Forty-one actively exploited zero-day vulnerabilities were detected and disclosed in 2022, making it the second-highest recorded year since 2014, according to new research by Google.
Maddie Stone, security researcher with Google's Threat Analysis Group, published the vendor's fourth annual review of zero-days in a blog post Thursday. While the number represented a significant decrease from the 69 zero-day bugs disclosed in 2021, Stone detailed an alarming trend of attackers leveraging variants of previously reported vulnerabilities.
In 2020, Google found that 25% of actively exploited zero-days were connected to previously disclosed vulnerabilities. Last year, the number rose to more than 40%, or 17 of the 41 disclosed zero-day vulnerabilities. Stone emphasized that more than 20% of the flaws were variants of previous zero-days, including seven from 2021 and one from 2020.
"Two key factors contributed to the higher than average number of in-the-wild 0-days for 2022: vendor transparency & variants," Stone wrote in the blog post. "The continued work on detection and transparency from vendors is a clear win, but the high percentage of variants that were able to be used in-the-wild as 0-days is not great."
Part of the problem, Stone said, may be insufficient vendor patching. Vulnerabilities are being fixed less comprehensively, which creates the opportunity for more variants. According to the blog post, Google considers a patch complete only when the fix no longer allows any exploitation of the vulnerability.
"Many times we see vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole. Similarly, security researchers often report bugs without following up on how the patch works and exploring related attacks," she wrote.
One example occurred in December of last year, when CrowdStrike discovered that Play ransomware actors had bypassed Microsoft's earlier ProxyNotShell mitigation to gain access to Exchange servers. The new exploit technique eliminated the need to use the Autodiscover endpoint, which was the focus of Microsoft's fix, to reach the PowerShell remoting service. Attackers then chained CVE-2022-41080 with one of the ProxyNotShell flaws, tracked as CVE-2022-41082, to achieve remote code execution through Outlook Web Access.
CVE-2022-41082 was one of the 17 variant zero-day vulnerabilities listed in Google's blog post. Another was CVE-2022-30190, a Microsoft Windows zero-day vulnerability dubbed "Follina," for which Microsoft received criticism from Tenable over its disclosure transparency.
On the other hand, Stone highlighted how the variant research can be seen as a positive. Eliminating the underlying attack vector, rather than a single exploit path, would ease pressure on defenders. "We have a clear path toward making 0-days harder. If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit 0-days," she wrote.
Android users beware
The blog post highlighted additional good and bad news. Unfortunately for Android users, Google researchers found that known vulnerabilities, or n-days, effectively functioned as zero-days on Android because of a lack of timely patching. The vendor observed that attackers didn't need zero-day exploits to attack the Android ecosystem because, in many cases, patches weren't available for known flaws, which were then exploited on unpatched devices.
However, browser security appeared to improve in 2022. New browser mitigations contributed to a decrease in zero-day vulnerabilities affecting browsers. Google also observed that many attackers moved toward zero-click exploits, which "usually target components other than the browser."
Lastly, Stone cited an uptick in attackers sharing vulnerabilities. In 2022, there were more frequent reports of separate attackers using the same vulnerabilities. In addition, bugs that security researchers reported were later discovered to have been used by attackers. That's where some good news comes in.
"When an in-the-wild 0-day targeting a popular consumer platform is found and fixed, it's increasingly likely to be breaking another attacker's exploit as well," she wrote.
Stone emphasized that the figures in the year-in-review report don't necessarily signal an increase or decrease in how secure the landscape is. Rather, the numbers are used to analyze contributing factors, to determine what led to successes and to address the remaining challenges. Based on the 2022 findings, Stone said the largest area that requires focus is the "industry's response to reported vulnerabilities."
Recommendations included timely fixes and mitigations so that users can protect themselves, performing detailed root cause analyses, sharing as many technical details as possible, and using reported vulnerabilities as a guide to what still needs to be accomplished.
Mandiant analysts James Sadowski and Casey Charrier released a separate 2022 zero-day exploitation report in March that showed similar findings, although with a higher zero-day total than Google's report. While Mandiant is now part of Google Cloud, the acquisition was only completed in September 2022.
"Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost double the number from 2020," Sadowski and Charrier wrote in the report.
Arielle Waldman is a Boston-based reporter covering enterprise security news.