xorl %eax, %eax

Overview of 0days seen in the wild the last 7 years


Starting in 2019, Google’s Project Zero (P0) team published a tracker for all 0days that were discovered to be exploited in the wild (either by Google or others). The data in this tracker start from August 2014 and continue to this day (for this post, that is October 2021).

Using this data source, I created some simple graphs to better understand the 0day threat landscape for all of us tasked with cybersecurity responsibilities.

There are, however, a couple of assumptions I’m making by using this data set:

  • This is a representative sample of all the 0days used in the wild
  • The data collected in this tracker are accurate

So, let’s start with the trend, which is one of the least useful graphs but the one people are regularly interested in. The reason it is generally useless is that the dates are the dates when those 0days were officially patched, not when they were initially acquired by the threat actors or first used operationally. Additionally, those patching dates depend on the cybersecurity industry and community actively working to discover and remediate 0days in the wild. So there might have been periods when those companies/people had different priorities and didn’t dedicate as much time to threat hunting and remediation for 0days.

For all those reasons, I do not consider the following one particularly useful but added it here for completeness. If there is any conclusion someone could draw from this, it is that the end of the year and early winter is consistently the period where the least amount of 0day discoveries and mitigations happen.

A far more interesting statistic is which are the top targets. That can help us focus on what is more likely to get hit with 0days in the future. Looking at the statistics for the last 7 years (2014-2021) it is clear that by far the top target is Microsoft (50%), followed by Adobe (13.9%), Google (11.9%), and then Apple (10.3%).

Later in this post I’ll go into more detail on each of the most commonly targeted products of those vendors, which can help us drive our priorities (e.g. where to hunt for more, what to protect more, which are the highest-risk vendors) or even understand what most threat actors are interested in acquiring.

The second high-level overview graph that is particularly interesting is the type of vulnerability exploited where we see that 71.1% was memory corruption, and 16% was a logic/design flaw. This is another interesting metric since it can help us prioritize our efforts in those issues.

Interestingly, those vulnerability classes are also typically some of the hardest to thoroughly audit (especially in an automated manner), and this might be a factor in why they were the most frequently used: they are hard to discover via the automated means most vendors rely on, and they typically enable a wide variety of exploitation avenues.

Now in the next part I’ll be going through each of the top 5 vendors affected by 0days in the wild and see which of their products were targeted the most. Again, to help us prioritize our efforts accordingly.

#1 Microsoft (50% of all discovered 0days were for this vendor)

  • Windows (46.4%)
  • Internet Explorer (22.7%)
  • Office (13.4%)
  • Windows kernel (8.2%)
  • All the rest: Exchange, VBScript, XML Core Services, Defender (9.2%)

#2 Adobe (13.9% of all discovered 0days were for this vendor)

  • Flash (85.2%)
  • Reader (14.8%)

#3 Google (11.9% of all discovered 0days were for this vendor)

  • Chrome (95.7%)
  • Android (4.3%)

#4 Apple (10.3% of all discovered 0days were for this vendor)

  • iOS (55%)
  • WebKit (40%)
  • macOS (5%)

#5 Mozilla (3.6% of all discovered 0days were for this vendor)

  • Firefox (100%)

The final graph that I found particularly useful for understanding the threat landscape is the average patching time for each of those top 5 affected vendors. For this one, please note that the Google tracker does not have data for all entries. Specifically, 94.85% of the entries include both dates (discovery and patching), so this is what was used for the following calculations.

In total, the average patching time was 22.67 days from the discovery date to the patch being publicly available, but below you can also see this metric per vendor.

The average patching time (from discovery to patch being publicly available) for each of the top 5 affected vendors are:

  1. Microsoft: Average of 41.2 days between discovery and patching
  2. Adobe: Average of 8.1 days between discovery and patching
  3. Google: Average of 5.3 days between discovery and patching
  4. Apple: Average of 9 days between discovery and patching
  5. Mozilla: Average of 6.2 days between discovery and patching
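The vendor/product shares, vulnerability-type shares and discovery-to-patch latency above all come from the same kind of grouping and averaging over the tracker rows. The following is an added example (not code from the original post or from Project Zero) that reproduces that computation with only the standard library. The column names are an assumption about the tracker’s layout, and the rows are constructed sample data, not tracker entries; the point it adds is the handling of entries with a missing date, which are excluded from the latency average and reported as a coverage fraction rather than silently counted as zero.

```python
"""Added example: per-vendor / per-product / per-type shares and the
discovery-to-patch latency from 0day-tracker style rows (stdlib only).

Column names are an ASSUMPTION about the tracker layout; the rows in
SAMPLE_CSV are CONSTRUCTED sample data, not real tracker entries.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample data in the assumed column layout. The third row has
# no patch date on purpose, to exercise the missing-date handling.
SAMPLE_CSV = """\
vendor,product,type,date_discovered,date_patched
Microsoft,Windows,Memory Corruption,2021-01-05,2021-02-09
Microsoft,Internet Explorer,Memory Corruption,2021-02-01,2021-03-09
Microsoft,Office,Logic/Design Flaw,2021-03-02,
Adobe,Flash,Memory Corruption,2021-01-10,2021-01-19
Google,Chrome,Memory Corruption,2021-04-01,2021-04-06
Apple,WebKit,Memory Corruption,2021-05-01,2021-05-10
Mozilla,Firefox,Memory Corruption,2021-06-01,2021-06-07
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def share_by(rows, column):
    """Percentage breakdown of `rows` by `column`, most common first,
    rounded to one decimal (the granularity used in the post)."""
    counts = Counter(r[column] for r in rows)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.most_common()}


def product_share(rows, vendor):
    """Product breakdown within a single vendor (the per-vendor lists)."""
    return share_by([r for r in rows if r["vendor"] == vendor], "product")


def patch_latency(rows):
    """Average days from discovery to public patch.

    Only rows with both dates parseable are averaged. Returns
    (average_days rounded to 2 decimals, fraction of rows that had both
    dates rounded to 4 decimals) so the reader can see how much of the
    data set the average actually rests on. Returns (None, 0.0) when no
    row is usable.
    """
    deltas = []
    for r in rows:
        try:
            discovered = date.fromisoformat(r.get("date_discovered") or "")
            patched = date.fromisoformat(r.get("date_patched") or "")
        except ValueError:
            continue  # missing or malformed date: excluded, not counted as 0
        deltas.append((patched - discovered).days)
    if not deltas:
        return (None, 0.0)
    average = round(sum(deltas) / len(deltas), 2)
    coverage = round(len(deltas) / len(rows), 4)
    return (average, coverage)


def patch_latency_by_vendor(rows):
    """Average latency per vendor, each computed on that vendor's dated rows."""
    vendors = sorted({r["vendor"] for r in rows})
    return {v: patch_latency([r for r in rows if r["vendor"] == v])[0]
            for v in vendors}


ROWS = load_rows(SAMPLE_CSV)

if __name__ == "__main__":
    print("by vendor:", share_by(ROWS, "vendor"))
    print("by type:", share_by(ROWS, "type"))
    print("Microsoft products:", product_share(ROWS, "Microsoft"))
    avg, coverage = patch_latency(ROWS)
    print(f"overall latency: {avg} days (based on {coverage:.2%} of rows)")
    print("latency by vendor:", patch_latency_by_vendor(ROWS))
```

To run it against the real tracker, export the sheet as CSV, map its headers onto the assumed column names, and pass the file contents to `load_rows`; the coverage fraction returned by `patch_latency` is the number to quote next to any average, as the post does with its 94.85%.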

Based on the above data, Microsoft is the highest-risk vendor if we combine the number of 0days found in the wild with its average patching time of 41 days. So maybe your strategy should involve minimizing the use of those products and services, or spending more resources on security controls around them.

Another valuable insight we can derive is that the software most targeted by adversaries that employ 0day exploits is web browsers and mobile phones. Especially for the latter (mobile phones), it’s an area where most organizations do not pay sufficient attention to security, at least not to the same level as their core infrastructure services.

I’m certain there are many more assessments that can be made using the above data but hopefully that gives you a starting point and a source of inspiration on how to get strategic value from tactical information such as 0day exploits discovered in the wild.

Written by xorl

October 19, 2021 at 16:26

Offensive Security Private Companies Inventory


Over the weekend I started a small project to maintain an inventory of any private companies that are publicly mentioned as having some supporting role in offensive nation-state cyber operations, whether that is 0day brokers, software implant providers, or anything else in between.

You can find the full list here.

I’d like to say a big THANKS to all those people that contacted me and shared with me information on such companies. However, just to clarify, the list is based on OSINT so although I know that you, me, and others in our domain know of many more companies that play such a role in offensive cyber operations, I cannot list them unless there is a public reference of them being involved in this “game”.

As always, please let me know if you see anything wrong or anything missing. All changes are listed in the ChangeLog at the bottom of the inventory for transparency and change control.

Written by xorl

October 18, 2021 at 14:44

x33fcon: In nation-state actor’s shoes


x33fcon is a cybersecurity conference that I had the opportunity to attend a couple of times in previous years. This year I decided to submit a topic, and eventually it was accepted. This meant that in 2021 I also had the honour to present at x33fcon. My talk was titled “In nation-state actor’s shoes” and its goal was to give a different perspective, mainly to blue teamers, on nation-state actors.

So, I regularly use the following quote when talking about security:

If you know the enemy and know yourself, you need not fear the result of a hundred battles

Sun Tzu, The Art of War

I like it because it summarizes perfectly the challenge any security organization faces. No matter how well you know your environment, and how well you think you’re protecting it, unless you know equally well your adversaries you’ll fail. So, my talk was about this. What can we learn about nation-state actors by studying leaked material, and how can we use this to protect our organizations more effectively.

I really enjoyed researching this subject and making this talk possible since it combined multiple areas that I regularly find myself involved with. Espionage history, threat research, cryptology, security engineering, training people, etc. If you want to watch it, the x33fcon team has published it (along with all the other talks, check them out too!) in the conference’s channel on YouTube.

On a final note, I’d like to thank the amazing x33fcon team for making this event possible in this flawless manner, and for giving me the opportunity to present this research to that audience. Also, I have done a few virtual conference talks the past couple of years but this was the first time that in the speaker package there was a framed certificate of appreciation together with a beautiful hoodie. Thanks a lot x33fcon team and hope to see you again next year!

Written by xorl

August 15, 2021 at 20:32

My ICCH talk on DE-59 cipher machine


On July 10, 2021 I had the great honor to present a talk at the International Conference on Cryptologic History (also known as ICCH). Espionage and secure communications history has been one of my hobbies for quite some time, and I had even started a YouTube channel last year to share artefacts from my collection, but that talk was a whole new level for me.

In this case I did a far more thorough, multi-month research effort on a One-Time Tape (OTT) based cipher machine used by the Greek government during the Cold War, the DE-59. The device was recently declassified, but there are still very few details about it online.

The event was amazing and, as always, the participants included some of the key people of the cryptologic history space. I would never have dreamed of meeting those people, let alone presenting some cryptologic history content to them and receiving positive feedback about it.

So, excluding the introduction, the talk revolved around the DE-59. Specifically, I talked about:

  • biographical information of the people behind it
  • situation in Greece at that time
  • its invention
  • how it worked and where it was used
  • pros/cons (based on information from actual users of the device)
  • its (known) cryptanalytic history (AKA foreign intelligence attempts to break it)
  • its decommissioning
  • the important role its inventor played to secure communications in Greece

Before closing, I’d like to thank the following since without them this talk would never have been possible.

  • Association of Retired Signal Corps Officers (ΣΑΑΔΒ)
    • The only DE-59s on display are in this association’s museum, and all the people there were extremely helpful in providing me with all sorts of help and support while doing my research for this talk. If you ever consider donating your radio or crypto equipment, please consider giving it to the museum of this association. If you’re unsure how to do this, reach out to me and I’ll be happy to help.
  • Tom Perera, Ph. D.
    • Now, if you are into cryptologic history you definitely know who Dr. Tom Perera is. So, this extremely experienced, dedicated, and influential cryptology expert helped me overcome my fear of presenting in front of such an audience of world leaders in cryptology. Thank you for all the support!

Written by xorl

July 19, 2021 at 11:09

BSides Athens 2021: .GR TLD hijacking


Last year I presented a high-level/strategic cyber threat landscape for Greece as a country. My methodology back then was to split the threats into three broad categories (hacktivism, cyber-crime, and cyber-espionage) and do my research from a historical perspective, meaning what has been happening in the past and what assessments we can make from that for the future.

This year I wanted to do something different: move to the tactical level and talk about a specific cyber-espionage operation targeting Greece. Thankfully, my submission was accepted, and in mid-June I got the opportunity to present my research, which is now publicly available through the official BSides Athens YouTube channel.

I had to rush this talk a little bit due to time constraints, but hopefully I did it on the less important parts, leaving sufficient time to go through the more crucial parts of the presentation.

If you want to know more about the talk, you can watch the video. Here I’d like to use this space to encourage more people to talk about those lesser-known cyber-espionage activities, since it’s easy to get sucked into the large players like the so-called “big 4” threats to the US government, the FIVE EYES, and others. What about the rest of the world, though?

Greece is an example of that. Although a small country, I had many recent and interesting cases to choose from for this talk. Multiple Turla operations, numerous cyber-espionage operations from FIVE EYES and China… But this one was one of those subtle, yet very impactful operations for the general region, also considering the past operations of this threat actor (see the presentation for an overview of those).

So, if you’re reading this and you’re looking for research topics for your next presentation, consider researching something regional, something not so well known outside of your country… This will help everyone improve their situational awareness, and who knows… You might even uncover a previously unknown nation-state actor.

On a final note, I’d like to give a huge thanks to the BSides Athens team for all their hard work before, during, and after the event, as well as Cisco Talos, which was the only organization that publicly released some IOCs for this operation. Those were the most valuable starting point for my research. Lastly, after my talk I had the opportunity to learn many more details about this and other operations from several organizations that reached out to me, and I’d like to thank them too for all the feedback, knowledge, and experience they shared with me.

Written by xorl

July 7, 2021 at 12:01