A growing cybersecurity arms race between adversaries and enterprises is behind the increase in the volume of zero-day vulnerabilities exploited last year, according to new research.
Consumer platforms are seeing the fruits of their investments in cybersecurity defenses, vendors are responding more quickly to exploits in the wild, and the number of zero-days discovered each year is improving, according to Mandiant and Google Threat Analysis Group (TAG) research released today. But these gains are hampered by sophisticated nation-state-backed adversaries and a vast corporate attack surface.
The research team reported finding 50% more zero-day vulnerabilities exploited in the wild in 2023 compared to 2022. Businesses are particularly hard hit.
According to researchers Maddie Stone, a security engineer at Google TAG, and James Sadowski, Mandiant principal analyst at Google Cloud, part of the year-over-year increase can be attributed to a decline in the use of n-day vulnerabilities, i.e. bugs that are exploited almost immediately after public disclosure, which were widely used in 2022. But that fad has since disappeared from the cybercrime landscape.
“In 2023, we saw these attackers forced back to zero days,” the researchers tell Dark Reading. “We have also seen both researchers and vendors discover and reveal zero-days in the wild more quickly and often, further increasing the [reported] volume in 2023.”
Cybersecurity software hit hard by zero-day exploits
The research shows that investments by end-user platforms in cybersecurity have been successful in reducing consumer exploits. The report points to Google's MiraclePtr and Lockdown Mode for iOS as effective tools for stopping exploits in the wild.
But enterprises present a much more attractive attack surface, with footprints made up of software from multiple vendors, third-party components and sprawling libraries, the report explains. Threat groups have particularly focused on security software, including Barracuda Email Security Gateway, Cisco Adaptive Security Appliance, Ivanti Endpoint Manager Mobile and Sentry, and Trend Micro Apex One, the research adds.
“In total, we observed the exploitation of nine vulnerabilities affecting security software or devices [in 2023],” the TAG/Mandiant team noted in the report. “Security software is a valuable target for attackers because it often runs at the edge of a network with high permissions and access.”
Rather than purely financial motivations, the research shows that espionage was the prevalent motivation behind zero-day exploits in 2023, led by Advanced Persistent Threat (APT) groups backed by the People's Republic of China. Researchers were able to determine the motivations behind 58 individual zero-day exploits in 2023, and of these, espionage was behind 48. By comparison, in 2021, about a third of zero-day exploits were financially motivated. The report finds that the cost and complexity of zero-day exploitation is a likely factor driving ransomware gangs to pursue simpler paths to enterprise access.
The number of zero-days is likely to keep rising in the coming years, fueled on the one hand by corporate investment in technology and on the other by the sophisticated zero-day hunting sponsored by nation-states.
“Anecdotally, it seems likely that security researchers looking for bugs to report to bug bounties so the vendor can fix them often find the same bugs as the attackers,” Google and Mandiant researchers Stone and Sadowski explain in their statement.
“The number of 0-days tracked each year is a confluence of positive and negative security factors leading to the growth we have tracked over the last decade,” the statement continues. “In 2023, we saw a combination of both, including some positives, which contributed to the increase in zero-days we tracked.”