Negative-day vulnerabilities are now routine
It's a long established trend that attackers are getting much faster to exploit newly published vulnerabilities: according to Rapid7 Vulnerability Intelligence Report for 2021, the average time to exploitation is steadily decreasing, from 42 days in 2020 down to just 12 days in 2021.
This reduction of "time to known exploitation" or TTKE is mirrored by an increased effort by vendors to reduce their overall time to fix known bugs, as reported by Google Project Zero here.
Nevertheless, three recent incidents show that even timely patching is not enough, as threat actors seem to be far ahead of zero-day researchers, responsible disclosure timelines and vendor patching efforts: vulnerabilities weaponized before being disclosed or patched seem to be getting more frequent.
Microsoft Exchange ProxyNotShell
Take Microsoft Exchange and the actively exploited zero-days known as ProxyNotShell (CVE-2022-41040 and CVE-2022-41082). These bugs were published on Sep 30th, 2022 and were already actively exploited in the wild at the time of disclosure. Vietnamese cybersecurity firm GTSC initially reported the vulnerabilities through Trend Micro’s Zero Day Initiative (ZDI) but, seeing more evidence of exploitation against other targets, decided to publish information about the flaws along with indicators of compromise and mitigation guidance to help organizations defend against attacks. According to GTSC, its Security Operations Center team discovered the exploitation in August 2022 during its "security monitoring & incident response services."
In late September it seems the vulnerabilities were being massively exploited by ransomware operators seeking access to victims' networks. By late November, the attackers perfected the exploits so that even mitigations suggested by Microsoft could not thwart the attacks. It came as no surprise that on Dec 2nd, 2022 Rackspace hosted Exchange suffered a catastrophic outage that left their customers permanently without email access (recovery still ongoing as of January). The culprit: a ransomware operator leveraging the ProxyNotShell exploits.
Fortinet authentication bypass
Another example is Fortinet's authentication bypass vulnerability in Fortinet FortiOS, FortiProxy and FortiSwitch Manager (CVE-2022-40684), essentially allowing an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
This bug was disclosed on Oct 6th, 2022 by Fortinet, and on the same date the Cybersecurity & Infrastructure Agency (CISA) was notified as well. CISA proceeded to add the vulnerability to its Known exploited vulnerabilities catalog on Oct 11th, indicating that the addition was based on Fortinet's knowledge about ongoing exploitation. The same is confirmed by other vendor's telemetry from NGFW devices: CVE-2022-40684 was widely exploited from October and onwards.
Fortinet SSL-VPN vulnerability
A much more serious issue occurred with Fortinet's SSL-VPN (CVE-2022-42475) vulnerability, disclosed by the vendor on Dec 12th, 2022, again at a time when it was apparently already exploited in the wild, particularly against governmental or government-related targets. This appears to be essentially a highly targeted attack against Fortinet flagship product, performed by a threat actor with highly specialized and deep understanding of FortiOS and the underlying hardware.
After obtaining remote access by exploiting the vulnerability, the attackers seem to use custom implants (replacing default FortiOS libraries) to gain advanced capabilities, such as log rewriting in order to stay hidden within the network.
The common theme here is: publicly exposed service. Whenever there is an internet facing server or daemon, say, RDP, HTTPS, Exchange, SSL VPN or other typical access points, attackers will want to discover and weaponize vulnerabilities as quickly as possible.
These three recent examples show that malicious actors are highly motivated and are in fact getting ahead of threat researchers and vendors' efforts: when patches are released, it's often already too late.