A
Hello, everyone, this is Tom Uren. I'm here with the Grugq for another Between Two Nerds discussion. G'day, Grugq. How are you?
B
G'day, Tom. Fine, and yourself?
A
I'm very well. This week's edition is brought to you by Corelight. Corelight makes an open network detection and response platform, and you can find them at corelight.com. So I'm looking at this, I guess it's a tweet and it's based on Mandiant, now Google's Threat Intelligence Group. So they have this report out. Unfortunately, it's not public, but there's a tweet and it's got a chart that's just plucked out of the report. And "Historical Time to Exploit timeline" is the title, and I'll just explain. Time to Exploit is Google's metric for defining the average number of days taken to exploit a vulnerability before or after a patch is released. So, for example, if a patch is released and it's exploited maliciously in the wild a week later, the TTE would be seven. Now, conversely, if it's exploited maliciously in the wild a week before a patch is released, the TTE would be minus seven. And so the dramatic part of this chart is that the TTE over the last 1, 2, 3, 4 years, up till 2024, has gone from 63 days to. So that means that five years ago a patch was released and on average, the first exploitation occurred within six weeks, or around six weeks. And now in 2024, the first exploitation, on average, occurs the day before a patch is released. So this seems like a significant shift.
B
You say that, and yet somehow, like, if you look at the top five bugs being exploited by ransomware groups against enterprise targets, they all come from this era of 32 to 5 days. They're still being exploited, but they were patched in 2022. So I'm a little bit hesitant to say that this is a useful metric, just. Just in the sense that, like, it might be negative one days for the average time to exploit, but it's going to be exploited for the next five years. So does. Does five years in one day matter quite as much as, like, four years and 11 months?
A
Yeah. So when I first came across this metric, I was a bit bemused by it, and a friend rang me up and the first thing he said to me was, what you've got to understand about cybersecurity metrics, or metrics produced by cybersecurity vendors, is that they're made up for marketing purposes. So Google's come across this.
B
Would you say you are. That is a wild claim. I hope you have some evidence to back that up that feels this is.
A
A great metric because it gets worse and it's getting dramatically worse. This is a reason to go talk to your customers. There's that sort of dissonance where the most exploited bugs are not the most recent ones necessarily.
B
Right. I think that there's another problem I have with this, which is that doesn't seem to match with what we saw for 2024. Right. Like this is the year that this covers is 2024.
A
Yep.
B
And I certainly don't remember that the majority of exploitations was being done with 0day at that point.
A
Right, Right. So the sort of nuance is it's the first known exploitation that's malicious, so it's not necessarily the majority. Like it feels like it could be misleading because you think it means one thing and then like when you dive into it, it actually means something else.
B
So it's just the very, very first time that they've seen this exploited as opposed to any. Right. So it's the first data point that they can get on this, which doesn't necessarily correlate to the volume of attacks.
A
Yep.
B
Right. Okay.
A
I went and looked at Google's 0day report. In fact, we both went and looked at it after reading this. And that report for 2024 is very much business as usual. There's 0days. People are finding them.
B
Yeah. I think it had 70 something for that year, for 2024. 70, 75, whatever.
A
There were incremental shifts. There was a bit more focus on enterprise products. Commercial surveillance vendors were finding a few more. It wasn't revolutionary.
B
It wasn't a sea change. There wasn't a huge shift of like the first year we did this, we found three. And only two years later, now there's 3,000.
A
That's right, yeah. So the zero day report, not good marketing. This report, good marketing. Now the other thing that occurs is that this could just be a symptom of better detection. Right. So they're finding.
B
Yeah, because if you look at the data buckets, they've got. They've got 2018, 2019, et cetera, et cetera. 2018 versus 2024 detection. I'm not exactly sure it's night and day, but it's pretty close. That is like seven years is a significant period.
A
That's a lot of it's twilight versus midday, if not night and day.
B
So, yeah, it feels to me like that could be a collection Bias a collection error. Your collection has improved. And so you feel like you have. You feel like the trend has changed rather than your data set has improved.
A
Right, yeah. So, based on this tweet, Brian in Pittsburgh, who I find quite an insightful Twitter account. I don't know who's behind it. Brian, presumably, but I don't know. He's riffed off that and noted that there's now a number of mass exploitation efforts that use zero days. And you disagreed. And I was thinking about the ones I could think of were Microsoft Exchange in late 2020. I think it was early 21.
B
Maybe it was like. I think it was January of 21.
