Takeaways from the Google Report on Zero-days
By Karla Reffold
Google issued a report this week about the proliferation of commercial spyware tools and their link to zero-days in Google's own products.
In 2023, 20 of the 25 zero-days in Google products that were exploited in the wild were attributed to commercial spyware vendors. This revelation highlights two important issues.
The first is the focus of the Google report. Commercial spyware is fueling the zero-day market. Throughout the history of cybersecurity, an underground market has existed for vulnerabilities. As researchers discover these vulnerabilities, they can sell them via bug bounty programs or to access brokers. In this case, researchers are selling them to either access brokers or spyware companies directly. These vulnerabilities can be chained together or paired with stolen credentials to provide spyware companies the access they need.
The second issue is more relevant to the wider industry. Zero-days are increasingly hard to find and increasingly valuable. This limits the threat actors who can take advantage of them to the ones with the most resources. Typically, this means nation-state actors. However, zero-days can also be used by well-resourced ransomware groups, particularly those targeting very large companies. It is important to point out that most businesses are not targets of these groups.
There is a considerable amount of noise generated by cyber threat intelligence and the discovery of new vulnerabilities. Understanding which vulnerabilities to prioritize is a challenge, even for well-resourced teams.
Organizations should consider the following:
- Is the group exploiting this vulnerability likely to target my organization?
- If this vulnerability were exploited, what cybersecurity risk mitigations do I have in place, such as managed detection and response (MDR), data loss prevention (DLP), etc.?
- Are there other vulnerabilities being exploited by threat actors that are relevant to me that I should patch first?
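The three questions above can be turned into a simple threat-informed triage score. The following is an added example, not code from the post or from Google's report; every vulnerability identifier, actor category, CVSS value and control weight in it is a constructed placeholder (deliberately not real CVE numbers or real intelligence data), and the weights are assumptions chosen only to illustrate the ranking logic.

```python
# Added example (not from the post): a threat-informed triage score that
# encodes the three prioritization questions. All identifiers, actor
# categories and weights are constructed placeholders, not real CVEs or intel.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str              # placeholder id, deliberately not a CVE number
    cvss: float               # published base severity
    exploited_in_wild: bool   # confirmed in-the-wild exploitation
    exploited_by: frozenset   # actor categories observed using it
    in_estate: bool           # is the affected product in our inventory?


@dataclass(frozen=True)
class OrgProfile:
    likely_adversaries: frozenset  # actor categories that plausibly target us
    controls: frozenset            # compensating controls already deployed


# Assumed weights: how much each control reduces residual priority (capped).
CONTROL_DISCOUNT = {"mdr": 0.15, "dlp": 0.10, "ir-retainer": 0.05}
MAX_DISCOUNT = 0.40


def actor_relevance(v: Vuln, org: OrgProfile) -> float:
    """Question 1: is the group exploiting this likely to target us?"""
    if not v.exploited_in_wild:
        return 0.3   # no known exploitation: severity alone drives the score
    if v.exploited_by & org.likely_adversaries:
        return 1.0   # exploited by an actor whose victim profile includes us
    return 0.5       # exploited, but by actors with a different victim profile


def priority_score(v: Vuln, org: OrgProfile) -> float:
    """Questions 1 and 2: severity times relevance, discounted by controls."""
    if not v.in_estate:
        return 0.0   # not in our estate: nothing to patch
    score = (v.cvss / 10.0) * actor_relevance(v, org)
    discount = min(sum(CONTROL_DISCOUNT.get(c, 0.0) for c in org.controls), MAX_DISCOUNT)
    return round(score * (1.0 - discount), 3)


def rank(vulns, org: OrgProfile):
    """Question 3: order the backlog so the most relevant exploited bug is first."""
    scored = [(priority_score(v, org), v.vuln_id) for v in vulns]
    return [vid for score, vid in sorted(scored, key=lambda s: -s[0]) if score > 0]


# Constructed sample backlog: a browser zero-day used by a spyware vendor, a VPN
# bug used by ransomware crews, a high-CVSS bug with no known exploitation, and
# an exploited bug in a product we do not run.
SAMPLE_VULNS = (
    Vuln("VULN-BROWSER-1", 8.8, True, frozenset({"spyware-vendor"}), True),
    Vuln("VULN-VPN-2", 9.8, True, frozenset({"ransomware"}), True),
    Vuln("VULN-CMS-3", 9.9, False, frozenset(), True),
    Vuln("VULN-MAIL-4", 9.8, True, frozenset({"ransomware"}), False),
)

# Two constructed organizations: a typical business with MDR and DLP in place,
# and a high-value target that commercial spyware operators would plausibly aim at.
SMB_PROFILE = OrgProfile(frozenset({"ransomware", "opportunistic"}), frozenset({"mdr", "dlp"}))
HIGH_VALUE_PROFILE = OrgProfile(frozenset({"spyware-vendor", "nation-state"}), frozenset())


if __name__ == "__main__":
    for name, profile in (("small business", SMB_PROFILE), ("high-value target", HIGH_VALUE_PROFILE)):
        print(name, "->", rank(SAMPLE_VULNS, profile))
```

For the small business the ransomware-exploited VPN bug outranks the spyware vendor's browser zero-day, and the highest-CVSS bug with no known exploitation comes last; for the high-value target the same browser zero-day moves to the top. The same vulnerability list produces a different patch order purely because of who is likely to use each bug and which controls are already in place, which is the point the questions above are making.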
Insurance companies should ask similar questions:
- Is this threat actor likely to target my clients?
- Have I helped my clients prioritize more relevant vulnerabilities such as those used in ransomware attacks?
- Do my clients have other cybersecurity risk mitigations in place and fast access to a response team?
This report draws attention to the concerning issue of commercial spyware and also provides a strong case for organizations to consider attribution and threat intelligence when prioritizing vulnerabilities.