Threat actors increasingly exploit zero-day vulnerabilities to evade threat detection

April 25, 2024 - Threat actors are increasingly targeting edge devices, exploiting zero-day vulnerabilities, and engaging in living off the land attacks to evade threat detection tools, Mandiant revealed in a recent report.

In 2023, Mandiant tracked 97 unique zero-day vulnerabilities that were exploited in the wild, signifying a 50% increase from 2022. Exploits were the most popular initial infection vector observed in 2023, accounting for 38% of the intrusions that Mandiant tracked. Phishing, prior compromise, and stolen credentials followed.

The report also revealed that different types of threat groups favored certain tactics over others. For example, People’s Republic of China cyber espionage groups strongly favored the exploitation of zero-days in 2023. Financially motivated actors also preferred zero-days for targeting victims and stealing data.

“Espionage groups tend to prioritize stealth and long-term access, and meticulously craft exploits to minimize detection; financially motivated attackers tend to prioritize speed and efficiency, potentially sacrificing stealth for quicker returns and wider exploitation,” Mandiant noted.

Healthcare was among the top five most targeted sectors in 2023, along with financial services organizations and high tech. All the highly targeted industries maintain access to highly sensitive and valuable information, from credit card numbers to protected health information (PHI), making them enticing targets.

Despite the increasing stealth of cyber threat actors, defenders are meeting the challenge with enhanced strategies of their own. Mandiant found that the global median dwell time fell to 10 days in 2023, compared to 16 in 2022. Dwell time refers to the number of days a hacker remains within a system from compromise to detection. For ransomware specifically, the global median dwell time dropped to five days in 2023, compared to 9 in 2022.

“Attackers regularly adjust their tactics, techniques, and procedures in order to achieve their objectives, which can be challenging for defenders,” said Jurgen Kutscher, vice president, Mandiant Consulting at Google Cloud.

“Despite this, our frontline investigators have learned that organizations have done a better job in 2023 at protecting systems and detecting compromises. Defenders should be proud, but organizations must remain vigilant.”

Tackling zero-day vulnerabilities requires a “blend of policy, threat intelligence, and active monitoring,” Mandiant suggested. A robust incident response plan and the use of environmental monitoring to assess potential vulnerability impacts can help organizations efficiently respond to these cyber threats.