Risky Bulletin — Between Two Nerds: What Drives 0day Mass Exploitation
Host: Tom Muran (A)
Guest: The Grok (B)
Date: October 6, 2025
Episode Overview
This episode takes a deep dive into the controversial and evolving landscape of zero-day (0day) vulnerability exploitation at scale. Prompted by a Google/Mandiant report’s “historical Time to Exploit” (TTE) metric, Tom and The Grok dissect how quickly attackers exploit new bugs, whether mass 0day exploitation is truly increasing, and what really motivates these rare “land grab” attacks. They also critically examine the usefulness of industry metrics and reflect on how changes in detection, patching, and the exploit market have shifted attack patterns over time.
Key Discussion Points & Insights
1. Examining the “Time to Exploit” (TTE) Metric
- Definition: TTE tracks the average number of days between when a vulnerability is patched and when it is first exploited in the wild, with negative values indicating pre-patch exploitation.
- Tom (00:27): “If a patch is released and it's exploited... a week later, the TTE would be seven. Conversely, if it’s exploited... a week before, the TTE would be minus seven.”
- Reported Trend: TTE has dropped sharply from 63 days (2019) to –1 day (2024), suggesting first malicious exploitation now often occurs before a patch.
- Tom (01:41): “...now in 2024, the first exploitation, on average, occurs the day before a patch is released...”
2. Critique of the Metric’s Usefulness & Vendor Bias
- Persistence of Old Exploits: Many top exploited bugs (e.g., by ransomware groups) are years old, not fresh zero-days.
- The Grok (02:11): “The top five bugs... all come from this era of 32 to 5 days. They're still being exploited, but they were patched in 2022.”
- Marketing-Driven Metrics:
- Tom (02:57): “...metrics produced by cybersecurity vendors... are made up for marketing purposes.”
- The Grok (03:22): “That is a wild claim...”
- Data Bias: Improved detection over the years may create the illusion of accelerating exploitation, not necessarily reflect real-world risk.
- The Grok (06:17): “...your collection has improved... you feel like the trend has changed rather than your data set has improved.”
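As an added illustration that is not from the episode or the Mandiant report, the Python below models the TTE definition from section 1 (days from patch to first observed exploitation, negative when exploitation precedes the patch) and the collection-bias caveat from section 2. The records, dates and CVE-style ids are constructed placeholders; the `observed` flag is an assumption standing in for whether the telemetry of that year would actually have captured the exploitation.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class ExploitRecord:
    """One vulnerability: when it was patched, when it was first exploited in
    the wild, and whether the defender telemetry available at the time would
    have recorded that exploitation (an assumed field used to model bias)."""
    bug_id: str              # constructed placeholder ids, not real CVEs
    patched: date
    first_exploited: date
    observed: bool = True


def time_to_exploit(rec: ExploitRecord) -> int:
    """Days from patch release to first exploitation.
    Positive: exploited after the patch. Negative: exploited before it."""
    return (rec.first_exploited - rec.patched).days


def tte_by_year(records, observed_only: bool = True) -> dict:
    """Average TTE per patch year, the way a yearly report presents it.

    observed_only=True counts only the exploitation that the telemetry of
    the time actually captured; this is what a dataset assembled year by
    year effectively contains. observed_only=False is the counterfactual
    'perfect collection' view used to show how much of the trend is data."""
    buckets = defaultdict(list)
    for rec in records:
        if observed_only and not rec.observed:
            continue
        buckets[rec.patched.year].append(time_to_exploit(rec))
    return {year: round(mean(vals), 1) for year, vals in sorted(buckets.items())}


def pre_patch_share(records, observed_only: bool = True) -> float:
    """Fraction of records exploited before their patch (TTE < 0)."""
    kept = [r for r in records if r.observed or not observed_only]
    if not kept:
        return 0.0
    return round(sum(time_to_exploit(r) < 0 for r in kept) / len(kept), 2)


# Constructed sample. In 2019 one bug was exploited before its patch but no
# sensor saw it (observed=False); by 2024 pre-patch use is routinely caught.
SAMPLE = [
    ExploitRecord("BUG-2019-A", date(2019, 3, 1), date(2019, 4, 30)),          # +60
    ExploitRecord("BUG-2019-B", date(2019, 6, 1), date(2019, 8, 30)),          # +90
    ExploitRecord("BUG-2019-C", date(2019, 9, 1), date(2019, 8, 12), False),   # -20, unseen
    ExploitRecord("BUG-2024-A", date(2024, 2, 1), date(2024, 1, 27)),          # -5
    ExploitRecord("BUG-2024-B", date(2024, 5, 1), date(2024, 5, 1)),           # 0
    ExploitRecord("BUG-2024-C", date(2024, 9, 1), date(2024, 9, 3)),           # +2
]


if __name__ == "__main__":
    print("As reported (only what telemetry saw):", tte_by_year(SAMPLE))
    print("With perfect collection:               ", tte_by_year(SAMPLE, observed_only=False))
    print("Pre-patch share, reported vs. perfect: ",
          pre_patch_share(SAMPLE), pre_patch_share(SAMPLE, observed_only=False))
```

With this sample the reported series falls from 75 days to -1 day, while the perfect-collection series falls from about 43 days to -1 day: the direction of the trend survives, but a sizeable part of its magnitude is the 2019 blind spot rather than a change in attacker behaviour. The metric also says nothing about the continued exploitation of old bugs raised at 02:11, since it only records the first exploitation of each one.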
3. What Actually Drives Mass 0day Exploitation?
- Rare but High-Impact Incidents:
- Notable mass 0day exploitation cases include Microsoft Exchange (2021), SharePoint (recent), and Barracuda (2023); all involve systems directly connected to valuable business data.
- Tom (07:12): “...recent SharePoint thing... Barracuda email campaign... that’s not actually a huge number.”
- Financial Motivation & Tightly-Linked Gains:
- Organized ransomware gangs like Clop selectively buy exploits for specific, lucrative enterprise software.
- The Grok (09:04): “...they were paying for exploits against the specific software that was of value to them...”
- Fast, one-hop access to “gold” (critical files/emails) is the common factor — if exploitation grants direct access to valuable data, mass exploitation becomes worthwhile.
- The Grok (10:46): “...mass exploitation of 0days that get you gold immediately. Yeah, it's like 0 to 60 is exactly one hop.”
- Race Against Patching:
- Mass exploitation often ramps up after detection or patch announcements go public.
- Tom (11:05): “...wasn't mass exploitation either until it was clear that there was a patch coming out.”
4. Historical Shifts in Exploit Patterns
- Cheap 0day Era (pre-2010): Finding and exploiting bugs was fast and easy.
- The Grok (13:23): “Back when 0day was sort of free... up until 2008, 2010... you could sit down... find a bug, write an exploit, and then spend the weekend exploiting it.”
- Current Era: Exploits are expensive, effort-intensive, and detection tools are better. So attackers save big exploits for high returns or “land grab” situations.
- Tom (15:26): “Now people are thinking 0day is expensive, but detection is also good... so you just want to get the most return you can...”
- Longevity of Vulnerabilities:
- Many exploits remain useful for many years, and old bugs are still a goldmine for attackers due to slow patching.
- The Grok (16:09): “...most of the bugs... are multiple years old... Russia using zero click exploits against email... vulnerabilities... patched in 2022 or 2023.”
5. Patch Dynamics & Target Value
- Fast Patch = Fast Land Grab:
- Organizations with valuable assets patch quickly once they’re aware. Attackers surge in right before/after patch releases to “get the good stuff.”
- Tom (17:00): “...all the good stuff goes pretty quickly... if you’re not there when it opens, all the good stuff’s gone...”
- The Grok (19:01): “...you're better off just getting as much as you can right now.”
6. Why Mass 0day Exploitation Is Still Rare
- Not Just About Having the Exploit: Requires a unique intersection of value proposition, target accessibility, and imminent patch/detection pressure.
- The Grok (19:47): “They're going to remain rare and exceptional just because you need a lot of stars to align for it to make sense.”
- Motivations Vary:
- Intelligence agencies act with deliberation and limited windows, while casual hackers just want any access.
- The Grok (20:56): “For an intelligence agency there's a fairly high bar... For a ransomware group, I'm going to say it's a reasonably high bar... If you're just like some random Joe Schmo... the bar is quite low...”
7. On Security Metrics and Industry Narratives
- Critical of Narrative-Building:
- TTE and similar metrics may be P-hacked (tweaked until a dramatic “trend” appears), especially in vendor reports.
- The Grok (22:20): “...it feels a little bit like P hacking with those dubious science papers...”
- Improved Detection Can Appear as Bad News:
- Tom (23:31): “...this is all driven by better detection and so in fact you're doing a better job actually makes the problem look worse.”
- The Grok (23:48): “There's one way of showing that the crime statistics have gone down and that's to fire all the police... your policing is good enough... catching a large number... but it looks worse than either of the other extremes.”
Notable Quotes
- On the state of exploitation metrics: “Metrics produced by cybersecurity vendors... are made up for marketing purposes.” — Tom (02:57)
- On mass exploitation motivation: “...mass exploitation of 0days that get you gold immediately. Yeah, it's like 0 to 60 is exactly one hop.” — The Grok (10:46)
- On rarity of mass campaigns: “They're going to remain rare and exceptional just because you need a lot of stars to align for it to make sense.” — The Grok (19:47)
- On the effect of improved detection: “...you're doing a better job actually makes the problem look worse. And so this is the perfect metric.” — Tom (23:31)
- On exploit longevity: “I've seen archival exploits... written in 2006, updated in 2007, 2009, 10, 12, 13, 15, patched in 2018... amazing longevity.” — The Grok (14:50)
Timestamps for Key Segments
- Introduction to TTE metric — [00:12–01:41]
- Metric skepticism and vendor motives — [02:57–03:32]
- Historical detection bias & metric flaws — [05:47–06:32]
- Discussion of actual mass 0day incidents — [07:09–08:44]
- What makes 0day mass exploitation worth it? — [08:44–11:05]
- Mass exploitation triggers (patch/detection) — [11:05–12:16]
- History: exploitation patterns 2000s vs. now — [13:23–15:26]
- Longevity and re-use of old exploits — [14:50–16:09]
- Target value & patch timing: “designer handbags” analogy — [17:00–17:36]
- Why mass exploitation is rare despite 0day availability — [19:47–20:49]
- On metrics and narrative “P-hacking” — [22:20–23:31]
- Final thoughts on detection improvement’s impact — [23:31–24:19]
In Summary
Tom and The Grok offer a nuanced critique of headline-grabbing security metrics and the narratives they enable. They explain that while detection has improved and some rare “land grab” attacks capture attention, mass 0day exploitation is rare because it only makes sense when attackers can get immediate, high-value returns and when the timing aligns. Most actual exploits in the wild continue to leverage old, well-known bugs due to pervasive slow patching. As defenders, focusing on quick, broad patching of high-value platforms—and being skeptical of dramatic vendor marketing—remains critical.
Hosts’ Closing Tone:
Witty, skeptical, and grounded, with both hosts poking fun at the industry’s tendency toward sensationalism and “magic” metrics, while reminding listeners that improved security practices often create seemingly alarming statistics as an artifact of better detection.
