Takeaways from the Google Report on Zero-Days

Google issued a report this week about the proliferation of commercial spyware tools and their link to zero-days in Google products.

In 2023, 20 of the 25 zero-days in Google products were exploited in the wild and attributed to commercial spyware vendors. This revelation highlights two important issues.

The first is the focus of the Google report. Commercial spyware is fueling the zero-day market. Throughout the history of cybersecurity, an underground market has existed for vulnerabilities. As researchers discover these vulnerabilities, they can sell them via bug bounty programs or to access brokers. In this case, researchers are selling them to either access brokers or spyware companies directly. These vulnerabilities can be chained together or paired with stolen credentials to provide spyware companies the access they need.

The second issue is more relevant to the wider industry. Zero-days are becoming harder to find and are increasing in financial value. This limits the threat actors who can take advantage of them to those with the most resources. Typically, this would mean nation-state actors. However, zero-days can also be used by well-resourced ransomware groups, particularly those who would target very large companies. It is important to point out that a majority of businesses are not the target of these groups.

There is a considerable amount of noise generated by cyber threat intelligence and the discovery of new vulnerabilities. Understanding which vulnerabilities to prioritize is a challenge, even for well-resourced teams.

Organizations should consider the following:

    • Is the group exploiting this vulnerability likely to target my organization?
    • If this vulnerability were exploited, what cybersecurity risk mitigations do I have in place, such as managed detection and response (MDR), data loss prevention (DLP), etc.?
    • Are there other vulnerabilities being exploited by threat actors that are relevant to me that I should patch first?

Insurance companies should ask similar questions.

    • Is this threat actor likely to target my clients?
    • Have I helped my clients prioritize more relevant vulnerabilities such as those used in ransomware attacks?
    • Do my clients have other cybersecurity risk mitigations in place and fast access to a response team?

This report draws attention to the concerning issue of commercial spyware and also provides a strong case for organizations to consider attribution and threat intelligence when prioritizing vulnerabilities.
