How quickly do hackers exploit vulnerabilities? The answer may disturb you


Google’s Mandiant has sounded the alarm about how quickly cybercriminals start exploiting vulnerabilities. In 70% of cases, the bug is a zero-day, exploited before a patch exists. For the remainder, cybercriminals create working exploits in just five days on average, meaning a large chunk of them are exploited on the very day they are disclosed.

Hackers are working faster than ever, and that puts heavy pressure on network defenders.

Mandiant researchers analyzed 138 vulnerabilities disclosed in 2023. How quickly were they exploited in the wild?


“The majority (97) of these vulnerabilities were exploited as zero-days,” the report reads.

That means attackers found and used them before any patch was available.

Forty-one vulnerabilities were exploited as n-days, meaning that exploits appeared after patches were available. In 2023, malicious actors demonstrated breakneck speed to weaponize them.

Time-to-exploit, the average time between a vulnerability’s disclosure and its first known exploitation, has shrunk to five days from 32 days in 2022.

Attackers used 12% of n-day vulnerabilities within a day, 29% within a week, and 56% within a month.

“Patching prioritization is increasingly difficult as n-days are exploited more quickly and in a greater variety of products,” the Mandiant researchers said.

“Just five to six years ago, we observed an average time-to-exploit of 63 days.”


Surprisingly, the existence of a public exploit doesn't always mean faster real-world attacks. For vulnerabilities whose public exploits appeared before their first known exploitation, the median time from disclosure to exploitation was 43 days. For bugs whose exploits were developed only after the first exploitation, the median time from disclosure to exploitation was 23 days.
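The article reports time-to-exploit as an average, the share of n-days exploited within a day, a week and a month, and medians split by whether a public exploit preceded the first in-the-wild exploitation. The script below is an added example, not code from Mandiant or the article: it computes those same statistics over a constructed set of records with placeholder identifiers (no real CVE ids), so a defender can apply the same measurement to their own vulnerability data. The definitions are assumptions stated in the comments: a zero-day is a bug exploited strictly before its patch date, and the public-exploit grouping is computed over n-days only.

```python
"""Time-to-exploit statistics over a constructed set of vulnerability records.

Added example; the records below are constructed sample data with placeholder
identifiers, and the metric definitions are assumptions stated in the comments.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                            # constructed placeholder, not a real CVE id
    patched: date                           # date a fix / public disclosure became available
    first_exploited: date                   # first known in-the-wild exploitation
    public_exploit: Optional[date] = None   # date a public PoC appeared, if any


def time_to_exploit_days(v: VulnRecord) -> int:
    """Days from patch availability to first known exploitation (negative means zero-day)."""
    return (v.first_exploited - v.patched).days


def is_zero_day(v: VulnRecord) -> bool:
    """Assumption: exploited strictly before a fix existed; same-day is an n-day with TTE 0."""
    return time_to_exploit_days(v) < 0


def summarize(records: List[VulnRecord]) -> Dict[str, float]:
    """Zero-day share plus average, median and cumulative buckets for n-day time-to-exploit."""
    zero_days = [v for v in records if is_zero_day(v)]
    n_days = [v for v in records if not is_zero_day(v)]
    ttes = [time_to_exploit_days(v) for v in n_days]

    def share_within(days: int) -> float:
        # cumulative share of n-days exploited within `days` of the patch date
        return sum(1 for t in ttes if t <= days) / len(ttes) if ttes else 0.0

    return {
        "total": len(records),
        "zero_day_count": len(zero_days),
        "zero_day_share": len(zero_days) / len(records) if records else 0.0,
        "n_day_count": len(n_days),
        "avg_tte_days": mean(ttes) if ttes else 0.0,
        "median_tte_days": median(ttes) if ttes else 0.0,
        "within_1_day": share_within(1),
        "within_7_days": share_within(7),
        "within_30_days": share_within(30),
    }


def median_tte_by_poc_timing(records: List[VulnRecord]) -> Dict[str, Optional[float]]:
    """Median n-day time-to-exploit grouped by when (or whether) a public PoC appeared.

    Assumption: only n-days are grouped, since a zero-day has no measurable
    patch-to-exploitation interval.
    """
    groups: Dict[str, List[int]] = {
        "poc_before_exploitation": [],
        "poc_after_exploitation": [],
        "no_public_poc": [],
    }
    for v in records:
        if is_zero_day(v):
            continue
        if v.public_exploit is None:
            groups["no_public_poc"].append(time_to_exploit_days(v))
        elif v.public_exploit <= v.first_exploited:
            groups["poc_before_exploitation"].append(time_to_exploit_days(v))
        else:
            groups["poc_after_exploitation"].append(time_to_exploit_days(v))
    return {name: (median(vals) if vals else None) for name, vals in groups.items()}


# Constructed sample data (placeholder ids and dates, not real vulnerabilities).
SAMPLE_RECORDS = [
    VulnRecord("VULN-0001", date(2023, 1, 10), date(2023, 1, 3)),                     # zero-day
    VulnRecord("VULN-0002", date(2023, 2, 1), date(2023, 1, 20), date(2023, 2, 5)),   # zero-day
    VulnRecord("VULN-0003", date(2023, 3, 1), date(2023, 3, 1), date(2023, 3, 3)),    # n-day, TTE 0
    VulnRecord("VULN-0004", date(2023, 4, 1), date(2023, 4, 5), date(2023, 4, 2)),    # n-day, TTE 4
    VulnRecord("VULN-0005", date(2023, 5, 1), date(2023, 5, 21), date(2023, 5, 30)),  # n-day, TTE 20
    VulnRecord("VULN-0006", date(2023, 6, 1), date(2023, 7, 16), date(2023, 6, 10)),  # n-day, TTE 45
    VulnRecord("VULN-0007", date(2023, 7, 1), date(2023, 6, 25)),                     # zero-day
    VulnRecord("VULN-0008", date(2023, 8, 1), date(2023, 8, 11)),                     # n-day, TTE 10
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key:>18}: {value}")
    for key, value in median_tte_by_poc_timing(SAMPLE_RECORDS).items():
        print(f"{key:>24}: {value}")
```

Feeding real records in requires the same three dates per bug; the "first exploited" date is the weak point, as the article notes that first-exploitation dates are often reported late or vaguely, so results computed this way are conservative estimates in the same sense Mandiant describes.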

Attackers, it seems, weigh a vulnerability’s exploitation value against its difficulty. Widely reported vulnerabilities with known proofs of concept often go unexploited by malicious threat actors.

The data confirms that cybercriminals increasingly rely on zero-days, at a ratio of roughly 70:30 zero-days to n-days. In previous years the split was closer to 60:40. This signals an increase in discovered zero-day vulnerabilities rather than a drop in n-day usage.

Mandiant says its numbers are “conservative estimates,” as they rely on the first reported exploitation of a bug. In reality, reports lag, and first exploitation dates are frequently not disclosed publicly or are given only as vague timeframes. Threat actors likely exploit vulnerabilities that are never discovered at all.

Microsoft, Apple, and Google remain the top targets, but attackers are branching out. In 2023, 56 vendors were affected, compared with 44 in 2022. Most vendors only had one vulnerability exploited.

Mandiant warns that delaying security updates and exposing insufficiently protected attack surfaces heightens the chance of successful attacks. The researchers expect exploitation timelines to keep shrinking while affecting a wider span of targets.