Google’s Threat Analysis Group (TAG) and its subsidiary Mandiant reported that 97 zero-day vulnerabilities were exploited in attacks in 2023, up from 62 actively exploited zero-day flaws in 2022.
In 2023, Google (TAG) and Mandiant discovered 29 out of 97 vulnerabilities exploited in the wild.
In 2023, the researchers observed 36 zero-day vulnerabilities exploited in the wild targeting enterprise-specific technologies, while 61 vulnerabilities affected end-user platforms and products such as mobile devices, operating systems, browsers, and other applications.
The researchers reported that investments in exploit mitigations across browsers and operating systems are impacting the offensive capabilities of threat actors.
Of the eight in-the-wild zero-day issues targeting Chrome in 2023, none of the vulnerabilities impacted the Document Object Model (DOM) and none were use-after-free issues.
“In 2023 there were no use-after-free vulnerabilities exploited in Chrome for the first time since we began seeing Chrome zero days in-the-wild. Both Chrome and Safari have made exploiting JavaScript Engine vulnerabilities more complex through their V8 heap sandbox and JITCage respectively. Exploits must now include bypasses for these mitigations instead of just exploiting the bug directly,” reads the report published by Google TAG.
The researchers reported that Lockdown mode on iOS makes it difficult for attackers to exploit zero-day flaws.
In 2023, the researchers observed a surge in zero-day vulnerabilities in third-party components and libraries that can impact all products that use them.
In 2023, the researchers attributed a combined total of 48 out of 58 zero-day vulnerabilities to commercial surveillance vendors (CSVs) and government espionage actors, while 10 zero-day flaws were attributed to financially motivated actors.
Financially motivated threat actors exploited a total of ten zero-day vulnerabilities, and the cybercrime group FIN11 was among the most active, exploiting three separate zero-day flaws. The researchers also tracked at least four ransomware groups exploiting four zero-day vulnerabilities.
“FIN11 appears to have invested heavily in zero-day exploitation in the last several years. From late 2020 to early 2021, the group also exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA), demonstrating a years-long focus by these actors on identifying and exploiting zero-days. Additionally, we tracked the exploitation of four additional zero-day vulnerabilities by four ransomware families in 2023,” continues the report.
China-linked APT groups also made headlines: they exploited 12 zero-day vulnerabilities in 2023, a notable increase from seven in 2022.
(SecurityAffairs – Hacking, zero-day vulnerabilities)