Oddbean

@663e5b60 Perhaps an obvious statement but the success cl0p experienced through MOVEit most certainly further accelerated TA development, acquisition and use of 0day vulnerabilities. Are we now witnessing the "fruits" of this development and success? I'm a bit tired, but how many of these cases have we had where TAs exploit 0days before they are even known?

@d2a2ed2d I am a threat hunter, not an intel analyst, however I would point out a couple things here. First, MOVEIt exploiters were mostly ransomware actors, who will buy 0-days, but not necessarily develop them. There's a temporal component here as well. I'd have to check the numbers, and it's still early, but it doesn't seem like there's a massive uptick in network device 0-days being released since MOVEIt, which makes sense, given the amount of R&D a brand new 0-day usually takes to develop. It's also the case that cl0p et al were not specifically targeting tech companies with MOVEIt. I suppose it's possible that successful compromise of some vendors led to the discovery of undisclosed critical vulns, but that seems like a rarity. The increased development of network appliance 0-days has been business-as-usual for a while now—at least since CVE-2019-19781 (original Netscaler RCE).

@663e5b60 My thinking was, and it may very well be flawed, that TAs finding and exploiting unknown vulnerabilities like in this instance was, perhaps not novel, but still not entirely common? Sure, announced vulnerabilities have been exploited for a good while especially when PoCs have been released. Then TAs have been pretty quick to take advantage. But again, I may be completely wrong here ans it really is business as usual. :)