Surge in exploits of zero-day vulnerabilities is ‘new normal’ warns Five Eyes alliance

The cybersecurity agencies of the Five Eyes intelligence alliance (the U.S., U.K., Australia, Canada and New Zealand) issued a warning on Tuesday that hackers were increasingly exploiting zero-day vulnerabilities to access their targets’ networks.

It marks a significant departure from similar advisories issued in 2022 and 2021, when the agencies warned that malicious cyber actors were exploiting older software vulnerabilities more frequently than recently disclosed ones.

In a co-authored advisory, the agencies list the top 15 most routinely exploited vulnerabilities of 2023, with CVE-2023-3519 — an issue affecting Citrix’s networking product NetScalers — being the most widely used.

Reports around the time the NetScalers bug was patched warned that an adversary, which Mandiant believed may have a China nexus, used the flaw to compromise thousands of devices in an automated fashion, placing webshells on them to gain persistent access.

Other widely exploited vulnerabilities included a critical vulnerability affecting Cisco routers, another in Fortinet VPN equipment and one affecting the MOVEit file transfer tool that was widely exploited by the Clop ransomware gang.

The advisory notes that, for the first time since the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and partners began sharing this annual list, the majority of the vulnerabilities on it were initially exploited as zero-days.

Although the advisory only covers last year, the trend of zero-day exploitation has continued into 2024 according to Britain’s National Cyber Security Centre (NCSC), marking “a shift from 2022 when less than half of the top list was initially exploited as zero-day vulnerabilities.”

Ollie Whitehouse, the NCSC’s chief technology officer, warned: “More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks.

“To reduce the risk of compromise, it is vital all organizations stay on the front foot by applying patches promptly and insisting upon secure-by-design products in the technology marketplace,” said Whitehouse.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

 
