Zero-day vulnerability exploitation soaring, experts say

Researchers with Mandiant and Google Project Zero say they observed significant increases in exploitation of zero-day vulnerabilities over the past year.

The volume of attacks targeting zero-day vulnerabilities has soared over the past year and is likely to continue.

This is according to a pair of reports from security vendors that tracked attack trends over 2021 and found that both the number and intensity of attacks on previously unknown vulnerabilities were up significantly.

Mandiant said that its team logged a total of 80 zero-day bugs being exploited in the wild over the course of 2021. The figure is more than the previous three years combined (30 in 2020, 32 in 2019 and 16 in 2018).

According to Mandiant, the staggering rise in zero-day vulnerability exploitation cannot be attributed to any single cause, though one significant factor is that defensive systems and network monitoring are now catching more incoming attacks.

"We suggest that a number of factors contribute to growth in the quantity of zero-days exploited," Mandiant said in its report.

"For example, the continued move toward cloud hosting, mobile, and Internet-of-Things (IoT) technologies increases the volume and complexity of systems and devices connected to the internet -- put simply, more software leads to more software flaws."

Security researchers at Google Project Zero similarly recorded a jump in the number of zero-day attacks observed in the wild over the last year. Project Zero's team spotted 58 such attacks, more than double its 2020 tally. Google last month agreed to acquire Mandiant for $5.4 billion, but the two reports are based on separate research efforts.

Google's figure may even be on the low side, as Project Zero noted that only attacks that are spotted and verified in the wild can be counted, and it is possible that many more attacks had slipped past security vendors and researchers.

Mandiant and Project Zero are not alone in their findings. Rapid7 noted a similar trend, as well as a reduction in overall time-to-exploit for all security flaws.

One particular area where the Project Zero crew noticed an increase in zero-day vulnerability disclosures was in attacks that were spotted and reported by the vendor that developed the software under attack.

"Whether or not these vendors were previously working on detection, vendors seem to have found ways to be more successful in 2021," the Project Zero team reported.

"Vendors likely have the most telemetry and overall knowledge and visibility into their products so it's important that they are investing in (and hopefully having success in) detecting 0-days targeting their own products."

According to Mandiant, state-sponsored hacking operations are still the most common sources of zero-day attacks, with China leading the way. Russia and North Korea were found to be second and third, respectively.

While state-backed groups are more likely to be wielding zero-days, private cybercrime groups are increasingly finding and exploiting zero-day flaws.

"From 2014-2018, we observed only a small proportion of financially motivated actors exploit zero-day vulnerabilities, but by 2021, roughly one third of all identified actors exploiting zero-days were financially motivated," Mandiant said.

"We also noted new threat clusters exploit zero-days, but we do not yet have sufficient information about some of these clusters to assess motivation."
