Defenders have less time than ever to patch their systems and prepare for exploits against software vulnerabilities.
Research from security vendor Rapid7, which examined attacks on 50 of the most notable vulnerabilities over the 2021 calendar year, found that compared to 2020, the average time between a vulnerability's public release to its first known exploitation dropped by 71%. The list of 50 vulnerabilities included notorious threats such as the ProxyLogon flaws in Microsoft Exchange Server and the recent Log4Shell bug.
On average, the Rapid7 team found, it took attackers roughly 12 days to turn a vulnerability disclosure into a working exploit. By comparison, the 2020 calendar year saw a turnaround of 42 days on average.
Zero-days the deciding factor
According to the Rapid7 2021 Vulnerability Intelligence Report, this meteoric drop in "time to known exploitation," or TTKE, isn't necessarily because attackers are getting better at turning around vulnerability disclosures into working exploits. Rather, the researchers found that more cybercriminals were using zero-day exploits.
The research found that 43 of the 50 vulnerabilities were exploited in the wild, and 50% of the exploits they analyzed were the result of previously undisclosed flaws. Additionally, 58% of the bugs were turned into exploits less than two weeks from their public disclosure.
"The rise in widespread zero-day attacks in 2021 was the main driver of reduced time to exploitation; shorter TTKE has also meant that organizations' incident response and emergency patch procedures were put to the test, and any security or IT team who didn't have these protocols in place was at a considerable disadvantage," the report said.
By comparison, 2020 saw around 30% of bugs exploited within one week, and 32% were turned into exploits in under two weeks.
Caitlin Condon, vulnerability research manager at Rapid7 and co-author of the report, said that the sharp rise in zero-day attacks is particularly concerning as it means administrators are more likely than ever to be served with exploits and attacks with no warning.
"Arguably more alarming than the decrease in time to known exploitation by itself is the fact that more than half of the vulnerabilities in our widespread threat category began with a zero-day exploit," Condon told SearchSecurity. "That's a major change from the previous year, where only one of the vulnerabilities in our widespread threat category arose from a zero-day exploit."
The decrease in exploit time was one of multiple findings from the report that should concern network defenders. In addition to the lower exploit time, the team noticed that code injection attacks, ransomware heists and attacks on open source libraries as part of supply chain attacks were all on the rise over the calendar year.
In addition, the rise in attacks came as many companies were operating with fewer staff than previous years.
"The threat landscape in 2021 brought historical security lessons to bear in novel, pressing ways even as the lingering pall of the COVID-19 pandemic drove staffing and budget constraints across organizations of all sizes," Rapid7 said in its report.
"A rise in attack complexity as well as severity further compounded the challenges security teams faced in 2021."