@d2a2ed2d I am a threat hunter, not an intel analyst, however I would point out a couple things here. First, MOVEit exploiters were mostly ransomware actors, who will buy 0-days, but not necessarily develop them. There's a temporal component here as well. I'd have to check the numbers, and it's still early, but it doesn't seem like there's a massive uptick in network device 0-days being released since MOVEit, which makes sense, given the amount of R&D a brand new 0-day usually takes to develop. It's also the case that cl0p et al were not specifically targeting tech companies with MOVEit. I suppose it's possible that successful compromise of some vendors led to the discovery of undisclosed critical vulns, but that seems like a rarity. The increased development of network appliance 0-days has been business-as-usual for a while now—at least since CVE-2019-19781 (original NetScaler RCE).
@663e5b60 My thinking was, and it may very well be flawed, that TAs finding and exploiting unknown vulnerabilities like in this instance was, perhaps not novel, but still not entirely common? Sure, announced vulnerabilities have been exploited for a good while, especially when PoCs have been released. Then TAs have been pretty quick to take advantage. But again, I may be completely wrong here and it really is business as usual. :)
@d2a2ed2d Hey you and me both. Until we get another leak like we did with Conti, it's all highly speculative.