Security

Half of actively exploited zero-day issues in H1 2022 are variants of previous flaws

Google Project Zero states that in H1 2022 at least half of zero-day issues exploited in attacks were related to not properly fixed old flaws.

Google Project Zero researcher Maddie Stone published a blog post that resumes her speech at the FIRST conference in June 2022, the presentation is titled “0-day In-the-Wild Exploitation in 2022…so far“.

Stone revealed that nine out of 18 zero-day flaws detected and disclosed as exploited in-the-wild in 2022 are variants of previously patched vulnerabilities

“As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests.” wrote Stone. “On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug.”

This means that in many cases the attacks were not so sophisticated, instead threat actors that exploited the issue were able to come back and trigger the known vulnerability through a different path.

For example, the recently discovered Follina Windows vulnerability, tracked as CVE-2022-30190, is a variant of the CVE-2021-40444 MSHTML zero-day.

The following table includes the list of the zero-day and the associated variants:

Product2022 ITW 0-dayVariant
Windows win32kCVE-2022-21882CVE-2021-1732 (2021 itw)
iOS IOMobileFrameBufferCVE-2022-22587CVE-2021-30983 (2021 itw)
WindowsCVE-2022-30190 (“Follina”)CVE-2021-40444 (2021 itw)
Chromium property access interceptorsCVE-2022-1096CVE-2016-5128 CVE-2021-30551 (2021 itw) CVE-2022-1232 (Addresses incomplete CVE-2022-1096 fix)
Chromium v8CVE-2022-1364CVE-2021-21195
WebKitCVE-2022-22620 (“Zombie”)Bug was originally fixed in 2013, patch was regressed in 2016
Google PixelCVE-2021-39793** While this CVE says 2021, the bug was patched and disclosed in 2022Linux same bug in a different subsystem
Atlassian ConfluenceCVE-2022-26134CVE-2021-26084
WindowsCVE-2022-26925 (“PetitPotam”)CVE-2021-36942 (Patch regressed)

“When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method.” continues Stone. “To do that effectively, we need correct and comprehensive fixes.”

To properly address zero-day vulnerabilities Google researchers recommend platform security teams and other independent security researchers to invest in root cause analysis, variant analysis, patch analysis, and exploit technique analysis.

“Transparently sharing these analyses helps the industry as a whole as well. We publish our analyses at this repository. We encourage vendors and others to publish theirs as well.” concludes Stone. “This allows developers and security professionals to better understand what the attackers already know about these bugs, which hopefully leads to even better solutions and security overall.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials

FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S.…

16 hours ago

Shields up US retailers. Scattered Spider threat actors can target them

Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting…

19 hours ago

U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…

1 day ago

Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi

On day two of Pwn2Own Berlin 2025, participants earned $435,000 for demonstrating zero-day in SharePoint,…

2 days ago

New botnet HTTPBot targets gaming and tech industries with surgical attacks

New botnet HTTPBot is targeting China's gaming, tech, and education sectors, cybersecurity researchers warn. NSFOCUS …

2 days ago

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

2 days ago