Updated Sep 5, 2023 - Technology

Why cybersecurity's software vulnerability crisis is year-round now

Illustration: Sarah Grillo/Axios

A wave of newly discovered critical software vulnerabilities has been keeping cybersecurity teams working overtime this summer.

Why it matters: These security flaws, known as "zero days," need to be patched as soon as they're made public.

  • And in many cases, hackers have already exploited these flaws before they were discovered to steal data or roam a network without detection.

The big picture: The number of zero days discovered this summer has prompted some security experts to cheekily dub this period "hot zero-day summer."

  • But this phenomenon goes beyond summer: The number of zero-day vulnerabilities this year has already surpassed last year's totals, experts told Axios — leaving companies wide open for potential intrusions.

What they're saying: "What I think is different about this summer is that they're more impactful," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told Axios.

  • "In years past, you might have had a zero day that hit one organization or hit a very specific industry, for example," he added. "This summer it seems to be much more widespread."

By the numbers: Companies and researchers have uncovered 57 zero-day vulnerabilities so far in 2023, according to Trend Micro's data.

  • That's surpassed the 52 total detected in 2022.

State of play: Zero days have hit a wide range of appliances and online tools this summer, including a popular enterprise file-transfer tool, products that monitor network traffic, email security programs and even a printer management tool.

Threat level: Zero days are far less common than phishing scams or business email compromise, where an attacker pretends to be a close business contact to convince the target to send them money.

  • But if exploited, zero-day vulnerabilities can cause damage beyond financial theft.
  • For example, more than 1,000 organizations have faced a data breach so far this year related to a zero-day vulnerability in the MOVEit file-transfer program.

Between the lines: Traditionally, only nation-state hacking teams would use sophisticated zero days to break into companies as part of their espionage campaigns.

  • Now, more cybercriminals are starting to catch on to the allure of zero days — in part because they've become easier to access on the cybercriminal underground, Childs said.

Zoom out: China-backed hacking groups are also leaning more on zero days in their attacks, Sandra Joyce, executive vice president and head of global intelligence at Google Cloud's Mandiant, told Axios.

  • One such group relied on a reported zero-day vulnerability in one of Barracuda Networks' email security tools to target U.S. and foreign government entities, as well as other tech providers, according to recent Mandiant research.
  • Nation-states have long bought zero-day vulnerabilities and exploits from hackers for espionage operations against their adversaries.
  • But some nations have become reckless with their zero-day hacks and espionage operations, Joyce said.
  • "When you're targeting wide swaths of companies and you're exposing them to these vulnerabilities, that's reckless," she said. "You're exposing companies to more vulnerabilities, and sooner or later, that's not good for any of us."

Yes, but: The rise in zero days is also partly because defenders are getting better at identifying them — which could be spurring the increase in recorded numbers, John Hammond, senior security researcher at Huntress, told Axios.

  • "At least [now] we're tracking it and have our finger on the pulse," he said.

Be smart: The best thing organizations can do is develop a stronger, faster system for patching their networks whenever a zero day is publicly unveiled, Childs said.

  • "Don't tremble in your bed at night; come out of your closet, it's fine," Childs said. "Just patch, update, do reasonable things, and you should be OK."
