Recent disclosures from Microsoft highlight a worrying trend: nation-state and criminal actors are increasingly capitalizing on publicly disclosed zero-day vulnerabilities to infiltrate targeted environments. In its 114-page Digital Defense Report, Microsoft observes that the lag between the public announcement of a vulnerability and its exploitation in the wild has shrunk alarmingly, underscoring the need for organizations to patch newly disclosed vulnerabilities promptly rather than on a routine maintenance cycle.

This observation aligns with an advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in April 2022, which found that malicious actors are aggressively exploiting newly disclosed software flaws against a broad range of targets around the globe.

Microsoft's findings indicate that, on average, only 14 days pass between the public disclosure of a vulnerability and the availability of a working exploit. Zero-day exploitation usually begins as narrowly targeted activity, but once a flaw is public the exploit is quickly picked up by other threat actors, who probe indiscriminately for unpatched systems before defenders have applied fixes. The report also singles out Chinese state-sponsored groups as particularly adept at discovering and developing zero-day exploits.

This trend is further complicated by regulations from the Cyberspace Administration of China (CAC), which mandate that security flaws be reported to the government before they are disclosed to the affected product developers. Microsoft warns that such rules could allow government-aligned entities to stockpile and weaponize these vulnerabilities, increasing the use of zero-days for espionage aimed at bolstering China's economic and military position.

Notable vulnerabilities first exploited by Chinese state-sponsored actors before being adopted by other adversarial groups include CVE-2021-35211, a remote code execution flaw in SolarWinds Serv-U, and CVE-2021-40539, an authentication bypass in Zoho's ManageEngine ADSelfService Plus. Both carry critical CVSS scores, reflecting the damage they can cause when left unpatched.

The findings coincide with a recent CISA advisory listing vulnerabilities exploited by China-based actors since 2020 to steal intellectual property and gain access to sensitive networks. Microsoft emphasizes that zero-day vulnerabilities are a highly effective vector for initial access, and that once publicly disclosed they are rapidly repurposed by both nation-state and criminal actors, posing a significant risk to organizations worldwide.
