3 min read

Zero-Day Surge Led to More Rapid Exploitation of Bugs in 2021

New vulnerability study shows how "attacker economies of scale" have shaped the risk landscape.

Twice as many zero-day software vulnerabilities were exploited last year before vendors even had the chance to patch them than in 2020, and more than half of the most impactful vulnerabilities started with a zero-day exploit, a new study shows.

Rapid7 studied the 50 most high-impact vulnerabilities from 2021 that were most likely to threaten businesses, 43 of which were exploited in the wild -- including 20 that were exploited before a patch was available. The research shows that more than half of the exploited vulnerabilities in the study were exploited in attacks within a week of their public disclosure, and the average time to known exploitation accelerated to 12 days in 2021 from 42 days in 2020.

Not surprisingly, some 60% of the widespread vulnerability threats have been deployed in ransomware attacks, as overall, wide-swath attacks that were less targeted and more opportunistic rose last year, the report says.

"Attacker economies of scale have played a big part here — it's increasingly common for critical vulnerabilities in popular technology to be weaponized quickly by ransomware and coin-mining groups whose operations rely on widespread exploitation to profit. We've also seen instances where two or three or more APT groups are exploiting critical vulnerabilities alongside more opportunistic attackers," says Caitlin Condon, vulnerability research manager at Rapid7. And the industry is seeing more of these attacks because there's more visibility and sharing of that information, she says.

"There's consensus that zero-day attacks hit an all-time high in 2021. We intentionally weren't indexing on zero-day exploits in our data, and still we saw a big uptick in zero-day attacks. Worse, more than half of *widespread* threats began with a zero-day exploit. That's insane," Condon tweeted today.

According to Rapid7's report, which details the vulnerabilities and attack chain trends including the well-documented Microsoft Exchange and Windows Print Spooler vulns exposed and attacked last year, the surge in zero-day attacks was the main reason for the narrowed window in exploitation time, all of which put organizations under added pressure to respond to the newest threats and patching response.

"First and foremost, security and IT teams have been operating in a highly elevated threat climate. We can validate that with data — these folks have been working triple-time combating threats over the past year and a half, and their jobs have included complex risk communications as well as actual operations work. Many of them have been working with limited resources in part because of the lingering effects of the pandemic," Condon told Dark Reading. "Second, in a world where mass exploitation is starting within days or hours of disclosure, it's critically important for organizations to be good at the basics of vulnerability risk management so they can define and iterate on emergency procedures."

Layered defense, too, is key here, Condon says. "One of the most paradoxical parts of an elevated risk climate is that guidance remains steady. Think of this as weathering a tough economy: Diversify, don't panic, and take a long view."