One of the critical strategic and tactical roles that cyber threat
intelligence (CTI) plays is in the tracking, analysis, and
prioritization of software vulnerabilities that could potentially
put an organization’s data, employees and customers at risk. In this
four-part blog series, FireEye
Mandiant Threat Intelligence highlights the value of CTI in
enabling vulnerability management, and unveils new research into the
latest threats, trends and recommendations.
FireEye Mandiant Threat Intelligence documented more zero-days
exploited in 2019 than any of the previous three years. While not
every instance of zero-day exploitation can be attributed to a tracked
group, we noted that a wider range of tracked actors appear to have
gained access to these capabilities. Furthermore, we noted a
significant increase over time in the number of zero-days leveraged by
groups suspected to be customers of companies that supply offensive
cyber capabilities, as well as an increase in zero-days used against
targets in the Middle East, and/or by groups with suspected ties to
this region. Going forward, we are likely to see a greater variety of
actors using zero-days, especially as private vendors continue feeding
the demand for offensive cyber weapons.
Zero-Day Usage by Country and Group
Since late 2017, FireEye Mandiant Threat Intelligence noted a
significant increase in the number of zero-days leveraged by groups
that are known or suspected to be customers of private companies that
supply offensive cyber tools and services. Additionally, we observed
an increase in zero-days leveraged against targets in the Middle East,
and/or by groups with suspected ties to this region.
- A group described by researchers as Stealth
Falcon and FruityArmor is
an espionage group that has reportedly targeted
journalists and activists in the Middle East. In 2016, this
group used malware sold by NSO group, which leveraged three iOS
zero-days. From 2016 to 2019, this group used more zero-days than
any other group.
- The activity dubbed SandCat in open
sources, suspected to be linked to Uzbekistan
state intelligence, has been observed using zero-days in
operations against targets in the Middle East. This group may have
acquired their zero-days by purchasing malware from private
companies such as NSO group, as the zero-days used in SandCat
operations were also used in Stealth Falcon operations, and it is
unlikely that these distinct activity sets independently discovered
the same three zero-days.
- Throughout 2016 and 2017,
activity referred to in open sources as BlackOasis,
which also primarily targets entities in the Middle East and likely
acquired at least one zero-day in the past from private
company Gamma Group, demonstrated similarly frequent access to
We also noted examples of zero-day exploitation that have not been
attributed to tracked groups but that appear to have been leveraged in
tools provided by private offensive security companies, for instance:
- In 2019, a zero-day exploit in WhatsApp (CVE-2019-3568) was reportedly
used to distribute spyware developed by NSO group, an Israeli
- FireEye analyzed activity targeting a
Russian healthcare organization that leveraged a 2018 Adobe Flash
zero-day (CVE-2018-15982) that may be linked to leaked source code
of Hacking Team.
- Android zero-day vulnerability
CVE-2019-2215 was reportedly
being exploited in the wild in October 2019 by NSO Group
Zero-Day Exploitation by Major Cyber Powers
We have continued to see exploitation of zero days by espionage
groups of major cyber powers.
- According to researchers, the Chinese espionage group APT3
exploited CVE-2019-0703 in targeted
attacks in 2016.
- FireEye observed North Korean group
APT37 conduct a 2017 campaign that leveraged Adobe Flash
vulnerability CVE-2018-4878. This group has also demonstrated an
increased capacity to quickly exploit vulnerabilities shortly after
they have been disclosed.
- From December 2017 to January
2018, we observed multiple Chinese groups leveraging CVE-2018-0802
in a campaign targeting multiple industries throughout Europe,
Russia, Southeast Asia, and Taiwan. At least three out of six
samples were used before the patch for this vulnerability was
- In 2017, Russian groups APT28
and Turla leveraged multiple zero-days in Microsoft Office
In addition, we believe that some of the most dangerous state
sponsored intrusion sets are increasingly demonstrating the ability to
quickly exploit vulnerabilities that have been made public. In
multiple cases, groups linked to these countries have been able to
weaponize vulnerabilities and incorporate them into their operations,
aiming to take advantage of the window between disclosure and patch application.
Zero-Day Use by Financially Motivated Actors
Financially motivated groups have and continue to leverage
zero-days in their operations, though with less frequency than
In May 2019, we reported that FIN6 used a Windows server 2019
use-after-free zero-day (CVE-2019-0859) in a targeted intrusion in
February 2019. Some evidence suggests that the group may have used the
exploit since August 2018. While open sources have suggested that the
group potentially acquired the zero-day from criminal underground
we have not identified direct evidence linking this actor to this
exploit’s development or sale.
We surmise that access to zero-day capabilities is becoming
increasingly commodified based on the proportion of zero-days
exploited in the wild by suspected customers of private companies.
Possible reasons for this include:
- Private companies are likely creating and supplying a larger
proportion of zero-days than they have in the past, resulting in a
concentration of zero-day capabilities among highly resourced
- Private companies may be increasingly providing
offensive capabilities to groups with lower overall capability
and/or groups with less concern for operational security, which
makes it more likely that usage of zero-days will be observed.
It is likely that state groups will continue to support internal
exploit discovery and development; however, the availability of
zero-days through private companies may offer a more attractive option
than relying on domestic solutions or underground markets. As a
result, we expect that the number of adversaries demonstrating access
to these kinds of vulnerabilities will almost certainly increase and
will do so at a faster rate than the growth of their overall offensive
cyber capabilities—provided they have the ability and will to spend
the necessary funds.
Register today to hear FireEye Mandiant Threat Intelligence experts
discuss the latest in vulnerability
threats, trends and recommendations in our upcoming April 30 webinar.
Sourcing Note: Some vulnerabilities and zero-days were identified
based on FireEye research, Mandiant breach investigation findings,
and other technical collections. This paper also references
vulnerabilities and zero-days discussed in open sources including
Project Zero’s zero-day “In the Wild” Spreadsheet
. While we believe these sources are reliable as used in this
paper, we do not vouch for the complete findings of those sources.
Due to the ongoing discovery of past incidents, we expect that this
research will remain dynamic.