Microsoft warns of “disturbing” increase in aggressive nation state cyber activity


Microsoft says that over the past year it observed more state-backed threat actors and cybercriminals exploiting zero-day vulnerabilities soon after their public disclosure to break into target networks.

“While zero-day vulnerability attacks tend to initially target a limited set of organizations, they are quickly adopted into the larger threat actor ecosystem. This kicks off a race for threat actors to exploit the vulnerability as widely as possible before their potential targets install patches,” the tech giant wrote in its 114-page Digital Defense Report, adding that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a vulnerability.
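The practical consequence of that 14-day figure is that a patch SLA longer than two weeks leaves an asset exposed for most of the window in which exploitation is spreading. The following is an added example, not code from Microsoft's report or from this article: a small triage routine that, given a list of findings with their disclosure and patch dates, computes how long each asset stayed exposed after disclosure, flags those that crossed the 14-day mark, and orders unpatched assets first. The CVE identifiers in the sample data are the ones the report names; the asset names and dates are constructed sample values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Figure quoted above from Microsoft's Digital Defense Report: on average an
# exploit is available in the wild 14 days after public disclosure.
EXPLOIT_WINDOW_DAYS = 14


@dataclass
class Finding:
    asset: str
    cve: str
    disclosed: date           # public disclosure date of the vulnerability
    patched: Optional[date]   # date the asset was patched, or None if still open


@dataclass
class Triage:
    asset: str
    cve: str
    exposed_days: int         # days from disclosure to patch (or to today if unpatched)
    beyond_window: bool       # True once exposure exceeds the 14-day average
    unpatched: bool           # True if the asset is still unpatched


def triage(findings: List[Finding], today: date) -> List[Triage]:
    """Rank findings: unpatched assets first, then longest exposure first."""
    rows = []
    for f in findings:
        end = f.patched or today
        exposed = (end - f.disclosed).days
        rows.append(Triage(f.asset, f.cve, exposed,
                           exposed > EXPLOIT_WINDOW_DAYS, f.patched is None))
    rows.sort(key=lambda r: (not r.unpatched, -r.exposed_days))
    return rows


def sla_report(findings: List[Finding], today: date,
               sla_days: int = EXPLOIT_WINDOW_DAYS) -> List[Triage]:
    """Return only the findings whose exposure exceeded the patch SLA."""
    return [r for r in triage(findings, today) if r.exposed_days > sla_days]


# Constructed sample data (hypothetical asset names and dates; the CVE
# identifiers are those named in the report).
SAMPLE = [
    Finding("confluence-01", "CVE-2022-26134", date(2022, 6, 2), date(2022, 6, 4)),
    Finding("servu-edge", "CVE-2021-35211", date(2021, 7, 9), date(2021, 8, 20)),
    Finding("exchange-dc1", "CVE-2021-42321", date(2021, 11, 9), None),
]
SAMPLE_TODAY = date(2022, 7, 1)   # hypothetical "today" for the sample run

if __name__ == "__main__":
    for row in triage(SAMPLE, SAMPLE_TODAY):
        status = "UNPATCHED" if row.unpatched else "patched"
        flag = "past 14-day window" if row.beyond_window else "inside window"
        print(f"{row.asset:14} {row.cve:15} {row.exposed_days:4d}d {status:9} {flag}")
```

Running the sample lists the still-open Exchange host first, then the Serv-U host, which was patched but only after 42 days, with the Confluence host last because it was patched two days after disclosure. Feeding real inventory data in the same shape gives a quick view of which assets were, or still are, exposed beyond the point at which the report says exploits are typically circulating.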

The company noted that nation-state actors’ cyber targeting spanned the globe this past year, with a particularly heavy focus on businesses in the US and UK followed by organizations in Israel, the UAE, Canada, Germany, India, Switzerland, and Japan.

Although many state-backed hacker groups are known to develop zero-day exploits, Chinese threat actors were especially prolific over the past year. Microsoft attributes the spike to China's vulnerability reporting regulation, in force since September 2021, which requires Chinese security researchers to report newly discovered vulnerabilities to a state security authority.

“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them. The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority,” the company notes.

The report lists five zero-days that were first exploited by Chinese actors: two in Zoho ManageEngine (CVE-2021-40539 and CVE-2021-44077), and one each in SolarWinds Serv-U (CVE-2021-35211), Atlassian Confluence (CVE-2022-26134), and Microsoft Exchange (CVE-2021-42321).

According to Microsoft, nation-state actors have also increasingly used ransomware in their attacks, often reusing ransomware developed by other cybercriminals. The company observed both Iran- and North Korea-based actors deploying commodity ransomware tools to damage targeted systems, often including critical infrastructure, in rival countries in their regions.

Microsoft also said in its report that the share of nation-state cyberattacks targeting critical infrastructure rose from 20% to 40%, largely driven by the Russo-Ukrainian war: Russia's massive attacks on Ukraine's infrastructure and its aggressive espionage against Ukraine's allies, including the US.