Zero days are often found on parts of the stack everyone uses.
When searching for zero days, it often seems more useful to search for zero days in systems everyone uses, like operating systems, word processors, routers, cloud providers, etc. Many people are depending on the same codebases and infra, so attacking these is often very profitable for attackers. It often seems less profitable to find a vulnerability in one specific target's codebase, unless this is a high value target.
Since searching for zero days takes multiple months (or years) of top hackers' time, a lot of attack and defence decisions are made based on financial costs and benefits, as opposed to political/ideological motivations. Govts and the large companies they work with have the largest budgets for this.
I still want to learn to read CVE databases in detail, and maybe classify them into these categories (affects everyone versus affects one target, money as motivation versus ideology as motivation).
2025-11-20
Most low value cyberattacks are very spray-and-pray. They are not aimed at specific targets.
I played around with Shodan and Censys scans.
There's like 20k unsecured webcams. It might be possible to have GPT-5 search all the feeds for blackmail material and then either extort money or just generally ruin your political opponents' lives. But these 20k cams are random, so it is unlikely your specific target will be included there.
There's at least 10k machines running older versions of Redis and SQL instances, possibly poorly configured. Many of them have already been compromised by someone else, so I can't do much here. Some of the compromised machines have crypto miners running; I found some shell scripts.
I have previously looked into torrents of databases of breached passwords.
haveibeenpwned blogs about it and collects all the data in an organised format. But you can just go get the torrents directly. This too is a list of random users with passwords.
Similarly, whenever a new CVE drops, usually there's news articles on which actors were most badly hit.
Again this list is usually a random list, not a specific set of targets someone wanted to hit.
If you're a govt actor like the US or Israel, you can do attacks aimed at specific targets.
You can do so much spray-and-pray that it becomes bulk surveillance and everyone ends up in your dragnet. This can then help you do targeted attacks.
You can obviously get full access to all the data of tech companies, and can tap all the routers, and tap all the fiber optic cables inside your geopolitical territory. The NSA PRISM stuff, basically.
You can pair hacking with espionage. For example, in the specific documents Snowden leaked, there are specific exploits that first require a spy to jump an airgap and insert a USB drive, and only then does the hack begin. Spies must be willing to risk imprisonment to do this. It is much easier to find people willing to risk imprisonment for you if you're a govt actor, as opposed to a private one.