A
Yep. There was the recent SharePoint thing, which was a couple of months ago. And then there was a Barracuda email campaign, which was 23. I think I wrote it down somewhere a little while ago. But it. That's not actually a huge number.
B
No, I mean, like. And I'd say that if you're super generous, you could maybe say like WannaCry. Even though it was after the patch came out, it was only like a couple months or something. And then NotPetya also exploited that. That was a mass exploitation. But again, it was. It wasn't a zero day. And those were worms, which I think. I think is a crucial difference.
A
Yeah, I think those are different because they weren't really about espionage. The other one I was thinking of actually was Clop, the ransomware gang, who had a series of, I guess, mass campaigns against.
B
Right. That was in like 21, 22, 23 Enterprise Edge devices. Yeah.
A
And so they found they could just go exploit everything and they could make money out of it. So it made sense to just go hell for leather.
B
Right. Okay. So I think that there's a core commonality to these incidents which is very important. Right. So you've got Clop going after enterprise systems that are exposed to the Internet but also tightly integrated into the core network.
A
In all those cases, they had valuable business data and what they were doing was stealing it and then just extorting the companies.
B
Right.
A
So they could immediately get on box and suck up whatever.
B
Yeah. Like they were going after like file access software, which is like a genre of software I didn't know existed until these guys started exploiting it. I mean, I use SSH and SCP and stuff, so I'm obviously not the target market for this sort of software. But, like, what was interesting with them was that they were paying for exploits against the specific software that was of value to them. They'd identified that this would be useful. They were going to pay money for anyone who could give them 0day for it. And then they exploited that 0day and they got money. So it was a very tight loop of like, this is a thing that will give us access to valuable data that we can then exploit for money. I think it's similar with the Exchange bug. Like if you get on Exchange, if you're doing intelligence collection, you're probably going to hack somewhere to get access to their email. There'll be other things, of course, but email is going to be very, very valuable. So if you can just get onto.
A
The email, you're on the high ground already. You've pretty much achieved 90% of your goal.
B
Right. Exactly what you want. I think it's similar with SharePoint. Right. It's a file server, it's going to have files that you want, so it's immediately valuable. I think if you look at this, the commonality with this mass exploitation of 0days in all the cases we've seen so far is it's mass exploitation of 0days that get you gold immediately. Yeah, it's like the 0 to 60 is exactly one hop. It gets you all the way there on the first try, as opposed to something that will get you access that you then need to pivot, you then need to sort of expand, hop somewhere else, do lateral, like you don't like. There's no grunt work left.
A
Yeah, yeah. In both the Exchange and SharePoint cases, it wasn't mass exploitation either until it was clear that there was a patch coming out.
B
Right.
A
So it seems like it was. I don't know, this is a hypothesis. Maybe it was driven by better detection in that it gets detected, somehow they had intelligence or knew that a patch was coming out. And so at that point you're like, there's gold in them there hills. Let's go out and get it right now.
B
Yeah. So it was from the MAPP, like.
A
The Microsoft Advanced Protection program.
B
Yeah. Right. So it was, here's a thing that we're going to patch in two days and you should have detections for it or whatever. And so from the point of that announcement going out, suddenly all of the exploitation started. Like they knew a patch was coming and they just did a land grab to get everything they could while the getting was good.
A
That makes perfect sense.
B
Yeah. Because as we said, it gets you immediately where you want to be.
A
So that dynamic, again, it could be driven by better detection. And so maybe that's being overly optimistic.
B
I think that that sort of incident probably happened before. But it seems to me like this is a very direct line from if you exploit this everywhere, you can get value from it. Basically, as soon as the exploit is finished running, using the capability allows you to exploit that resource immediately. So the capability will give you access to SharePoint that can be exploited immediately. Right. If you have a capability that gives you access to a web server in a DMZ, you still have to do a lot of work before you can exploit that access. You still have to go from that DMZ into the network and then find the SharePoint or the file server or the email server or whatever and then exploit it there. Right. So there's a lot of, a lot of work left to do. And so having a mass collection of access to these DMZ servers doesn't get you much closer than not having that access.
A
Right. The other thing you said before, which I think was interesting, was that the mass use of 0day used to be pretty common.
