More on the Chinese Zero-Day Microsoft Exchange Hack (Security News, March 2021)
With regard to your question, I'm going to answer it in a bit more depth, as there is a lot that many really do not realise, both from a defender's and an attacker's point of view.
The level of the attack signal rises and the level of the signals uncorrelated with the Zero Day attack goes down, so it does not remain covert for long when you can "Go back in time" repeatedly with "Collect it All" databases.
Thus a smart "Covert APT" attacker will not just "Randomize" the Zero Day itself but all things related to it, from the start/source of the attack, and will also remove or randomize all artifacts from the attack.
Whilst an examination of early AV history shows past attackers have realised this and attacked accordingly, "We do not appear to be seeing it with Covert APT".
Generating the same signal twice is effectively as fatal to your Zero Day attack as using an OTP Key Stream twice or more, as it enables what is an "Attack in depth", which is the same as a Signal Processing function, just from a different "Knowledge domain".
Now, oddly, this was "Known knowledge" back from the earlier days of computer viruses, but for some reason the Zero Day finders/attackers "We see" do not appear to realise this and thus do not change their behaviours accordingly. Or, more correctly, "The defenders are only seeing those attackers that do not take care to randomize their attack signals sufficiently".