An increase last year in the number of zero-day vulnerabilities exploited in the wild was driven in part by spyware vendor activity across the commercial surveillance market and exploitation efforts by espionage groups linked to the People’s Republic of China (PRC), according to a new Google report.
In 2023, Google researchers observed 97 flaws exploited in the wild, up roughly 50 percent from 2022 but still below the 106 in-the-wild zero-days of 2021. While exploitation activity has been highlighted across a number of high-profile zero-day flaws over the past year - such as those in Barracuda’s Email Security Gateway (ESG) - tracking these patterns more broadly is critical because it reflects the behaviors of both attackers and defenders. On the threat landscape side, these numbers give a view into who is using specific zero-day flaws, what types of vulnerabilities they are targeting and how they are using them. On the other side of the coin, the research lays out the impact of the defensive work by vendors to make exploitation of these types of vulnerabilities more difficult.
“Over the years we’ve learned that the quicker we discover and patch attackers’ bugs, the shorter the lifespan of the exploit, and the more it costs attackers to maintain their capabilities,” according to Maddie Stone with Google’s Threat Analysis Group and James Sadowski with Mandiant Intelligence in the Wednesday report. “As an industry, we must now learn how to take those lessons and apply them to the wider ecosystem of vendors that are now finding themselves under attack.”
While tracking zero-day exploitation behaviors, researchers found that commercial surveillance vendors were behind 75 percent of known zero-day exploits that targeted Google products and Android devices, and drove 55 percent of exploits of iOS and Safari. Despite efforts by the U.S. government to curb the burgeoning commercial surveillance market, Google researchers said that commercial surveillance vendors, along with their government customers using their services, drove half of attributed zero-day exploitation by government actors in 2023.
“The commercial surveillance industry has emerged to fill a lucrative market niche: selling cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals’ devices,” said researchers. “Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years.”
Researchers also attributed 12 separate zero-day flaws to PRC-linked cyber threat groups last year. PRC threat groups have for several years been the dominant actor exploiting zero-days for espionage. 2023 was no different, with researchers in particular highlighting UNC3886, which exploited a VMware zero-day for two years before it was discovered.
At the same time, attackers are focusing on vulnerabilities in products and services that hold valuable data or carry broad permissions and access. Researchers observed a 64 percent increase in the exploitation of enterprise-specific technologies last year: 36 of the 97 vulnerabilities targeted enterprise-focused products, such as security software and appliances, while the remaining 61 affected end-user platforms such as mobile devices, operating systems and browsers. Attackers also shifted their focus to third-party components and libraries, where a single exploit can have wide-reaching impact.
“Zero-day exploitation is no longer just a niche capability accessible to only a handful of actors, and we anticipate that the growth we have seen across the last few years will likely continue, as vendors continue to make other avenues of compromise less accessible and as threat actors focus increasing resources on zero-day exploitation,” said researchers. “The wider proliferation of technology has made zero-day exploitation more likely as well: simply put, more technology offers more opportunity for exploitation.”
Researchers have also tracked security investments on the vendor side to see what influence they have had on exploitation. For instance, Apple’s Lockdown Mode, the opt-in hardened configuration introduced in iOS 16, has blocked several exploit chains. Meanwhile, Google’s MiraclePtr project, aimed at protecting against use-after-free vulnerabilities in the Chrome browser, also appears to have worked: in 2023, for the first time since Google began tracking in-the-wild Chrome zero-days, no use-after-free flaws were exploited in Chrome.
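To make the use-after-free point concrete, here is a small C++ model of the idea behind MiraclePtr's BackupRefPtr: a pointer wrapper keeps a per-allocation count of outstanding protected references, and the allocator refuses to reuse a freed allocation while that count is non-zero, poisoning it instead. This is an added illustration written for this page, not Chromium code; the toy slot allocator, the `BackupRefPtr` class, the `Node` type and the `0xEF` poison byte are all assumptions of the example, and the real implementation lives in PartitionAlloc and differs in many details. The first function shows the classic bug, where a dangling raw pointer silently aliases an attacker's replacement object; the second shows how the reference count turns the same bug into a read of poisoned, quarantined memory.

```cpp
// Toy model of a BackupRefPtr-style use-after-free mitigation (added example,
// not Chromium's code). A fixed pool of slots stands in for the heap.
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

struct Node {            // the object type handed out by the toy allocator
    uint32_t tag;
    uint32_t value;
};

namespace toy_heap {
constexpr int kSlots = 4;
constexpr unsigned char kPoison = 0xEF;   // assumed poison pattern for freed memory

struct Slot {
    alignas(Node) unsigned char bytes[sizeof(Node)];
    bool allocated = false;    // currently owned by a live object
    bool quarantined = false;  // freed, but protected references still exist
    uint32_t refs = 0;         // number of live BackupRefPtr pointing at this slot
};
static Slot slots[kSlots];

// Map an address back to its slot (nullptr if it is not from this pool).
Slot* slot_of(const void* p) {
    for (Slot& s : slots) if (static_cast<const void*>(s.bytes) == p) return &s;
    return nullptr;
}

// First-fit allocation; quarantined slots are skipped, which is the whole point.
Node* heap_alloc(uint32_t tag, uint32_t value) {
    for (Slot& s : slots) {
        if (!s.allocated && !s.quarantined) {
            s.allocated = true;
            return new (s.bytes) Node{tag, value};
        }
    }
    return nullptr;  // pool exhausted
}

void heap_free(Node* p) {
    Slot* s = slot_of(p);
    assert(s && s->allocated);
    s->allocated = false;
    if (s->refs > 0) {
        // A protected reference is still outstanding: poison and quarantine the
        // memory instead of handing it to the next allocation.
        s->quarantined = true;
        std::memset(s->bytes, kPoison, sizeof(s->bytes));
    }
}
}  // namespace toy_heap

// Pointer wrapper in the spirit of raw_ptr<T>: bumps the slot's protected
// reference count so the allocator knows about it at free time.
template <typename T>
class BackupRefPtr {
public:
    BackupRefPtr() = default;
    explicit BackupRefPtr(T* p) : p_(p) { acquire(); }
    BackupRefPtr(const BackupRefPtr& o) : p_(o.p_) { acquire(); }
    BackupRefPtr& operator=(const BackupRefPtr& o) {
        if (this != &o) { release(); p_ = o.p_; acquire(); }
        return *this;
    }
    ~BackupRefPtr() { release(); }
    T* get() const { return p_; }
    // True once the referenced allocation has been freed.
    bool is_dangling() const {
        toy_heap::Slot* s = toy_heap::slot_of(p_);
        return s != nullptr && !s->allocated;
    }
private:
    void acquire() { if (toy_heap::Slot* s = toy_heap::slot_of(p_)) ++s->refs; }
    void release() {
        toy_heap::Slot* s = toy_heap::slot_of(p_);
        if (s && --s->refs == 0) s->quarantined = false;  // last reference gone: slot reusable
    }
    T* p_ = nullptr;
};

// Read the tag field as raw bytes so the read stays valid even for poisoned storage.
uint32_t read_tag(const void* p) { uint32_t t; std::memcpy(&t, p, sizeof t); return t; }

// Classic UAF: the freed slot is reused, so the stale raw pointer now aliases the
// replacement object. Returns the tag observed through the stale pointer (0xBBBB).
uint32_t uaf_with_raw_pointer() {
    Node* victim = toy_heap::heap_alloc(0xAAAA, 1);
    Node* stale = victim;                                   // no bookkeeping at all
    toy_heap::heap_free(victim);
    Node* replacement = toy_heap::heap_alloc(0xBBBB, 2);    // lands in the same slot
    assert(replacement == stale);
    uint32_t seen = read_tag(stale);                        // attacker-controlled object
    toy_heap::heap_free(replacement);
    return seen;
}

// Same bug through BackupRefPtr: the slot is quarantined and poisoned, the
// replacement goes elsewhere, and the stale read returns 0xEFEFEFEF.
uint32_t uaf_with_backup_ref_ptr() {
    Node* victim = toy_heap::heap_alloc(0xAAAA, 1);
    BackupRefPtr<Node> stale(victim);
    toy_heap::heap_free(victim);                            // refs > 0: quarantine + poison
    Node* replacement = toy_heap::heap_alloc(0xBBBB, 2);
    assert(replacement != stale.get());                     // slot was not reused
    assert(stale.is_dangling());
    uint32_t seen = read_tag(stale.get());                  // poison, not attacker data
    toy_heap::heap_free(replacement);
    return seen;
}

int main() {
    std::printf("raw pointer UAF sees tag 0x%X\n", uaf_with_raw_pointer());
    std::printf("BackupRefPtr UAF sees  0x%X\n", uaf_with_backup_ref_ptr());
    return 0;
}
```

The model deliberately leaves the dangling pointer dereferenceable: the mitigation does not remove the bug, it removes the attacker's ability to place a chosen object where the freed one was, which is what turns most use-after-free bugs into exploitable primitives.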
“This demonstrates how these investments are making a real impact on the safety of users and forcing attackers to spend the time to research new attack surfaces and find new bug patterns,” said Stone and Sadowski. “We hope to see the continued investment as well as other products and vendors following this lead as well.”