These attacks, called zero days, are typically pulled off by extremely sophisticated hackers such as those employed by government intelligence agencies and top-end private companies like the controversial spyware vendor NSO Group. They’re more likely to give hackers long-lasting access to the technology they exploit and the ability to do far more damage.
Ideally, such hacks would take so much time, effort and expertise that only the cream of the crop could find and use them. But that’s rarely the case, Google found. The report underscores the way cyberattackers continue to have an advantage over defenders — even at the very top of the hacking food chain.
- “It’s not as hard as it should be,” Maddie Stone, the Google researcher who developed the report, told me. “These should take so much effort to develop and cost so much money that they require years and years to develop, and that’s not what we’re seeing.”
The annual report looks at cyberattacks conducted using “zero day” vulnerabilities. This is when highly sophisticated hackers are able to discover a vulnerability – and exploit it – before the developers are aware of the vulnerability (so they've had zero days to patch against it).
The report focuses specifically on zero days that researchers believe nefarious hackers have exploited rather than those that were merely discovered by the good guys. Because the zero day hacks are so comparatively easy to develop, hackers aren't as fearful of researchers discovering and protecting against them — so they use them more freely and cause more damage.
- Out of 58 exploited zero days that Google identified last year, all but two of them were comparatively easy to develop — they were essentially based on well-known security gaps in products that hackers frequently exploit.
- “With two exceptions … everything we saw was pretty ‘meh’ or standard,” the report states.
- The two totally novel zero days were both exploited with tools developed by NSO, which has drawn international condemnation because government clients used its tools to target journalists, dissidents and political opponents.
To be clear: Zero day hacks remain exceedingly rare compared with run-of-the-mill hacks, which use vulnerabilities that people and organizations know about but simply haven’t updated their technology to guard against.
But they get outsize attention from cyberthreat researchers and media because they’re used against some of the most high-profile targets.
“My mom and dad don’t need to worry about being attacked with zero days, but when politicians, journalists and human rights activists are targeted, that affects us in a very large way,” Stone told me. “We need to care about them because of the societal impact.”
No one's sure quite how bad the zero day problem is.
Researchers simply don't know about the zero day bugs that they haven't discovered yet. And the people who do know about them — nefarious hackers — aren't sharing information.
Stone estimated that the 58 zero days highlighted in this year’s Project Zero report represents less than 20 percent of the total number of zero days that were exploited in 2021, with the rest going undetected.
“I’d probably hedge closer to 10 percent,” she said. “There’s a huge number of zero days that no one is detecting.”
There were more exploited zero days detected last year than in any previous year — more than double the previous record of 28 exploited zero days detected in 2015.
But that probably is because more zero days are getting discovered and reported rather than that there are more being exploited, the report states.
More details from Project Zero via Recorded Future’s Allan Liska:
Great report from @maddiestone & the team at Project Zero, which confirms research @RecordedFuture has been reporting, the number of reported 0-Days increased dramatically in 2021. Maddie & team have unique insight, that make this a must read. https://t.co/gZfgBtaO2d pic.twitter.com/VaxGAAnjnG— Allan “Ransomware Sommelier🍷” Liska (@uuallan) April 19, 2022
One big difference in the number of zero day reports came from tech platforms that began specifying whether the previously undisclosed bugs they highlighted had been exploited by hackers or not. Such reports accounted for 12 of the 58 zero days reported — seven from Apple products and five from Google’s Android division.
And yet: It's likely that many software vendors are aware of zero days that have been exploited on their platforms that they haven't publicly disclosed. One policy change Project Zero is calling for is a pledge from vendors to publicly disclose such bugs.
European lawmakers launched a committee to investigate Pegasus and other spyware
Members of the European Parliament’s committee of inquiry want to investigate NSO CEO Shalev Hulio and national governments that have used the company’s Pegasus spyware, EUobserver’s Nikolaj Nielsen reports. The committee is looking into whether those government’s use of the spyware broke European laws or violated citizens’ rights.
The committee's investigation could have major consequences for NSO because its tools are used across Europe. “Almost all governments in Europe are using our tools,” Hulio recently told the New Yorker. At least three E.U. member states have admitted to using Pegasus.
The committee began working hours after researchers revealed that dozens of politicians and activists from Spain’s autonomous northeastern Catalonia region were targeted with Pegasus. Even Catalan members of the European Parliament were targeted, Citizen Lab said, noting it suspected that Spain was behind the hacks.
Catalan politicians plan to fight back:
- They plan to launch an international legal offensive to put pressure on NSO and the Spanish government, El Pais reported.
- The targeting could also give a push to a long-running investigation into Pegasus by a Barcelona judge, the outlet reported.
- Catalonia President Pere Aragonès, who was hacked with Pegasus before he took office, said he would ask police to investigate. “Normal political relations [with Spain’s government] cannot be restored until they take responsibility,” he said, according to Reuters. Spain has denied illegally using Pegasus, but officials didn’t say if authorities had access to Pegasus or if a court authorized spying with the tool.
They won’t get investigations from the European Union's executive branch, EUobserver reported. The European Commission won’t separately investigate Pegasus misuse by European countries, a spokesperson for the commission told reporters. It’s “really something for the national authorities,” the spokesperson said.
A former eBay executive to plead guilty to cyberstalking
Former eBay security director Jim Baugh plans to admit that he ran a bizarre 2019 cyberstalking campaign that targeted a couple critical of the e-commerce company, Bloomberg News’s Janelle Lawrence reports.
The plea comes after five other former employees have admitted to taking part in the campaign to intimidate bloggers Ina and David Steiner. Another ex-executive, former global resiliency director David Harville, is set to go on trial next month.
The couple drew the ire of top eBay executives after they wrote about litigation involving the company, the Justice Department said.
The harassments was intense: “At Baugh’s direction, the couple received anonymous deliveries including a preserved fetal pig, a bloody pig mask, a funeral wreath and a book on surviving the loss of a spouse,” Lawrence writes. “Baugh also secretly visited the couple’s suburban home with plans to install a GPS tracking device on their car, according to federal prosecutors.”
Putin’s crackdown ended Russian tech firms’ global ambitions
In the years leading up to Russia’s invasion of Ukraine, the Kremlin imposed an onslaught of laws, regulations and back-channel demands on major Russian tech companies, Joseph Menn reports. As a result, Russian anti-virus giant Kaspersky Lab, social network VKontakte and search engine Yandex have been reduced to shadows of what they could have been.
“This has been a total disaster for the Russian economy, and the tech industry was adding a lot of value,” said Esther Dyson, an early American investor in Yandex who left its board shortly after Russia invaded Ukraine. “Even before they started waging war on Ukraine, they were waging war on the truth.”
Securing the ballot
- The Joint Service Academy Cybersecurity Summit kicks off at 10:30 a.m. today.
- Acting Deputy Assistant Secretary of State for International Cyberspace Security Michele Markoff speaks at an event hosted by American University’s Washington College of Law’s Tech, Law and Security Program today at 3 p.m.
- The Cyber Threat Alliance and Radware host an event on cyberthreats and trends on Thursday at 11 a.m.
- The Atlantic Council hosts an event on recently discovered malware targeting industrial control systems on Friday at 9:30 a.m.
Secure log off
Thanks for reading. See you tomorrow.