Experts warn of a surge in zero-day flaws observed and exploited in 2021

The number of zero-day vulnerabilities exploited in cyberattacks in the wild exploded in the last years, security firm report.

Google and Mandiant have published two reports that highlight a surge in the discovery of zero-day flaws exploited by threat actors in attacks in the wild.

Google’s Project Zero researchers reported that 58 zero-day were discovered in 2021 (28 zero-day were detected in 2020), which marks a record for the company since it started tracking these issues in mid 2014.

“While we often talk about the number of 0-day exploits used in-the-wild, what we’re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.” reads the report published by Google Project Zero.

Google experts pointed out that the situation is going better compared to the past, now all vendors agree to disclose the in-the-wild exploitation status of the zero-day flaws in their security bulletins and technical details of the exploits are shared more widely.

Google researchers reported that the exploitation of the zero-days they saw in 2021 was not different from the past.

Giving a close look at the type of 0-zays observed by Google, 39 out of 58 (67%) are memory corruption vulnerabilities, 17 are use-after-free, 6 out-of-bounds read & write, 4 buffer overflow, and 4 integer overflow flaws.

“Memory corruption vulnerabilities have been the standard for attacking software for the last few decades and it’s still how attackers are having success. Out of these memory corruption vulnerabilities, the majority also stuck with very popular and well-known bug classes,” continues Google’s report.

Mandiant researchers also published a report warning of the surge in the number of zero-day exploited in 2021, according to the company 80 zero-day issues were exploited last year, which is more than double the previous record volume in 2019. Mandiant states that From 2012 to 2021, China exploited more zero-days than any other nation. 

Most of the zero-days discovered by the company were exploited by nation-state APT groups. The experts also observed an increase use of zero-day exploits by financially motivated threat actors, particularly ransomware groups.

“State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups. The proportion of financially motivated actors—particularly ransomware groups—deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated.” reads the report published by Mandiant. 

From 2012 to 2021, China-linked threat actors exploited more zero-days than any other nation-state actors.

The experts reported that since 2012 at least 10 separate countries have likely exploited zero-days, the researchers also observed private vendors emerging as “significant exploit brokers” in 2021. 

“We suggest that significant campaigns based on zero-day exploitation are increasingly accessible to a wider variety of state-sponsored and financially motivated actors, including as a result of the proliferation of vendors selling exploits and sophisticated ransomware operations potentially developing custom exploits.” concludes the report.”The marked increase in exploitation of zero-day vulnerabilities, particularly in 2021, expands the risk portfolio for organizations in nearly every industry sector and geography.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-days)

[adrotate banner=”5″]

[adrotate banner=”13″]