Since May, VulnCheck has observed hackers on Twitter and GitHub pretending to be cybersecurity researchers from ‘High Sierra Cyber Security’ and publishing fake PoC exploits for zero-day flaws in software like Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange that infect Windows and Linux with malware.
Impersonators promote the GitHub repositories from Twitter and other social media accounts that appear legitimate, impersonating real security researchers from Rapid7 and other security firms, even using their real headshots.
In all cases, the malicious repositories host a Python script that acts as a malware downloader, fetching a ZIP archive from an external URL and dropping it onto the targeted researcher's computer.
While the success of this campaign is still unknown, VulnCheck notes that the threat actors are persistent, creating new accounts and repositories when the existing ones are reported and removed.
Avkash Kathiriya, SVP of Research and Innovation at Cyware, had this to say:
“Researchers, like the rest of us, need to take zero trust seriously. It’s worth repeating these security 101 tenets: Don’t download questionable files from GitHub. Don’t install any sample malware in a system that is not isolated. Don’t trust what you see on Twitter. If you spend all day researching threats and scam techniques, don’t be surprised when you become the target.”
This advice boils down to safe computing 101. Everyone needs to follow it to avoid getting pwned by a threat actor, and that includes defenders who are trying to get ahead of threat actors.
VulnCheck Report Says Exploited CVEs Up 20% In 2024
Posted in Commentary with tags VulnCheck on February 4, 2025 by itnerd

New data published by VulnCheck finds that a total of 768 CVEs were publicly reported as exploited in the wild in 2024, 20% higher than the record high of 2023 (639 CVEs). 23.6% of these vulnerabilities were zero days, down from 26.8% in 2023. Half of the CVEs were reported as exploited within 192 days of public disclosure in 2024. “Despite the buzz around zero-day exploitation, these findings indicate that exploitation can happen at any time in a vulnerability’s lifecycle,” the researchers noted.
Evan Dornbush:
I’m a huge fan of VulnCheck’s overall approach. Visibility into potential risk is critical for the modern C-suite. While, as Patrick’s blog post states, exploitation can happen at any time, patch management is essentially a solved problem with tools and services providing awareness and assistance. Two years in a row we see that a quarter of all exploits occur when only the attackers were aware of the vulnerability. As a community, we have to find ways to get that number lower. So long as attackers are the only or majority possessors of vulnerability data and exploit tools, they will maintain their advantage over the defenders.
Lawrence Pingree, VP at Dispersive, follows with this:
The primary reason for the shift to more zero days and an increase in vulnerabilities is fully expected as a nexus of trends in threat actor behavior, including:
I would spend some time reading this report, as it will guide you on what to focus on so that you can keep your environment as safe as possible.