Welcome to the era of the mega-hack

Weaponised software flaws now threaten everyone, not just the few.

We're now living in the era of the mega-hack. More than ever, software flaws are being seized on by sophisticated hackers who take these bugs -- and use them to create attacks that compromise the computer systems of thousands of organisations, all at once.

Newly discovered vulnerabilities in Microsoft's Exchange Server provide a good example of this evolution. The flaws were seized on by (likely China-backed) hackers as a way to attack networks, with tens of thousands of systems apparently compromised in a widespread attack. At least 10 other groups are thought to be attempting to use the same exploits, and now cyber criminals are piggy-backing on the original attack in an attempt to deliver ransomware too.

Bugs exist wherever there is software, despite attempts to eradicate them. What we're seeing now is a growing ability and desire among hackers to turn these bugs into attacks. Increasingly, the same software applications and tools are being used by companies around the world. Some may not even be aware of the software code they are relying on, such is the interconnected world of tech products. And even if they do know which software they are using, too many companies fail to update it even when warned about vulnerabilities by software vendors.


Hacking groups have different motivations: state-backed hackers want to gain access to as many systems as possible before deciding which have strategic value (either a source of intelligence or as a stepping-stone to compromising other systems); cyber criminals want to break in where they can to either steal data or deliver money-making ransomware. Either way, threat actors are now sophisticated enough to respond to weaknesses quicker than ever before. That's bad for everyone.

A software flaw doesn't affect just one company, but can put thousands or even tens of thousands at risk as hacking groups seize on a new bug and race to exploit it, breaking into as many systems as possible before a fix is found and applied. Some companies used to think they were too small to be targeted, but will sadly discover that crooks will attack -- and potentially destroy -- their business, just on the off-chance that a ransom will be paid. Others will find that cutting costs by not patching software flaws is a false economy, to say the least.

So what can be done? Projects that aim to fix bugs in everything -- starting with programming languages and the basic code (often open-source) that underpins software applications -- are a start. Encouraging secure code as a standard is a must. Companies must also understand that legacy systems may contain vulnerabilities, and that patching is not optional. Longer-term, the ransomware threat must be addressed and better international rules around state-backed hacking put in place. Neither of those is going to be an easy problem to tackle.

Right now, we need to realise that the stakes are increasing -- and rapidly.


The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.