Be Jolly, But Watch Out For Zero and N-day Follies!

OVERVIEW

Season’s greetings! While this is the season for goodwill, it would seem that cybercriminals also have good reason to be jolly. In 2023, cybercriminals continued to feast on vulnerabilities which led to zero-day exploits (attacks exploiting a previously unknown vulnerability before any available remediation) and N-day attacks (a compromise achieved through exploiting a vulnerability, despite a patch being available). This issue of CyberSense reflects on the growing challenge of zero-day exploits and N-day attacks, and what we can do to manage the threat.

ZERO-DAY VULNERABILITIES ACTIVELY EXPLOITED FOR CYBER-ATTACKS

In 2023, there was a bevy of vulnerabilities that were exploited by threat actors. In particular, the number of cyber-attacks stemming from zero-day exploits surged in 2023, with about 70 zero-day exploits disclosed between January and September 2023, a 40% increase over the whole of 2022 (see Figure 1 for the number of zero-day exploits disclosed since 2014).

Figure 1: Number of zero-day exploits disclosed since 2014. [Source: Figures merged from Mandiant Blog and Infosecurity Magazine]

Among threat actors, cybercriminal groups were foremost in exploiting zero-day vulnerabilities in 2023. In the first half of the year, the Cl0p ransomware group conducted two high-profile cyber-attacks exploiting zero-day vulnerabilities in file transfer systems.[1] In February 2023, Cl0p announced that it had exfiltrated user data from organisations using Fortra’s GoAnywhere Managed File Transfer (MFT) system. The group allegedly exploited a zero-day vulnerability to breach GoAnywhere and, subsequently, its users, affecting some 130 organisations worldwide. The second attack took place in May 2023, when Cl0p exploited another zero-day vulnerability to breach Progress Software’s MOVEit secure file transfer system. The impact here was much greater, with more than 2,500 organisations falling victim. In both attacks, government agencies, along with some of the largest organisations in the world – from industries including finance, healthcare, and education – were impacted, with data belonging to over 66 million individuals stolen. Although the file transfer companies released patches relatively swiftly, many organisations were subsequently compromised through the same vulnerabilities, in what are known as N-day attacks.

WHEN ZERO-DAY EXPLOITS BECOME N-DAY ATTACKS

While zero-days grab the headlines, N-day attacks are an equally serious problem. In Cl0p’s “GoAnywhere” cyber-attack in February 2023, cybersecurity analysts noted another 60 organisations falling victim to the same vulnerability in March 2023, despite a patch being made available weeks earlier.

Such attacks also dominated during the second half of the year. While threat actors were observed to have been exploiting the “Citrix Bleed” zero-day vulnerability affecting Citrix NetScaler application delivery controllers (ADC) and Gateway appliances since August 2023, the number of reported attacks increased after the vulnerability and patch were disclosed by Citrix in early October 2023. Government entities, technology corporations, professional services, and healthcare companies were reportedly targeted by the LockBit and Medusa ransomware groups via the vulnerability in late October and November 2023. Many large corporations such as Boeing, Allen & Overy, ICBC, DP World, and Toyota Financial Services were reportedly impacted in this spate of ransomware attacks.

THE PROBLEM OF N-DAY ATTACKS

The ongoing exploitation of the vulnerability highlights the problem of N-day attacks – despite awareness of the vulnerability and available remediation, organisations are lagging in their response time to implement crucial patches. According to cybersecurity researchers, the average time taken by organisations to implement crucial software patches is 69 days, and organisations can take anywhere between 30 days and over 200 days to patch a vulnerability. Reasons for the delay vary, from potential financial losses when systems are taken offline for patching, to sorting out compatibility issues between legacy systems and the updated software, to the lack of automated patch management systems to keep up with the volume and frequency of patches released. Regardless of these legitimate reasons, the lag in response time to implement crucial patches presents opportunities for threat actors to target vulnerable systems.

Furthermore, even if knowledge of the zero-day vulnerability was not widespread or publicised, the release of patches by software firms and product manufacturers can sometimes have unintended consequences. Threat actors will generally reverse-engineer patches to understand the original vulnerability – this is especially so for popular products – and scan for systems within organisations that have not implemented remediation. According to cybersecurity researchers, exploitation of a known vulnerability is most likely to occur within the first month following the disclosure of the initial patch, and such exploitation can continue even after a year. Threat actors will very likely continue conducting N-day attacks by exploiting known vulnerabilities rather than expending time and effort to discover new zero-days.
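One way to make the patch lag described above measurable inside an organisation, as an added example that is not from CSA or the cited researchers: a small Python script that takes a host inventory (vendor fix date and the date each host applied it), computes each host's N-day exposure window, flags hosts past the one-month window in which exploitation is most likely, and orders the still-unpatched hosts for remediation. The host names, dates and the `internet_facing` flag are constructed for illustration.

```python
"""N-day exposure report: how long each host kept running a vulnerable version
after the vendor's fix shipped. Added example; hosts/dates are constructed."""
from datetime import date

# The article notes exploitation is most likely within the first month after a
# patch is disclosed, so 30 days is used as the exposure threshold.
EXPLOIT_WINDOW_DAYS = 30
REPORT_DATE = date(2023, 12, 15)  # constructed "as of" date for the report

# Constructed inventory (not real hosts): vendor fix date and the date the
# host applied it; patched_on=None means it is still unpatched.
SAMPLE_INVENTORY = [
    {"host": "mft-gw-01", "internet_facing": True, "patch_released": date(2023, 2, 7), "patched_on": date(2023, 2, 9)},
    {"host": "mft-gw-02", "internet_facing": True, "patch_released": date(2023, 2, 7), "patched_on": date(2023, 4, 4)},
    {"host": "adc-edge-1", "internet_facing": True, "patch_released": date(2023, 10, 10), "patched_on": None},
    {"host": "adc-lab-1", "internet_facing": False, "patch_released": date(2023, 10, 10), "patched_on": date(2023, 10, 30)},
    {"host": "db-int-7", "internet_facing": False, "patch_released": date(2023, 11, 1), "patched_on": None},
]

def exposure_days(patch_released, patched_on, as_of):
    """Days exposed to N-day attacks: fix release until patched, or until the
    report date if the host is still unpatched (never negative)."""
    end = patched_on if patched_on is not None else as_of
    return max((end - patch_released).days, 0)

def risk_rank(entry, as_of):
    """Queue order: internet-facing hosts first, then longest exposure first."""
    days = exposure_days(entry["patch_released"], entry["patched_on"], as_of)
    return (not entry["internet_facing"], -days)

def nday_report(inventory, as_of):
    """Per-host exposure, fleet average, hosts past the exploit window, and an
    ordered queue of hosts that still need the patch applied."""
    days = {e["host"]: exposure_days(e["patch_released"], e["patched_on"], as_of)
            for e in inventory}
    unpatched = sorted((e for e in inventory if e["patched_on"] is None),
                       key=lambda e: risk_rank(e, as_of))
    return {
        "average_days": round(sum(days.values()) / len(days), 1),
        "exposure_days": days,
        "overdue": sorted(h for h, d in days.items() if d > EXPLOIT_WINDOW_DAYS),
        "unpatched_queue": [e["host"] for e in unpatched],
    }

def sample_report():
    """Run the report over the constructed inventory as of REPORT_DATE."""
    return nday_report(SAMPLE_INVENTORY, REPORT_DATE)

if __name__ == "__main__":
    print(sample_report())
```

The same report run weekly against a real asset inventory gives a fleet-wide time-to-patch figure to compare against the 69-day average quoted above.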

WATCH FOR ZERO AND N-DAY FOLLIES!

How do we reduce and manage the risk of zero-day exploits and N-day attacks?

  • Software updates and patch management: Regularly update software and implement patches.
  • Network segmentation: Segment your network to limit lateral movement in case of a breach.
  • Endpoint protection: Use advanced endpoint protection solutions that include features like heuristic analysis, behaviour monitoring, and machine learning to detect and block malicious activity.
  • Network and application firewalls: Use firewalls to control and monitor incoming and outgoing network traffic and provide an additional layer of protection by filtering.
  • Intrusion detection and prevention systems: Implement intrusion detection and prevention systems to monitor networks for malicious activity or security policy violations. These systems can help detect and prevent attacks in real time.
  • Vulnerability scanning and assessment: Regularly conduct vulnerability assessments to identify potential weaknesses in your systems and networks.
  • Incident response plan: Develop and regularly update an incident response plan to ensure that your team knows how to respond quickly and effectively in the event of a security incident, including zero-day or N-day attacks.
  • Least privilege principle: Implement the principle of least privilege, restricting what system accounts can access, to limit the potential damage an attacker can cause.
  • Security awareness training: Educate employees about cybersecurity best practices, including recognising phishing attempts, social engineering, and the importance of not clicking on suspicious links.
  • Multi-layered defence: Implement a layered approach to inspect and block malicious traffic on all potential attack surfaces (see Figure 2 for cybersecurity firm Trend Micro’s approach towards protecting against N-day exploits).

Figure 2: Example of a multi-layered approach to protect against N-day attacks. [Source: Trend Micro]

Keeping yourself updated on the latest vulnerabilities is key to preventing N-day attacks. Companies and individuals are strongly encouraged to adopt remediation measures as soon as possible to avoid falling victim to such attacks. For more information on the latest vulnerabilities and on how to protect your systems, please refer to CSA’s Alerts & Advisories. After all, no organisation would want its holidays to be ruined by cybercriminals!

Happy holidays to one and all from CSA!

[1] Readers may refer to the August 2023 issue of CyberSense titled “Hijacking Data Highways – CL0P Ransomware’s Attacks on Secure File Transfer Tools” for more information on the high-profile attacks exploiting zero-day vulnerabilities.