Hacking is like marketing: and Patch Tuesday is always a campaign launch day

by Arthur · March 13, 2023

Any self-respecting hacker knows to be glued to their laptop this Tuesday.

It’s Patch Tuesday, the monthly Tuesday (falling on a Wednesday Down Under) reaches the world
major software vendors disclose the latest vulnerabilities they have identified in their products
and release the patches needed to fix them.

For cybercriminals, each new vulnerability – or bug – represents a potentially lucrative opportunity,
assuming one of the organizations on their attack list hasn’t moved quickly enough to patch it.
I’m here to remind you, in case you needed it, to stay glued to your laptop this Patch Tuesday
also: so it’s not your organization that gets broken, and your team that cleans up the mess.

Now, I’m no marketing expert (I work in cyber security), but I know how hackers work: and
whether they are a loner in the bedroom, a sophisticated state-based actor or a cartel, their approach is
essentially the same.

So, with apologies to my wonderful and talented marketing colleagues, for me, hacking is basically
marketing for the wicked. This is how.
A hacking campaign tends to start with an initial reconnaissance phase. They have to do their part
homework to understand their end user audience and identify the most likely targets they can
potentially convert to dollars.

That means surveying organizations’ networks to build up an inventory of customers who use them
certain software products, and build an email phishing campaign list.

When a new vulnerability in that product is announced, the hacker can move to exploit it
vulnerability by spamming their mailing list and hoping someone unwittingly clicks on it
shiny link in their dodgy email.

So the time between the vulnerability being announced and a patch being put in place is critical
important, not least because of the time frame between vulnerability announcements and hacking
the activities become shorter and shorter.

Last year we saw a secondary, pre-phishing reconnaissance that happened on one of our customers
sites—to determine whether they patched a newly released vulnerability—within just an hour of that
vulnerability is announced.
I can guarantee you that if there are 10 organizations with a product in the market that is targeted
a cyber gang, not all of whom are going to patch it right away, which creates this window of
criminal opportunity.

And it’s a potentially very lucrative opportunity.

This Tuesday, a cybercriminal might hit up a third-party coder on the Dark Web and say, “Hey, I give up
you a $50,000 in crypto to spin up a quick script to exploit this latest vulnerability and by the way I’m
going to try to make half a billion dollars in ransom on it before it gets patched.”
That’s the kind of return any marketer would die for.

Of course, it’s not just Patch Tuesday that represents a great promotional opportunity for
cybercriminal.

Like any good marketer, they know that timing and emotion matter.

Hackers love it when any merger or acquisition of a publicly traded company is announced. We have seen
they unleash phishing campaigns on leaders on both sides trying to inject malware into theirs
devices to hunt for inside information to act on.

In fact, any time there are a lot of announcements and a lot of confusion or fear is great
possibility of cybercrime.