Cybersecurity

Reports find spikes in vulnerability exploits

One problem with zero days? Zero time to patch.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Recent industry reports have highlighted a high share of intrusions that begin with vulnerability exploits, and an early lead for attackers over organizations still looking for a patch.

  • Mandiant’s M-Trends, released in April, noted that exploits beat out phishing (second) and prior compromises (third) as the “most prevalent adversary initial infection vector” in the company’s annual study of incident response investigations. Some 38% of intrusions began with an exploit—a 6% increase from 2022, according to the research.
  • Verizon’s Data Breach Investigations Report, published in May, revealed a 180% increase YoY in vulnerability exploits as an initial step in a breach.
  • Rapid7’s 2024 Attack Intelligence Report, published on May 21, found that for the second time in three years, more mass compromise events arose from zero-day, or unknown, vulnerabilities than from the known, n-day vulnerabilities.

Verizon found a five-day median time to detection of exploitation for vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. (Verizon also found that orgs, on average, took about 55 days to remediate 50% of CISA KEVs once patches became available.)
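The "days to remediate 50% of KEVs" figure above is easy to track for your own environment. The following is an added example, not code from the article or from Verizon's methodology: it assumes a record per KEV entry holding the date the entry was listed and the date you patched it, treats still-unpatched entries as counting against the fraction, and uses placeholder CVE identifiers and constructed dates.

```python
import math
from datetime import date

# Constructed sample records (placeholder CVE ids, made-up dates): the day the
# entry appeared in the CISA KEV catalog and the day this org patched it
# (None = still unpatched as of the reporting date).
KEV_PATCH_RECORDS = [
    {"cve": "CVE-0000-0001", "kev_added": date(2024, 1, 2), "patched": date(2024, 1, 12)},   # 10 days
    {"cve": "CVE-0000-0002", "kev_added": date(2024, 1, 5), "patched": date(2024, 2, 29)},   # 55 days
    {"cve": "CVE-0000-0003", "kev_added": date(2024, 1, 9), "patched": date(2024, 1, 29)},   # 20 days
    {"cve": "CVE-0000-0004", "kev_added": date(2024, 2, 1), "patched": None},                # open
    {"cve": "CVE-0000-0005", "kev_added": date(2024, 2, 3), "patched": date(2024, 4, 13)},   # 70 days
    {"cve": "CVE-0000-0006", "kev_added": date(2024, 2, 10), "patched": None},               # open
]


def remediation_days(records):
    """Sorted list of days from KEV listing to patch, patched entries only."""
    return sorted((r["patched"] - r["kev_added"]).days for r in records if r["patched"])


def days_to_remediate_fraction(records, fraction=0.5):
    """Days after KEV listing by which `fraction` of ALL entries were patched.

    Unpatched entries still count in the denominator, so the metric is None
    when the org never reached that fraction (assumed semantics, see lead-in).
    """
    durations = remediation_days(records)
    needed = math.ceil(fraction * len(records))
    if needed == 0:
        return 0
    if needed > len(durations):
        return None
    return durations[needed - 1]


def fraction_patched_by(records, days):
    """Share of all KEV entries patched within `days` of being listed."""
    return sum(1 for d in remediation_days(records) if d <= days) / len(records)


def open_beyond(records, as_of, max_days):
    """CVE ids still unpatched and listed more than `max_days` ago, oldest first."""
    stale = [r for r in records
             if r["patched"] is None and (as_of - r["kev_added"]).days > max_days]
    return [r["cve"] for r in sorted(stale, key=lambda r: r["kev_added"])]


if __name__ == "__main__":
    print("days to remediate 50%:", days_to_remediate_fraction(KEV_PATCH_RECORDS))
    print("still open past 60 days:", open_beyond(KEV_PATCH_RECORDS, date(2024, 4, 30), 60))
```

With the constructed data the 50% mark lands at 55 days, the same figure Verizon reports, and the 75% mark is never reached because two entries remain open.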

“There’s a giant gap there in targets of opportunity for the threat actors,” Chris Novak, senior director of cybersecurity consulting at Verizon Business, told IT Brew.

A May post from the cyber threat intelligence company VulnCheck showed that 31% of vulnerabilities found via the company’s exploit and vulnerability intelligence service have at least one proof-of-concept exploit available. Patrick Garrity, security researcher at VulnCheck, said the availability makes exploits easier to leverage—easier, perhaps, than credential compromises that require defeating multi-factor authentication (MFA).

“Threat actors see opportunistically that credential compromise, with MFA being implemented, might be getting harder. And so naturally, they’re moving up the stack to the next low-hanging fruit from an attack perspective, which is exploitation,” Garrity told IT Brew.

Garrity recommends that orgs reduce their attack surface: shut down firewall port access, and update, and reduce dependency on, internet-facing management devices like SSL VPNs. (Network devices are a popular target, according to Rapid7’s report, which found that “mass compromise events stemming from exploitation of network edge devices have almost doubled since the start of 2023, with 36% of widely exploited vulnerabilities occurring in network perimeter technologies.”)