B
Yeah. Yeah. So back when 0day was sort of free. So up until I think maybe 2008, 2010 even, I mean, this was the era where you could literally sit down on a Friday afternoon, find a bug, write an exploit, and then spend the weekend exploiting it. Right. Like, you could basically do that. So I remember for the first Pwn2Own, I think it was K2 and Dino, but don't quote me on that. My recollection was that they basically, they showed up, they found out that there was going to be a Pwn2Own the next day. So they sat down, they found a vulnerability, they wrote an exploit, and then they won the competition the next day. That's not a thing you do anymore these days. Pwn2Own is multiple months of work to get ready. And so in an era where it was like, yeah, you could show up the day before, find the vulnerability, write the exploit and then use it, and then you could discard it because you don't need it again. Yeah, doing like, mass exploitation was a thing just because the, like, the time investment to get that 0day was so low that.
A
Right. I guess the chances of getting pinged were also probably lower as well. So that was, it was just happy days, maybe.
B
I mean, the other thing is that they lasted very, very long. I mean, I've seen archival exploits where you could see that it was like written in 2006, updated in 2007, 2009, 10, 12, 13, 15, patched in 2018, and it would be like, that is like you just have this amazing longevity of, of exploits.
A
I'm just thinking in my head that there's this period of cheap 0day, poor detection, and so they're just used widely.
B
Right.
A
Then we reach an era of more expensive 0day, moderate detection. And so they're used cautiously and they kind of disappear as a thing that is used en masse. And now people are thinking 0day is expensive, but detection is also good. So as soon as you get pinged, you've invested all this time and money and effort and so you just want to get the most return you can. And so if you can just push it out as far as you can and get as much, seize as much high ground or mine as much gold as you can, like that's the way to get your return on investment. Even though it's been driven by improvements in detection and, and maybe even patching. Maybe.
B
Yeah. So that last thing that you said strikes me as maybe an important point here, is that for most of the bugs that are getting exploited, they are multiple years old. There's a new report that came out on the top bugs being exploited by Russia in Ukraine. And the headline is Russia using zero click exploits against email. Sounds kind of scary. Then you look it up and it's like Roundcube webmail vulnerabilities that were patched in like 2022 or 2023. It kind of feels like that shouldn't be the headline, that they're using these zero click exploits. The headline should be like, people still haven't patched even though there's been a war on for the entire time.
A
Yeah. So I wonder if part of the dynamic is that the organizations that are really good targets for the type of people who could use 0day like that, like Exchange or SharePoint, they are organizations that patch relatively quickly when there's an imminent threat. And so all the good stuff goes pretty quickly. It's like going to the local charity shop. Like if you don't, if you're not there when it opens, all the good stuff's gone and you can turn up later and get stuff for cheap. It's not the good stuff though.
B
Right? Like it's not empty when you show up later. It's just, you know, the $20 designer handbag got snatched up in the morning.
A
That's right, exactly.
B
Yeah. I kind of feel that the dynamic that was going on with the Exchange land grab was that it's not so much that they believed every Exchange that they were hitting was going to be valuable, it's just that they farmed out the work to so many people and it was very much a, you know, collect them all, sort them out afterwards. And I think that it was because they knew that there would be a high percentage of valuable boxes that they had that they could then exploit afterwards for intelligence collection. Like they knew the bug was dead, so they were willing to just sort of take the risk of that mass exploitation. And I assume SharePoint fell into a sort of similar thing. And I think that it's an unusual set of circumstances.
A
Right. Yeah.
B
Where you have like a 0day and it's immediately valuable and it's probably going to be patched at the people that you want it, that you'll want to use it against.
A
Yep.
B
Like therefore you're better off just getting as much as you can right now.
A
Yep.
B
And then figuring it out afterwards. It's very much, you know, hack them all.
A
Yeah. It feels like last seconds of a football match and go for Hail Mary to translate.
B
Yeah.
A
American listeners.
B
For me, the problem is I keep thinking of like it was during like the massacre of Magdeburg in the Thirty Years' War, where they were like, should we kill the Catholics and the Protestants, or just the Protestants, or just the Catholics? The bishop says kill them all. God will know his own.
A
Right.
B
That's what it feels like to me is that there's this whole, like, it's not my problem, just go for it.
A
Yeah. So that means that those mass exploitation events, even though they feel common, are actually rather unusual because they're that confluence.
B
Yeah. They're going to remain rare and exceptional just because you need a lot of stars to align for it to make sense. Right. It's not just access to 0day, that's not sufficient for this sort of event to take place. I think that, that, I mean the dynamic would be different if the 0day was publicly available. Then you'd have people exploiting it who weren't thinking about the value that they could get from it. So like an intelligence agency is making a calculated decision about how they're going to use this resource that they have and it's going to be directed and purposeful and they have a mission that they're trying to accomplish. And for them, that mission lining up with all of these variables, that's going to be a rare occasion when it does happen. Whereas I think if you just open it up to like everyone on the Internet, there's just enough dumb people who just want to exploit for exploiting's sake.
