Experts warn of a surge in zero-day flaws observed and exploited in 2021

The number of zero-day vulnerabilities exploited in cyberattacks in the wild has exploded in recent years, security firms report.

Google and Mandiant have published two reports that highlight a surge in the discovery of zero-day flaws exploited by threat actors in attacks in the wild.

Google’s Project Zero researchers reported that 58 zero-days were discovered in 2021 (28 zero-days were detected in 2020), which marks a record for the company since it started tracking these issues in mid-2014.

“While we often talk about the number of 0-day exploits used in-the-wild, what we’re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.” reads the report published by Google Project Zero.

Google experts pointed out that the situation is improving compared to the past: all vendors now agree to disclose the in-the-wild exploitation status of zero-day flaws in their security bulletins, and technical details of the exploits are shared more widely.

Google researchers reported that the exploitation of the zero-days they saw in 2021 was not different from the past.

Taking a closer look at the types of 0-days observed by Google, 39 out of 58 (67%) are memory corruption vulnerabilities; 17 are use-after-free, 6 are out-of-bounds read & write, 4 are buffer overflow, and 4 are integer overflow flaws.

“Memory corruption vulnerabilities have been the standard for attacking software for the last few decades and it’s still how attackers are having success. Out of these memory corruption vulnerabilities, the majority also stuck with very popular and well-known bug classes,” continues Google’s report.

Mandiant researchers also published a report warning of the surge in the number of zero-days exploited in 2021. According to the company, 80 zero-day issues were exploited last year, which is more than double the previous record volume in 2019. Mandiant states that from 2012 to 2021, China exploited more zero-days than any other nation.

Most of the zero-days discovered by the company were exploited by nation-state APT groups. The experts also observed an increased use of zero-day exploits by financially motivated threat actors, particularly ransomware groups.

“State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups. The proportion of financially motivated actors—particularly ransomware groups—deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated.” reads the report published by Mandiant. 

From 2012 to 2021, China-linked threat actors exploited more zero-days than any other nation-state actors.

The experts reported that since 2012 at least 10 separate countries have likely exploited zero-days. The researchers also observed private vendors emerging as “significant exploit brokers” in 2021.

“We suggest that significant campaigns based on zero-day exploitation are increasingly accessible to a wider variety of state-sponsored and financially motivated actors, including as a result of the proliferation of vendors selling exploits and sophisticated ransomware operations potentially developing custom exploits.” concludes the report. “The marked increase in exploitation of zero-day vulnerabilities, particularly in 2021, expands the risk portfolio for organizations in nearly every industry sector and geography.”


Pierluigi Paganini

(SecurityAffairs – hacking, zero-days)
