Cybersecurity firm FireEye has seen as an increase in zero-day exploitations in 2019 than the previous three years in the Middle East.
Speaking to TechRadar Middle East, Alister Shepherd, Director for Middle East and Africa at Mandiant, a unit of FireEye, said that there are more private security companies investing a large amount of money, apart from governments such as state-sponsored actors, to develop offensive cyber capabilities and services to make additional income.
As a wider range of actors appears to have gained access to these capabilities, he said that there is going to be a greater variety of actors using zero-days, especially as private vendors continue feeding the demand for offensive cyber weapons.
“Unsophisticated threat actors have been able to buy malicious tools from the dark web for some time – you can buy access to a network and then buy the ransomware, and you just take the risk to deploy it. We’re now seeing this being mirrored at a higher level, as Governments who have not developed their own capability, or who wish to extend their capability, can now buy off the shelf with sophisticated capabilities,” he said.
According to industry reports, espionage groups such as Stealth Falcon and FruityArmor have targeted journalists and activists in the Middle East, between 2016 and 2019, by buying malware sold by NSO, an Israeli software company, which leveraged three iOS zero-days.
Becoming increasingly commoditised
Shepherd said that SandCat, suspected to have links with Uzbekistan state intelligence, has been using zero-days in operations against targets in the Middle East.
BlackOasis, which could have acquired zero-day from private company Gamma Group, has demonstrated similarly frequent access to zero-day vulnerabilities in the Middle East.
“We believe that some of the most dangerous state-sponsored intrusion sets are increasingly demonstrating the ability to quickly exploit vulnerabilities that have been made public. In multiple cases, groups linked to these countries have been able to weaponise vulnerabilities and incorporate them into their operations, aiming to take advantage of the window between disclosures and patch application,” he said.
Even though financially-motivated groups continue to leverage zero-days in their operations, he said that they are less frequent than state-sponsored groups.
“Countries with the strongest capabilities are Russia, China, North Korea, the US, Iran and Israel, apart from other countries. We typically see Russia and China deploying these tools most broadly,” he said.
Moreover, he said that access to zero-day capabilities is becoming increasingly commodified and state groups will continue to support internal exploit discovery and development.
However, he said that buying zero-days from private companies may offer a more attractive option than relying on domestic solutions or underground markets.