Rise of zero-day exploits reshapes security recommendations

The shift to incident response

Rapid7 researchers tracked more than 60 vulnerabilities that saw widespread exploitation in 2023 and the beginning of this year. Of those, more than half were new flaws discovered during this period; of these new flaws, 53% were zero-days when initially found.

It’s worth noting that Rapid7 researchers consider a vulnerability to see mass or widespread exploitation when it is used in real-world attacks to target many organizations across different industry verticals and geolocations. The researchers note that they did not include zero-day flaws for which only a proof-of-concept exploit was published on the internet in their tracking.

They also didn’t count exploitation attempts against the thousands of honeypots put up by security companies around the world as actual attacks because doing so would skew the perception of how widespread a threat is, potentially distracting organizations from prioritizing where to direct their limited resources.

“Organizations should expect to conduct incident response investigations that look for indicators of compromise (IOCs) and post-exploitation activity during widespread threat events in addition to activating emergency patching protocols,” the researchers advised.

Shorter exploit cycles, more security strain

The number of zero-day exploits has exploded since 2021, and the threat actors using them are no longer limited to state-sponsored cyberespionage groups: cybercrime gangs pushing ransomware and cryptomining malware use them too. In 2020, n-day exploits outnumbered zero-days 3 to 1; by 2021, zero-days accounted for over half of widespread attacks, and the ratio has never returned to previous levels.

“Since 2021, Rapid7 researchers have tracked the time between when vulnerabilities become known to the public and when they are (reliably) reported as exploited in the wild,” the researchers said. “This window, which we call ‘Time to Known Exploitation,’ or TTKE, has narrowed considerably in the past three years, largely as a result of prevalent zero-day attacks.”
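To make the two measurements above concrete, here is an added example (not Rapid7's code or data) that classifies exploited vulnerabilities as zero-day or n-day and summarizes TTKE per disclosure year; the records, identifiers and field names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

@dataclass(frozen=True)
class ExploitedVuln:
    ident: str        # placeholder label, not a real CVE id
    disclosed: date   # date the flaw became publicly known
    exploited: date   # earliest reliable report of in-the-wild exploitation

def ttke_days(v: ExploitedVuln) -> int:
    """TTKE in days; negative when exploitation was reported before disclosure."""
    return (v.exploited - v.disclosed).days

def is_zero_day(v: ExploitedVuln) -> bool:
    """Zero-day: exploited in the wild on or before the disclosure date."""
    return ttke_days(v) <= 0

def summarize_by_year(vulns):
    """Per disclosure year: counts, zero-day share, median n-day TTKE (None if no n-days)."""
    years = {}
    for v in vulns:
        b = years.setdefault(v.disclosed.year, {"zero_day": 0, "n_day": 0, "ttke": []})
        if is_zero_day(v):
            b["zero_day"] += 1
        else:
            b["n_day"] += 1
            b["ttke"].append(ttke_days(v))
    summary = {}
    for year, b in sorted(years.items()):
        total = b["zero_day"] + b["n_day"]
        summary[year] = {
            "zero_day": b["zero_day"],
            "n_day": b["n_day"],
            "zero_day_share": b["zero_day"] / total,
            "median_nday_ttke": median(b["ttke"]) if b["ttke"] else None,
        }
    return summary

# Constructed sample records (placeholder ids), shaped like the trend the article describes
SAMPLE = [
    ExploitedVuln("VULN-A", date(2020, 2, 1), date(2020, 3, 2)),    # n-day, 30 days
    ExploitedVuln("VULN-B", date(2020, 5, 10), date(2020, 5, 24)),  # n-day, 14 days
    ExploitedVuln("VULN-C", date(2020, 8, 1), date(2020, 9, 30)),   # n-day, 60 days
    ExploitedVuln("VULN-D", date(2020, 11, 7), date(2020, 10, 31)), # zero-day, -7 days
    ExploitedVuln("VULN-E", date(2021, 1, 12), date(2021, 1, 12)),  # zero-day, 0 days
    ExploitedVuln("VULN-F", date(2021, 4, 3), date(2021, 3, 31)),   # zero-day, -3 days
    ExploitedVuln("VULN-H", date(2021, 9, 1), date(2021, 9, 6)),    # n-day, 5 days
]
```

Feeding a real feed of disclosure and first-exploitation dates into `summarize_by_year` gives the zero-day share and the shrinking n-day window per year, which is the signal that drives the "patch and investigate" advice above.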
