Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather
than Skill — Intelligence for Vulnerability Management, Part One

One of the critical strategic and tactical roles that cyber threat
intelligence (CTI) plays is in the tracking, analysis, and
prioritization of software vulnerabilities that could potentially
put an organization’s data, employees and customers at risk. In this
four-part blog series, FireEye Mandiant Threat Intelligence highlights
the value of CTI in enabling vulnerability management, and unveils new
research into the latest threats, trends and recommendations.

FireEye Mandiant Threat Intelligence documented more zero-days
exploited in 2019 than any of the previous three years. While not
every instance of zero-day exploitation can be attributed to a tracked
group, we noted that a wider range of tracked actors appear to have
gained access to these capabilities. Furthermore, we noted a
significant increase over time in the number of zero-days leveraged by
groups suspected to be customers of companies that supply offensive
cyber capabilities, as well as an increase in zero-days used against
targets in the Middle East, and/or by groups with suspected ties to
this region. Going forward, we are likely to see a greater variety of
actors using zero-days, especially as private vendors continue feeding
the demand for offensive cyber weapons.

Zero-Day Usage by Country and Group

Since late 2017, FireEye Mandiant Threat Intelligence noted a
significant increase in the number of zero-days leveraged by groups
that are known or suspected to be customers of private companies that
supply offensive cyber tools and services. Additionally, we observed
an increase in zero-days leveraged against targets in the Middle East,
and/or by groups with suspected ties to this region.

Examples include:

  • A group described by researchers as Stealth Falcon and FruityArmor
    is an espionage group that has reportedly targeted journalists and
    activists in the Middle East. In 2016, this group used malware sold
    by NSO group, which leveraged three iOS zero-days. From 2016 to
    2019, this group used more zero-days than any other group.
  • The activity dubbed SandCat in open sources, suspected to be linked
    to Uzbekistan state intelligence, has been observed using zero-days
    in operations against targets in the Middle East. This group may
    have acquired their zero-days by purchasing malware from private
    companies such as NSO group, as the zero-days used in SandCat
    operations were also used in Stealth Falcon operations, and it is
    unlikely that these distinct activity sets independently discovered
    the same three zero-days.
  • Throughout 2016 and 2017, activity referred to in open sources as
    BlackOasis, which also primarily targets entities in the Middle East
    and likely acquired at least one zero-day in the past from private
    company Gamma Group, demonstrated similarly frequent access to
    zero-day vulnerabilities.

We also noted examples of zero-day exploitation that have not been
attributed to tracked groups but that appear to have been leveraged in
tools provided by private offensive security companies, for instance:

  • In 2019, a zero-day exploit in WhatsApp (CVE-2019-3568) was
    reportedly used to distribute spyware developed by NSO group, an
    Israeli software company.
  • FireEye analyzed activity targeting a Russian healthcare
    organization that leveraged a 2018 Adobe Flash zero-day
    (CVE-2018-15982) that may be linked to leaked source code of
    Hacking Team.
  • Android zero-day vulnerability CVE-2019-2215 was reportedly being
    exploited in the wild in October 2019 by NSO Group.

Zero-Day Exploitation by Major Cyber Powers

We have continued to see exploitation of zero days by espionage
groups of major cyber powers.

  • According to researchers, the Chinese espionage group APT3
    exploited CVE-2019-0703 in targeted attacks in 2016.
  • FireEye observed North Korean group APT37 conduct a 2017 campaign
    that leveraged Adobe Flash vulnerability CVE-2018-4878. This group
    has also demonstrated an increased capacity to quickly exploit
    vulnerabilities shortly after they have been disclosed.
  • From December 2017 to January 2018, we observed multiple Chinese
    groups leveraging CVE-2018-0802 in a campaign targeting multiple
    industries throughout Europe, Russia, Southeast Asia, and Taiwan.
    At least three out of six samples were used before the patch for
    this vulnerability was
  • In 2017, Russian groups APT28 and Turla leveraged multiple
    zero-days in Microsoft Office.

In addition, we believe that some of the most dangerous state-sponsored
intrusion sets are increasingly demonstrating the ability to quickly
exploit vulnerabilities that have been made public. In multiple cases,
groups linked to these countries have been able to weaponize
vulnerabilities and incorporate them into their operations, aiming to
take advantage of the window between disclosure and patch application.

Zero-Day Use by Financially Motivated Actors

Financially motivated groups have and continue to leverage zero-days in
their operations, though with less frequency than espionage groups.

In May 2019, we reported that FIN6 used a Windows server 2019
use-after-free zero-day (CVE-2019-0859) in a targeted intrusion in
February 2019. Some evidence suggests that the group may have used the
exploit since August 2018. While open sources have suggested that the
group potentially acquired the zero-day from criminal underground actor
“BuggiCorp,” we have not identified direct evidence linking this actor
to this exploit’s development or sale.

We surmise that access to zero-day capabilities is becoming
increasingly commodified based on the proportion of zero-days
exploited in the wild by suspected customers of private companies.
Possible reasons for this include:

  • Private companies are likely creating and supplying a larger
    proportion of zero-days than they have in the past, resulting in a
    concentration of zero-day capabilities among highly resourced
  • Private companies may be increasingly providing offensive
    capabilities to groups with lower overall capability and/or groups
    with less concern for operational security, which makes it more
    likely that usage of zero-days will be observed.

It is likely that state groups will continue to support internal
exploit discovery and development; however, the availability of
zero-days through private companies may offer a more attractive option
than relying on domestic solutions or underground markets. As a
result, we expect that the number of adversaries demonstrating access
to these kinds of vulnerabilities will almost certainly increase and
will do so at a faster rate than the growth of their overall offensive
cyber capabilities—provided they have the ability and will to spend
the necessary funds.

Register today to hear FireEye Mandiant Threat Intelligence experts
discuss the latest in vulnerability threats, trends and recommendations
in our upcoming April 30 webinar.

Sourcing Note: Some vulnerabilities and zero-days were identified
based on FireEye research, Mandiant breach investigation findings,
and other technical collections. This paper also references
vulnerabilities and zero-days discussed in open sources including
Project Zero’s zero-day “In the Wild” Spreadsheet. While we believe
these sources are reliable as used in this paper, we do not vouch for
the complete findings of those sources. Due to the ongoing discovery
of past incidents, we expect that this research will remain dynamic.

By admin