Zero-Day Surge Led to More Rapid Exploitation of Bugs in 2021

New vulnerability study shows how "attacker economies of scale" have shaped the risk landscape.


Twice as many software vulnerabilities were exploited as zero-days last year -- attacked before vendors had a chance to patch them -- as in 2020, and more than half of the most impactful vulnerabilities began with a zero-day exploit, a new study shows.

Rapid7 studied the 50 highest-impact vulnerabilities of 2021, those most likely to threaten businesses, 43 of which were exploited in the wild -- including 20 that were exploited before a patch was available. The research shows that more than half of the exploited vulnerabilities in the study were attacked within a week of their public disclosure, and the average time to known exploitation shrank to 12 days in 2021 from 42 days in 2020.

Not surprisingly, some 60% of the widespread vulnerability threats were used in ransomware attacks, as broad, opportunistic attacks grew overall last year relative to targeted ones, the report says.

"Attacker economies of scale have played a big part here — it's increasingly common for critical vulnerabilities in popular technology to be weaponized quickly by ransomware and coin-mining groups whose operations rely on widespread exploitation to profit. We've also seen instances where two or three or more APT groups are exploiting critical vulnerabilities alongside more opportunistic attackers," says Caitlin Condon, vulnerability research manager at Rapid7. And the industry is seeing more of these attacks because there's more visibility and sharing of that information, she says.

"There's consensus that zero-day attacks hit an all-time high in 2021. We intentionally weren't indexing on zero-day exploits in our data, and still we saw a big uptick in zero-day attacks. Worse, more than half of *widespread* threats began with a zero-day exploit. That's insane," Condon tweeted today.

According to Rapid7's report, which details the vulnerabilities and attack-chain trends, including the well-documented Microsoft Exchange and Windows Print Spooler vulns exposed and attacked last year, the surge in zero-day attacks was the main reason the exploitation window narrowed, which in turn put organizations under added pressure to respond to the newest threats and to patch quickly.

"First and foremost, security and IT teams have been operating in a highly elevated threat climate. We can validate that with data — these folks have been working triple-time combating threats over the past year and a half, and their jobs have included complex risk communications as well as actual operations work. Many of them have been working with limited resources in part because of the lingering effects of the pandemic," Condon told Dark Reading. "Second, in a world where mass exploitation is starting within days or hours of disclosure, it's critically important for organizations to be good at the basics of vulnerability risk management so they can define and iterate on emergency procedures."

Layered defense, too, is key here, Condon says. "One of the most paradoxical parts of an elevated risk climate is that guidance remains steady. Think of this as weathering a tough economy: Diversify, don't panic, and take a long view."

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
