Posted on February 4, 2021 at 11:53 AM
Threat Actors Are Finding It Very Easy To Exploit Zero-days, Google Says
Tech giant Google has hinted that companies are allowing threat actors to attack them over and over again because they are not doing what is necessary when it comes to security. The researchers pointed out several instances where not enough was done to protect servers, even after information about an exploit had been received.
In December 2018, a group of threat actors who targeted Microsoft’s Internet Explorer was discovered by Google’s research team. But they didn’t succeed because any new development to the Explorer was shut down in 2016. However, the hackers’ activities show that they will stop at nothing to compromise any server or system they find vulnerable.
The hackers who were looking for zero-day vulnerabilities saw one exploit being used in the wild. Soon after that, another vulnerability was reported and was being exploited by the same hacking group.
Stone, a member of Google’s Project Zero security team, presented multiple instances where vulnerabilities can be easily exploited, as well as the challenges Google is facing with its popular Chrome browser.
“Incomplete patches are making it easier for attackers to exploit users with zero-days,” Stone pointed out.
Multiple exposures in the past
There were similar vulnerabilities in 2019 and 2020 that pointed to at least 5 zero-day vulnerabilities that were exploited from the same vulnerability class.
On several occasions, Microsoft issued multiple security alerts to warn companies about the hidden plans of the threat actors. While some of the companies didn’t fix the vulnerabilities, others only made minor changes that still left loopholes open to possible exploitation.
“Once you understand a single one of those bugs, you could then just change a few lines and continue to have working zero-days,” the researchers stated.
The Google researchers pointed out that companies are making it easier for attackers because they no longer have to dig too deep to find a new vulnerability. Rather, they are relying on the previously visible ones that were slightly updated. Google said hackers are now reusing lots of different vulnerabilities for exploits.
Project Zero is the cybersecurity wing of Google, whose responsibility is to locate and sort out zero-day flaws. The same vulnerabilities are also actively hunted by hackers and threat actors of different grades.
The security team was founded six years ago, but it has succeeded in tracking more than 150 major zero-day vulnerabilities.
Last year alone, the team disclosed about 24 vulnerabilities that were exploited, with a quarter of them sharing similar features with previously disclosed bugs.
Three of the vulnerabilities were not patched correctly, allowing the threat actors to easily tweak them and attack the systems. The Google team says several such attacks are caused by basic mistakes.
Limited time and resources for security teams
Stone has given likely reasons why the companies are not able to fix their security bugs correctly. According to her, many of the security teams in the software companies do not have enough time and resources to patch vulnerabilities as they should.
Since their incentives and priorities are flawed, they only try to correct the vulnerability they are alerted about, leaving the larger picture still open to more exploitation.
In many cases, a single vulnerability can be connected to other zero-day vulnerabilities. Even when the exposed vulnerability is corrected, that doesn’t make the related ones unreachable by the threat actors. In reality, many attackers do not just give up after a company has patched a vulnerability. They usually search for more loopholes, believing that the discovery of a single bug means that other bugs probably exist within such a system.
Changing the security landscape
Other researchers have also corroborated Stone’s statements. According to John Simpson of security firm Trend Micro, several zero-days he has discovered are basically the result of half-baked patches to vulnerabilities. The vendor fixed the vulnerability in a one-sided manner, allowing the threat actors to look into other vulnerability possibilities.
He added that organizations will continue to have serious cybersecurity issues if they don’t do more than fixing the vulnerability presented to them. They should do extra homework to make sure the entire line of security is intact. He added that money and time are needed to follow the right software security protocols.