as if to try to academically define what is really street slang. So congrats on becoming a PHB. Though even if we stick to your PHB terms, it ultimately doesn't contradict what I said. Notice when I was referring to the context of cybersecurity, I was specifically talk
Re: (Score:2)
Which is stupid, IMO. Any newly discovered bug effectively becomes a zero-day at that point, and the "zero-day" does not denote anything special that warrants attention from any other newly
Re: (Score:2)
if you consider it synonymous to "unpatchable" it is not a tautology at all, but describes a very particular and distinct state with very specific implications. you might dislike the word or the etymology but that's language, an ever changing construct created out of social interaction and trends, including antics and buzzwords. it may be messy and sound silly at times but still allows us to communicate.
Re: (Score:2)
Re: (Score:2)
nope. discovered by whom? if the first discoverer has malicious intent then that's a zero-day. it may be being exploited before becoming public. however if the manufacturer discovers it first and releases a patch, it never ever becomes a zero-day.
really easy to grasp, unless you are looking for a semantic kink session. if so, have a cookie ...
Re: (Score:2)
While of course it is ideal to release software without bugs, it is absurd to expect that most bugs which might happen to exist in already released software would ordinarily be discovered by the development team before somebody else finds them. It's nice when it happens, but it's far from something that can be said to be a reasonable expectation.
The point remains - the standing definition of "zero day" is meaningless. Effectively tautological at best, misleading and clickbait at worst.
The only thing
Financial incentives work both ways (Score:1)
Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees. [...] "Financially motivated actors are more sophisticated than ever," Semrau says. "One-third of the zero-days we've tracked recently can be traced directly back to financially motivated actors. So they're playing a significant role in this increase which I don't think many people are giving credit for."
And until companies are actually financially motivated to avoid poor software development practices, the vulnerabilities will continue.
lol, I love this framing (Score:3)
"China alone is suspected to be responsible for nine zero-days this year, says Jared Semrau... The US and its allies clearly possess some of the most sophisticated hacking capabilities, and there is rising talk of using those tools more aggressively."
So in other words.. "American using zero days GOOD! China use, BAD!" Oh really, is it good that our intelligence agencies sit on zero days rather than telling Microsoft et al? It's more important to them to keep their "sophisticated hacking capabilities" than it is to ensure the wellbeing of any of us!
Also, FireEye is a cyber security contractor, what are they going to say about Russia or China that isn't negative?
Someone might (Score:1)
Good, fast, cheap (Score:2)
Imagine if you had a builder build a structure and he handed it over to you with missing hinges, locks that don't work, missing cabinets, unpainted walls, etc. and he kept coming by every week to add
They said learn to code (Score:2)
Well, they said learn to code. So we did. Amazing how much money you can make quickly if you know how to code.