Takeaways from the Google Report on Zero-days

By Karla Reffold

Google issued a report this week about the proliferation of commercial spyware tools and the link to zero-days in their products.

In 2023, 20 of the 25 zero-days in Google products were exploited in the wild and attributed to commercial spyware vendors. This revelation highlights two important issues.

The first is the focus of the Google report. Commercial spyware is fueling the zero-day market. Throughout the history of cybersecurity, an underground market has existed for vulnerabilities. As researchers discover these vulnerabilities, they can sell them via bug bounty programs or to access brokers. In this case, researchers are selling them to either access brokers or spyware companies directly. These vulnerabilities can be chained together or paired with stolen credentials to provide spyware companies the access they need.

The second issue is more relevant to the wider industry. Zero-days are becoming harder to find and are increasing in financial value. This limits the threat actors who can take advantage of them to the ones with the most resources. Typically, this would mean nation-state actors. However, they can also be utilized by well-resourced ransomware groups, particularly those that target very large companies. It is important to point out that a majority of businesses are not the target of these groups.

There is a considerable amount of noise generated by cyber threat intelligence and the discovery of new vulnerabilities. Understanding which vulnerabilities to prioritize is a challenge, even for well-resourced teams.

Organizations should consider the following:

  • Is the group exploiting this vulnerability likely to target my organization?
  • If this vulnerability was exploited, what cybersecurity risk mitigations do I have in place, such as managed detection and response (MDR), data loss prevention (DLP), etc.?
  • Are there other vulnerabilities being exploited by threat actors that are relevant to me that I should patch first?
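The three questions above can be turned into a repeatable triage step rather than a judgement call made fresh for every advisory. The script below is an added illustration, not code from the original post or from Google's report: it scores constructed vulnerability records against an organization's sector and its compensating controls, so that an in-the-wild zero-day attributed to an actor that does not target your sector ranks below a bug that ransomware crews are actively using against organizations like yours. All vulnerability ids, actor names, sector labels and control names are placeholders invented for the example, and the point weights are assumptions you would tune to your own risk appetite.

```python
"""Threat-intelligence-driven vulnerability triage (added example).

Applies the three questions from the post to each vulnerability:
  1. Does the actor exploiting it target organizations like ours?
  2. Which compensating controls (MDR, DLP, ...) would blunt exploitation?
  3. Is it in active ransomware use, i.e. relevant to most organizations?
All records below are constructed placeholders, not real CVEs or actors.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Vuln:
    vuln_id: str                 # placeholder id, deliberately not a CVE
    exploited_in_wild: bool
    actor_type: str              # "commercial_spyware", "ransomware", "unknown", ...
    actor_targets: Set[str] = field(default_factory=set)   # sectors the actor is known to hit
    used_in_ransomware: bool = False
    mitigated_by: Set[str] = field(default_factory=set)    # controls that detect/contain it


@dataclass
class OrgProfile:
    sector: str
    controls: Set[str] = field(default_factory=set)        # controls actually deployed


def triage_score(v: Vuln, org: OrgProfile) -> Tuple[int, List[str]]:
    """Return (priority score, human-readable reasons). Higher = patch sooner.

    Weights are assumptions for illustration: in-the-wild exploitation and a
    matching actor/target profile count most, ransomware use counts for any
    organization, and an existing compensating control lowers urgency without
    removing the vulnerability from the list.
    """
    score = 0
    reasons: List[str] = []

    if v.exploited_in_wild:
        score += 3
        reasons.append("exploited in the wild")

    # Question 1: attribution only matters if the actor's targeting overlaps ours.
    if org.sector in v.actor_targets:
        score += 3
        reasons.append(f"{v.actor_type} actor is known to target {org.sector}")
    elif v.exploited_in_wild:
        reasons.append(f"{v.actor_type} actor not known to target {org.sector}")

    # Question 3: ransomware tooling is relevant to the broad majority of organizations.
    if v.used_in_ransomware:
        score += 2
        reasons.append("used in ransomware intrusions")

    # Question 2: credit compensating controls we actually have in place.
    covered = v.mitigated_by & org.controls
    if covered:
        score -= 2
        reasons.append("exploitation partly mitigated by " + ", ".join(sorted(covered)))

    return max(score, 0), reasons


def prioritize(vulns: List[Vuln], org: OrgProfile) -> List[Tuple[str, int, List[str]]]:
    """Rank vulnerabilities by score (descending), then by id for a stable order."""
    scored = [(v.vuln_id, *triage_score(v, org)) for v in vulns]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed sample data: a spyware-vendor browser zero-day, a ransomware-abused
# edge-device bug, and an unexploited finding. None of these are real.
SAMPLE_VULNS = [
    Vuln("VULN-A", exploited_in_wild=True, actor_type="commercial_spyware",
         actor_targets={"journalists", "civil_society"}, mitigated_by={"MDR"}),
    Vuln("VULN-B", exploited_in_wild=True, actor_type="ransomware",
         actor_targets={"manufacturing", "healthcare", "finance"},
         used_in_ransomware=True, mitigated_by={"MDR"}),
    Vuln("VULN-C", exploited_in_wild=False, actor_type="unknown"),
]
SAMPLE_ORG = OrgProfile(sector="manufacturing", controls={"MDR", "DLP"})


if __name__ == "__main__":
    for vuln_id, score, reasons in prioritize(SAMPLE_VULNS, SAMPLE_ORG):
        print(f"{vuln_id}: {score}  ({'; '.join(reasons) or 'no exploitation signal'})")
```

With the sample organization, the ransomware-abused bug lands first (in the wild, actor targets the sector, ransomware use, minus credit for MDR), the spyware-vendor zero-day second (in the wild, but the actor does not target the sector and MDR covers it), and the unexploited finding last. The reasons list is what you would put in the ticket so the ordering is defensible to whoever asks why the headline zero-day was not patched first.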

Insurance companies should ask similar questions.

  • Is this threat actor likely to target my clients?
  • Have I helped my clients prioritize more relevant vulnerabilities such as those used in ransomware attacks?
  • Do my clients have other cybersecurity risk mitigations in place and fast access to a response team?

This report draws attention to the concerning issue of commercial spyware and also provides a strong case for organizations to consider attribution and threat intelligence when prioritizing vulnerabilities.

Published On: February 8, 2024. Categories: Blog, Resources
