A zero-day exploit—a way to launch a cyberattack via a previously unknown vulnerability—is just about the most valuable thing a hacker can possess. These exploits can carry price tags north of $1 million on the open market.
And this year, cybersecurity defenders have caught the highest number ever, according to multiple databases, researchers, and cybersecurity companies who spoke to MIT Technology Review. At least 66 zero-days have been found in use this year, according to databases such as the 0-day tracking project—almost double the total for 2020, and more than in any other year on record.
But while the record-setting number grabs attention, it can be hard to know what it tells us. Does it mean there are more zero-days being used than ever? Or are defenders better at catching the hackers they would have previously missed?
“An increase is for sure what we’re seeing,” says Eric Doerr, vice president of cloud security at Microsoft. “The interesting question is what does it mean? Is the sky falling? I’m in the camp of ‘Well, it’s nuanced.’”
Hackers are “operating at full tilt”
One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools.
Powerful groups are all pouring heaps of cash into zero-days to use for themselves—and they’re reaping the rewards.
At the top of the food chain are the government-sponsored hackers. China alone is suspected to be responsible for nine zero-days this year, says Jared Semrau, a director of vulnerability and exploitation at the American cybersecurity firm FireEye Mandiant. The US and its allies clearly possess some of the most sophisticated hacking capabilities, and there is rising talk of using those tools more aggressively.
“We have this top tier of sophisticated espionage actors who are definitely operating at full tilt in a way we hadn’t seen in past years,” says Semrau.
Few who want zero-days have the capabilities of Beijing and Washington. Most countries seeking powerful exploits don’t have the talent or infrastructure to develop them domestically, and so they purchase them instead.
It’s easier than ever to buy zero-days from the growing exploit industry. What was once prohibitively expensive and high-end is now more widely accessible.
“We saw these state groups go to NSO Group or Candiru, these increasingly well-known services that let countries trade financial resources for offensive capability,” Semrau says. The United Arab Emirates, the United States, and European and Asian powers have all poured money into the exploit industry.
And cybercriminals, too, have used zero-day attacks to make money in recent years, finding flaws in software that allow them to run valuable ransomware schemes.
“Financially motivated actors are more sophisticated than ever,” Semrau says. “One-third of the zero-days we’ve tracked recently can be traced directly back to financially motivated actors. So they’re playing a significant role in this increase which I don’t think many people are giving credit for.”
Cyberdefenders have a better spotlight
While there may be an increasing number of people developing or buying zero-days, the record number reported isn’t necessarily a bad thing. In fact, some experts say it might be mostly good news.
No one we spoke to believes that the total number of zero-day attacks more than doubled in such a short period of time—just the number that have been caught. That suggests defenders are becoming better at catching hackers in the act.
You can look at the data, such as Google’s zero-day spreadsheet, which tracks nearly a decade of significant hacks that were caught in the wild.
One change the trend may reflect is that there’s more money available for defense, not least from larger bug bounties and rewards put forward by tech companies for the discovery of new zero-day vulnerabilities. But there are also better tools.
Defenders have clearly gone from being able to catch only relatively simple attacks to detecting more complex hacks, says Mark Dowd, founder of Azimuth Security. “I think this denotes an escalation in the ability to detect more sophisticated attacks,” he says.
Groups like Google’s Threat Analysis Group (TAG), Kaspersky’s Global Research & Analysis Team (GReAT), and Microsoft’s Threat Intelligence Center (MSTIC) have enormous troves of talent, resources, and data—so much, in fact, that they rival an intelligence agency’s capabilities to detect and track adversary hackers.
Companies like Microsoft and CrowdStrike are among those that run detection efforts on a massive scale. Where old tools, such as antivirus software, meant fewer eyeballs on strange activity, today a large company can catch a small anomaly across millions of machines and then trace it back to the zero-day that was used to get in.
“Part of the reason you’re seeing more now is because we’re finding more,” says Microsoft’s Doerr. “We’re better at shining a spotlight. Now you can learn from what’s happening at all your customers, which helps you get smarter faster. In the bad situation where you see something new, that will impact one customer instead of 10,000.”
The reality is a lot messier than the theory, however. Earlier this year, multiple hacking groups launched offensives against Microsoft Exchange email servers. What started as a critical zero-day attack briefly became even worse in the period after a fix became available but before it was actually applied to users. That gap is a sweet spot hackers love to hit.
As a rule, however, Doerr is spot on.
Exploits are getting harder—and more valuable
Even if zero-days are being seen more than ever, there is one fact that all the experts agree on: they are getting harder and more expensive to pull off.
Better defenses and more complicated systems mean hackers have to do more work to break into a target than they did a decade ago—attacks are costlier and require more resources. The payoff, however, is that with so many companies operating in the cloud, a vulnerability can open millions of customers up to attack.
“Ten years ago, when everything was on premises, a lot of the attacks only one company would see,” says Doerr, “and few companies were equipped to understand what was going on.”
Faced with improving defenses, hackers often must link together multiple exploits instead of using just one. These “exploit chains” require more zero-days. Success at spotting these chains is also part of the reason for the steep rise in numbers.
Today, says Dowd, attackers are “having to invest more and risk more by having these chains to achieve their goals.”
One important signal comes from the rising cost of the most valuable exploits. The limited data available, such as Zerodium’s public zero-day prices, shows as much as a 1,150% rise in the cost of the highest-end hacks over the last three years.
But even if zero-day attacks are harder, the demand has risen, and supply follows. The sky might not be falling—but neither is it a perfectly sunny day.