3rd Party Risk Management , Governance & Risk Management , Patch Management

On the Increase: Zero-Days Being Exploited in the Wild

Espionage Groups and Commercial Surveillance Vendors Tied to Many Zero-Day Exploits
On the Increase: Zero-Days Being Exploited in the Wild
Image: Shutterstock

Fresh zero-day vulnerabilities continue to be actively exploited in the wild by attackers, often for surveillance and espionage purposes, Google reports.

See Also: OnDemand Webinar | Third-Party Risk, ChatGPT & Deepfakes: Defending Against Today's Threats

The tech giant's latest review of vulnerabilities exploited by attackers before the flaws came to light publicly - aka zero-day exploits - charts a rise in such vulnerabilities from 62 in 2022 to 97 in 2023. That's just shy of the record-setting 106 zero-day vulnerabilities known to be exploited in 2021.

Zero-day vulnerabilities are dangerous because they allow attackers bent on intelligence-gathering or cybercrime to quietly amass victims, oftentimes without their target knowing until it's too late. Even so, simply counting the number of new zero-day exploits found every year isn't indicative of whether things might be getting better or worse. Such research also cannot account for the quantity of undetected zero-day exploits currently in the wild, although it does shine a light on attackers' strategies.

Of the 97 new zero-day exploits discovered last year, the report from Google's Threat Analysis Group and Mandiant's incident response division attributes 48 of them to commercial surveillance vendors or nation-state espionage campaigns and 10 to financially motivated cybercriminals.

Nation-state hackers backed by Beijing exploited 12 of the vulnerabilities, up from seven in 2022, continuing the Chinese government's zero-day exploit dominance relative to other nations, the researchers said. Meanwhile, commercial spyware vendors accounted for two-thirds of all known mobile and browser zero-day vulnerability exploits last year.

For the 10 zero-days attributed to cybercrime activity, the researchers said the threat group FIN11, which Microsoft and others have tied to the Clop ransomware operation, exploited three different zero-day vulnerabilities, and another four zero-days were separately exploited by at least four ransomware groups: Akira, Clop, LockBit and Nokoyawa.

About two-thirds of the 2023 zero-day vulnerabilities existed in end-user platforms and products such as operating systems, mobile devices, browsers and other applications. The greatest number of new in-the-wild zero-days - 17 - affected Windows, followed by browsers Safari with 11 and Chrome with nine, and mobile operating systems Android and iOS each with nine. No new zero-days in macOS or Firefox came to light in 2023, down from two for each in 2022.

The researchers said many vendors' efforts to secure their software is having an effect. "End-user platform vendors, such as Apple, Google and Microsoft, have made notable investments that are having a clear impact on the types and number of zero-days actors are able to exploit," they said. "Vulnerabilities that were commonplace in years past are virtually nonexistent today."

The Google researchers lauded both Safari and Chrome developers for making JavaScript vulnerabilities tougher to exploit and assessed the impact of Google in 2022 introducing MiraclePtr for Chrome, designed to safeguard against use-after-free vulnerabilities, which until then accounted for half of all flaws found in the browser. "In 2023 there were no use-after-free vulnerabilities exploited in Chrome for the first time since we began seeing Chrome zero-days in the wild," the report said.

Beyond the two-thirds of vulnerabilities found last year in end-user platforms and products, the remaining one-third involved more enterprise-focused technologies, including security software and appliances. These 36 vulnerabilities - an increase of 64% from 2022 - reflect attackers' increasing focus on enterprise vendors, the researchers said. They counted 21 unique vendors' products being targeted with fresh zero-day exploits in 2023, up from 17 the prior year. In-the-wild zero-day attacks in 2023 exploited such products as Barracuda Email Security Gateway, Cisco Adaptive Security Appliance, Ivanti Endpoint Manager Mobile and Sentry, and Trend Micro Apex One.

Measuring the number of zero-day vulnerabilities detected in the wild every year doesn't tell the full story. The result of a surveillance or espionage campaign may not ever come to light, at least for the general public, and may only affect a handful of targets. Conversely, even a single flaw in the hands of an attacker may affect a far greater number of targets, such as the Clop ransomware group's late May 2023 mass exploitation of a zero-day flaw in Progress Software's MoveIT secure file transfer tool. The latest count of victims resulting from that campaign, computed by cybersecurity firm Emsisoft, stands at 2,769 organizations affected and information on at least 95 million individuals being exposed.

While zero-days may get the limelight, another persistent problem is so-called n-days, which are known vulnerabilities exploited by attackers before a victim has installed the patch. Researchers say commercial spyware vendors, APT teams and ransomware groups in particular continue to target critical n-day flaws (see: Likely Chinese Hacking Contractor Is Quick to Exploit N-Days).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.asia, you agree to our use of cookies.