Why zero-day exploitation is rising, and what CISA is doing about it

Zero-day exploitation is on the rise—and the nation’s top cybersecurity watchdog warns that the feds are targets too.

In November, Cybersecurity and Infrastructure Security Agency (CISA) Associate Director for Capacity Building in Cybersecurity Michael Duffy warned attendees at the Imagine Nation ELC conference that the agency has noticed “really high increase in zero-day activity, exploits that we’re seeing across the globe, really affecting the federal government networks.”

Duffy added that 2023 had seen some of the first instances of ransomware attacks on federal targets, according to Cyberscoop.

Nasty surprises. The exact number of zero-day exploits discovered in the wild fluctuates year to year, but tends to rise over time. Maddie Stone, security researcher at Google’s Threat Analysis Group (TAG), wrote in July 2023 that researchers found 41 such zero days in 2022, down from 69 in 2021, though those years were the highest on record dating to 2014.

Similarly, security firm Mandiant tracked 55 exploited zero days in 2022—lower than the 81 it found in 2021, but almost double those it found in 2020. Jared Semrau, Mandiant Intelligence’s senior manager of vulnerability and exploitation, said 2023 is on track to be the highest year on record in their data.

Semrau attributed growth in zero days to three main groups of actors: state-sponsored hackers, financially motivated criminal organizations, and third-party offensive capability providers who sell exploits to governments. Modern software development practices also tend to result in common vulnerabilities down the road, he said, and patch development tends to focus on temporary mitigations rather than underlying causes.

“It’s not that zero days became more important,” Semrau told IT Brew. “The availability of them is increasing.”

Threat actors, whether state-sponsored groups or criminal gangs, have switched from primarily relying on shared exploit kits to developing their own zero days in-house—meaning there is “just kind of a natural need for increased development of zero days.”

Because they’re so expensive to develop, zero days tend to be used in targeted attacks. So, while more zero days might be being used in general, they’re not “necessarily impacting as wide a potential attacker base,” Semrau added.

Lindsey Cerkovnik, CISA’s industrial control systems (ICS) vulnerability disclosure lead, told IT Brew that certain kinds of vulnerabilities tend to pop up over and over.

“Buffer overflows, other memory-related vulnerabilities,” Cerkovnik said. “We see those quite commonly exploited as zero days…We also see things like improper input, improper neutralization.”

What CISA is doing about it. CISA’s “focus is on giving federal agencies the tools and capabilities they need to be able to respond quickly when zero days pop up,” not the trend line year over year, Doc McConnell, director of the agency’s Federal Enterprise Improvement Team, told IT Brew.

“We make that information available—required for the federal agencies to meet, available for critical infrastructure operators,” McConnell told IT Brew. The agency also operates the Continuous Diagnostics and Mitigation (CDM) program, which gives “direct, continuous visibility into the hardware and software assets that are actively in use across the federal government,” he added.

Cerkovnik said the agency is encouraging developers to adopt secure by design principles, as well as provide more complete Common Vulnerabilities and Exposures (CVE) information and switch to memory-safe programming.

“The first [principle] is ensuring CVE completeness…encouraging organizations like vendors and manufacturers who provide CVE record information to publish the root cause, or the common weakness enumeration,” Cerkovnik told IT Brew.

“Transitioning to the use of memory safe programming languages could potentially eliminate, or at least significantly reduce, that entire class of vulnerability,” Cerkovnik added.