Of the roughly 35 million business entities in the United States today, all but a small fraction are seriously outgunned by today’s cyber attackers. But even those well-prepared organizations with sophisticated cybersecurity programs are hard pressed to defend against zero-day attacks. A zero-day vulnerability is a security flaw that is disclosed to the public at the same time the maker of the vulnerable software learns about it. Effectively, the vendor has “zero days” to prepare a fix, and users have “zero days” to protect their vulnerable systems against attackers who want to exploit that flaw. Just a few years ago, zero-days were primarily the province of government agencies and military contractors, but today a wide range of threat actors are exploiting zero-days in the wild.
During a recent Nokoyawa ransomware campaign [1], for example, cyber criminals launched highly sophisticated attacks that leveraged a Windows zero-day vulnerability to mount financially motivated ransomware attacks against businesses around the world. Microsoft quickly issued a patch, but attackers had already been exploiting the vulnerability to launch ransomware attacks for months before the patch was even created. Organizations with vulnerable systems may have been compromised without knowing it, so even after a zero-day vulnerability is patched, attackers may quietly remain inside compromised networks unless security teams hunt them down and root them out. Such persistence typically leads to devastating ransomware and data breach attacks.
Zero-day exploits have been used in many high-profile cyber attacks, such as the WannaCry attack [2] that affected hundreds of thousands of computers in over 150 countries, causing billions of dollars in damages. The SolarWinds attack [3] impacted many of its 18,000 customers, including U.S. government agencies and private companies globally. Some zero-day exploits have the capability to inflict widespread, or even catastrophic, damage, either directly by attacking systems that are ubiquitous (like the Log4Shell zero-day [4]), or by causing cascading failures, such as an attack against an electric utility, a DNS provider or a major cloud provider.
The skills required to develop zero-day exploits (the software code used to leverage a zero-day vulnerability for an attack) are highly valued, and, as with sophisticated weapons, a range of markets exists where such exploits are bought and sold. There are different types of zero-day markets, including public markets, private markets, and gray markets. Public markets are open to anyone, while private markets are invitation-only. Gray market participants may be ethical hackers or security researchers who have discovered vulnerabilities and exploits. Government agencies and large corporations may also seek to purchase these vulnerabilities for intelligence gathering or to protect their own systems. Transactions on these markets are often conducted anonymously using cryptocurrencies, but it is known that some zero-day exploits have sold for millions of dollars. It is worth noting that these markets provide economic incentives that have resulted in a rapidly growing supply of zero-day exploits, and in their widespread use by an ever-increasing range of threat actors and financially motivated cyber criminals.
While zero-day exploits are valuable to cyber criminals and nation-states looking to conduct espionage or other malicious activities, they can also have severe consequences for the affected insureds and insurers. Therefore, it is crucial to have proper measures in place to identify and mitigate zero-day vulnerabilities to prevent potential harm.
A Concern for Insurers
Insurers are concerned about zero-day exploits since they are hard to predict and could lead to significant systemic impacts on their portfolios. For example, if one or more of the big cloud providers or other widely used software-as-a-service providers were to be hit with a zero-day exploit like the one that took down Rackspace’s hosted Exchange service [5] for several weeks at the end of 2022, the result could be a very material impact on insurance portfolios. In addition, while attackers are quick to exploit zero-day vulnerabilities, systems administrators are not always so fast. Approximately 60,000 Exchange servers remain unpatched and vulnerable [6], more than two months after Microsoft released a patch for the zero-day. Even large organizations with adequate resources sometimes lack staff with the knowledge required to adequately address these problems, resulting in systems with zero-day vulnerabilities left unpatched and publicly exposed for months or even years.
For this reason, it is critically important for insurers to maintain continuous visibility into zero-days and other critical vulnerabilities and to find ways to proactively identify and mitigate these risks, protecting their portfolios from potential aggregate losses. Such aggregate losses can also result in reduced insurer profitability, increased capital requirements, and possible rating downgrades from credit rating agencies.
CyRisk is committed to helping insurers identify and monitor zero-day and ransomware vulnerabilities across their portfolios. For information on CyRisk’s Zero Day Detection and Ransomware Detection products, visit our website at https://cyrisk.com/cyrisk-zed or contact Sales@CyRisk.com
[4] https://www.techzine.eu/blogs/security/105864/log4shell-in-2023-big-impact-still-reverberates/