A
Right. Especially if there's good proof of concept code around on the Internet for people to just pick up and use.
B
And I think even more so if the capability gives you something useful in a way that you can, maybe you can deface it or maybe you can use it as a bounce server or maybe you can use it for anything that it gives you some sort of thing that you can exploit immediately. So for an intelligence agency there's a fairly high bar for exploiting something. You're looking for real data that you can use. For a ransomware group, I'm going to say it's a reasonably high bar as well. Like you need to be able to get access to something that's valuable to someone to exploit it. But if you're just like some random Joe Schmo kid on the Internet, I think that the bar is quite low because simply having access to a box is in itself a reward.
A
The journey is the destination, whereas for state backed hackers the journey is just a job.
B
Right. Can you imagine that? Like you love hacking and so you become like a government hacker, probably hate hacking.
A
You replace what you love with bureaucracy and performance reviews, OKRs.
B
I think in a way what this time to exploit metric, it feels a little bit like p-hacking with those dubious science papers where they run an experiment and the results just are sort of inconclusive. So they look through and they try different sets of variables until they can find some sort of correlation that has a good p-value.
A
Of being significant or something. What is it, 0.05 or something like.
B
This where the odds of this being a coincidence are astronomically low. And that's true, but it's because you've tried everything until you found the one coincidence. I'm not suggesting that this is exactly that style of mucking about, but that's sort of what it feels like. Is that right?
A
Right, right.
B
You sort of, you mess around with different things until you can find like the one trend that looks right, you know.
A
You think they've stumbled across the perfect cybersecurity metric.
B
Yeah, well, I think that they've just got so much data that you could look through it until you find something that matches the narrative you're trying to present.
A
Right, right. And I guess my hypothesis is that this is all driven by better detection and so in fact you're doing a better job actually makes the problem look worse. And so this is the perfect metric.
B
There you go. Like there's one way of showing that the crime statistics have gone down and that's to fire all the police and stop collecting statistics. And the other way is to do really good policing. But I think there's this in between stage where your policing is good enough that you're catching a large number of detected crimes that it looks worse than either of the other extremes. And I think that we're probably in that middle bit where we're getting better at detecting things going wrong and we're getting better at catching incidents.
A
Right, right, right. Next year, we can hope that the number's even worse.
B
Thanks a lot, Tom.
A
Thanks.
Host: Tom Uren (A)
Guest: The Grugq (B)
Date: October 6, 2025
This episode takes a deep dive into the controversial and evolving landscape of zero-day (0day) vulnerability exploitation at scale. Prompted by a Google/Mandiant report’s “historical Time to Exploit” (TTE) metric, Tom and the Grugq dissect how quickly attackers exploit new bugs, whether mass 0day exploitation is truly increasing, and what really motivates these rare “land grab” attacks. They also critically examine the usefulness of industry metrics and reflect on how changes in detection, patching, and the exploit market have shifted attack patterns over time.
On the state of exploitation metrics:
“Metrics produced by cybersecurity vendors... are made up for marketing purposes.”
— Tom (02:57)
On mass exploitation motivation:
“...mass exploitation of 0days that get you gold immediately. Yeah, it's like the 0 to 60 is exactly one hop.”
— The Grugq (10:46)
On rarity of mass campaigns:
“They're going to remain rare and exceptional just because you need a lot of stars to align for it to make sense.”
— The Grugq (19:47)
On the effect of improved detection:
“...you're doing a better job actually makes the problem look worse. And so this is the perfect metric.”
— Tom (23:31)
On exploit longevity:
“I've seen archival exploits... written in 2006, updated in 2007, 2009, 10, 12, 13, 15, patched in 2018... amazing longevity.”
— The Grugq (14:50)
Tom and the Grugq offer a nuanced critique of headline-grabbing security metrics and the narratives they enable. They explain that while detection has improved and some rare “land grab” attacks capture attention, mass 0day exploitation is rare because it only makes sense when attackers can get immediate, high-value returns and when the timing aligns. Most actual exploits in the wild continue to leverage old, well-known bugs due to pervasive slow patching. As defenders, focusing on quick, broad patching of high-value platforms, and being skeptical of dramatic vendor marketing, remains critical.
Hosts’ Closing Tone:
Witty, skeptical, and grounded, with both hosts poking fun at the industry’s tendency toward sensationalism and “magic” metrics, while reminding listeners that improved security practices often create seemingly alarming statistics as an artifact of better detection.