Detected Zero-Day Exploitation Jumped in 2021
According to Mandiant, a new zero-day (a previously unknown security vulnerability for which no patch is available) was exploited more than once a week in 2021, a year that saw 80 zero-days exploited.
Research from the incident response firm suggests that zero-day exploitation – previously largely the preserve of advanced persistent threat (APT) state actors – is now also the domain of financially motivated criminal groups: a third of the groups it identified exploiting zero-days in 2021 were financially motivated.
Among other incidents, the company cited a Russian group attacking critical infrastructure networks through a Sophos firewall product, and the effective and widely reported use by Chinese espionage groups of the “ProxyLogon” set of vulnerabilities to mass-attack mail servers between January and March 2021.
Google, for its part, in its third annual assessment of zero-days exploited in the wild, detected 58 of them, up dramatically from the 25 detected in 2020. Google’s Project Zero noted in its report, however, that “attackers are succeeding by using the same bug patterns and exploitation techniques and pursuing the same attack surfaces.”
(Google found that when it comes to Zero Day Exploits in 2021, 67% of all bugs were memory corruption vulnerabilities; “the standard for attacking software over the past few decades…”)
The company noted, however, that the sharp increase could be due to improved detection capabilities. Zero-day use has undoubtedly – where necessary – been prevalent among certain groups for years, but it is becoming increasingly difficult to get away with it undetected, both by security researchers and by vendors analyzing their own telemetry to identify exploited bugs in their products.
Google’s Maddie Stone said: “Congratulations and thank you to Microsoft, Google Chrome and Adobe who have been annotating their security bulletins for transparency for several years now! And thanks to Apache who also annotated their release notes for CVE-2021-41773 last year.
“0-days in the wild in Qualcomm and ARM products have been annotated as being in the wild in Android security bulletins, but not in the vendors’ own security advisories. It is very likely that in 2021, other 0-days have been exploited in the wild and detected, but the vendors did not mention it in their release notes. In 2022, we hope more vendors will start noting when they fix vulnerabilities that have been exploited in the wild. Until we are confident that all vendors are transparently disclosing in-the-wild status, there is a big question as to how many 0-days in the wild are uncovered, but not publicly labeled by vendors.”
Project Zero’s more detailed breakdown of the zero-days exploited in 2021 is here.
More broadly, the US Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking 647 known exploited software vulnerabilities. (Security teams can subscribe to its update bulletin here.)