How SecurityScorecard STRIKE Identifies Zero Days in the Wild

The zero-day vulnerability that emerged in Progress Software’s MOVEit Transfer product last year was a stark reminder of the real-world impact of such vulnerabilities. It wreaked havoc on businesses and governments worldwide, with cyber criminals exploiting it since May of 2023. Notable victims include Shell, British Airways, and even the United States Department of Energy. The C10p cybercrime group claimed responsibility for MOVEit, and the breach has affected over 60 million people so far. 

Though zero-day threats aren’t new, MOVEit in particular, has served as a much-needed wakeup call that they are always out there — waiting for the right moment to strike. A security team can do everything right and still experience a zero-day attack in its supply chain. And with innumerable configurations, devices, and platforms that can be exploited, zero-day exploits are becoming more common than ever. 

Zero-day disaster averted 

One near-disaster came recently when a Microsoft developer discovered a backdoor that had been intentionally planted in XZ Utils, an open source data compression utility available on almost all installations of Linux and other similar operating systems. This backdoor appeared to be years in the making, and was just weeks from going live. If it hadn’t been discovered, it would have affected millions of computers worldwide, compromising governments, hospitals, businesses, and critical infrastructure providers without warning. The details of this unsuccessful supply chain attack reveal the dedication and importance threat actors are placing on supply chain vulnerabilities.

SecurityScorecard’s recent Global Third-Party Cybersecurity Breach Report found that 75% of third-party breaches targeted the software and technology supply chain. Further research found that 21% of the S&P 500 companies reported breaches in 2023. Case in point: several years ago, SecurityScorecard STRIKE Threat Research analysts used our Attack Surface Intelligence to find a vulnerability in a hydroelectric dam in Italy that could have been opened if it got into the wrong hands. 

As supply chains become increasingly complex, organizations must be able to track and monitor threats and risks that impact any vendor that holds their data or has access to their systems. But, many organizations often lack the capacity, resources, or expertise to properly identify and mitigate cyber risks that can lead to zero days, increased threat exposure, and unhealthy vendor relationships.

Find and reduce zero-days with SecurityScorecard

Thanks to Zero-Day-as-a-Service (ZDaaS), SecurityScorecard has successfully uncovered zero-days in our customer environments in the last year. These zero-days were first published on nvd.gov/cve.org, then published to cvedetails.com (owned by SecurityScorecard). As a result, we were able to swiftly alert customers to these vulnerabilities. Our Zero-Day-as-a-Service (ZDaaS) is an early warning and detection service that equips organizations to proactively identify and mitigate new and emerging potential zero-day vulnerabilities across their third-party vendor landscape. ZDaaS offers timely analysis and reporting of high-risk threats, empowering security and vendor risk management teams to effectively control these threats wherever they reside, bolstering their vendors’ cybersecurity posture and safeguarding their own business operations. 

ZDaaS also includes monitoring notifications and alerts from vulnerability datasets, such as NIST’s National Vulnerability Database (NVD) and CISA’s Known Exploited Vulnerability Catalog. 

Get proactive about zero-days 

As the only company to offer Zero-Day-as-a-Service, SecurityScorecard can help organizations of all sizes and industries save time and resources while also shielding them from data breaches, financial losses, and reputational damage. By offering greater visibility into an organization’s ecosystem, we can reduce cyber incidents, minimize supply chain risk, and increase our collective cyber resilience.