date 2025-04-22
from the zero-hour-nine-AM dept.
Hackers are exploiting 0-days more than ever:
Previously unknown "zero-day" software vulnerabilities are mysterious and intriguing as a concept. But they're even more noteworthy when hackers are spotted actively exploiting the novel software flaws in the wild before anyone else knows about them. As researchers have expanded their focus to detect and study more of this exploitation, they're seeing it more often. Two reports this week from the threat intelligence firm Mandiant and Google's bug hunting team, Project Zero, aim to give insight into the question of exactly how much zero-day exploitation has grown in recent years.
[...] "We started seeing a spike early in 2021, and a lot of the questions I was getting all through the year were, 'What the heck is going on?!'" says Maddie Stone, a security researcher at Project Zero. "My first reaction was, 'Oh my goodness, there's so much.' But when I took a step back and looked at it in the context of previous years, to see such a big jump, that growth actually more likely is due to increased detection, transparency, and public knowledge about zero-days."
[...] While awareness and detection efforts have increased, James Sadowski, a researcher at Mandiant, emphasizes that he does see evidence of a shift in the landscape.
"There are definitely more zero-days being used than ever before," he says. "The overall count last year for 2021 shot up, and there are probably a couple of factors that contributed, including the industry's ability to detect this. But there's also been a proliferation of these capabilities since 2012," the year that Mandiant's report looks back to. "There's been a significant expansion in volume as well as the variety of groups exploiting zero-days," he says.
If zero-days were once the domain of elite government-backed hacking groups, they have been democratized, Sadowski says. Financially motivated digital-crime groups, some of which employ highly skilled hackers, have now been spotted using zero-days as well, at times for both traditional finance scams and other attacks like ransomware. And the rise of so-called "exploit brokers," an industry that sells information about zero-days and, typically, a corresponding exploit, has enabled anyone with enough money to wield zero-days for their own purposes.
[...] Zero-day vulnerabilities and exploits are typically thought of as uncommon and rarefied hacking tools, but governments have been repeatedly shown to stockpile zero-days, and increased detection has revealed just how often attackers deploy them. Over the past three years, tech giants like Microsoft, Google, and Apple have started to normalize the practice of noting when they're disclosing and fixing a vulnerability that was exploited before the patch release.
(Score: 2) by Spamalope on Monday April 25, @02:39PM (2 children)
As long as bad quality is a 'you' problem, and risky designs for glitz or feature creep are accepted, this will escalate. For example, without viable alternatives what incentive is there for Google to invest in security, beyond what they need to protect their spyware exclusivity?
(Score: 2) by looorg on Monday April 25, @02:47PM
The question sort of remains why. Is it just because there is more software, more bad software too? Or is it just because more people are looking than looked before, and way back most software didn't have to bother with networking etc.? Some combination of them. While I would like to think that more programmers previously were better than today's batch, I just don't know. It seems to be the case, but I just don't know for certain. There obviously seems to be a lot more bad ones.
(Score: 2) by canopic jug on Monday April 25, @02:52PM
In this case, Google is carrying water for M$. Follow the links and you will see that the Project Zero [blogspot.com] efforts spend a lot of time on Windows and Windows-based M$ products. To make matters worse, Google never recommends migration off of the dead end malware which is posing as an operating system. Dropping Windows from the desktop won't in and of itself make businesses, agencies, and schools secure, but it is a necessary prerequisite. Again, this is a staffing problem not a technical problem. Using a FreeBSD distro or a GNU/Linux distro is perfectly within reach of most businesses, if they fire the microsofters, the ones who sit on the payroll and use company money to sell M$ products from inside the perimeter, and hire one or more IT people in their place. This is especially important on the desktop.
