FireEye warns that access to zero-day capabilities is becoming commodified

Parnian Najafi Borazjani, one of the authors of the FireEye Mandiant Threat Intelligence report.

FireEye reports that Mandiant Threat Intelligence documented more zero-days exploited in the wild in 2019 than in any of the previous three years. While not every instance of zero-day exploitation can be attributed to a tracked group, FireEye noted that a wider range of tracked actors appear to have gained access to these capabilities.

Furthermore, FireEye noted a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber capabilities, as well as an increase in zero-days used against targets in the Middle East and/or by groups with suspected ties to the region.

FireEye believes that some of the most dangerous state-sponsored intrusion sets are increasingly demonstrating the ability to quickly exploit vulnerabilities that have been made public. In multiple cases, groups linked to these states have been able to weaponise newly disclosed vulnerabilities and incorporate them into their operations, aiming to take advantage of the window between public disclosure and patch application by the targets.

Going forward, FireEye expects to see a greater variety of actors using zero-days, especially as private vendors continue to feed the demand for offensive cyber capabilities.

Conclusion

  • FireEye surmises that access to zero-day capabilities is becoming increasingly commodified, based on the proportion of zero-days exploited in the wild by suspected customers of private companies. Possible reasons for this include:
    • Private companies are likely creating and supplying a larger proportion of zero-days than they have in the past, resulting in a concentration of zero-day capabilities among highly resourced groups.
    • Private companies may be increasingly providing offensive capabilities to groups with lower overall capability and/or groups with less concern for operational security, which makes it more likely that usage of zero-days will be observed.
  • It is likely that state groups will continue to support internal exploit discovery and development; however, the availability of zero-days through private companies may offer a more attractive option than relying on domestic solutions or underground markets. As a result, FireEye expects that the number of adversaries demonstrating access to these kinds of vulnerabilities will almost certainly increase, and will do so at a faster rate than the growth of their overall offensive cyber capabilities, provided they have the ability and will to spend the necessary funds.
