Cybersecurity experts are warning that zero-day exploits, which can be used to compromise devices before anyone is aware they’re vulnerable, have become more common as nation-state hackers and cybercriminals find sophisticated ways to carry out their attacks.
Researchers from Google on Wednesday said they observed 97 zero-days exploited in the wild in 2023, compared to 62 in 2022 — a 50 percent increase.
Of the 97 zero-days, the researchers were able to attribute the threat actors’ motivations for 58 of them. Fourty-eight of the vulnerabilities were attributed to espionage actors while the remaining 10 were attributed to financially-motivated hackers.
Three zero-days were exploited by FIN11, and four ransomware gangs — Nokoyawa, Akira, LockBit and Magniber — separately exploited another four. The report notes that FIN11 was behind the 2021 zero-day affecting Accellion’s legacy File Transfer Appliance that was used to attack dozens of high profile institutions.
“FIN11 has focused heavily on file transfer applications which provide efficient and effective access to sensitive victim data without the need for lateral network movement, streamlining the steps for exfiltration and monetization,” the researchers said.
“Subsequently, the large revenues generated from mass extortion or ransomware campaigns likely fuels additional investment by these groups in new vulnerabilities.”
Beijing-linked hackers who were focused on espionage were behind 12 zero-days, up from seven in 2022.
The researchers reported extensively on several Chinese campaigns — including the explicit targeting of Barracuda’s Email Security Gateway — with hackers targeting email domains and users from Ministries of Foreign Affairs of ASEAN member nations as well as individuals within foreign trade offices and academic research organizations in Taiwan and Hong Kong.
Google noted that one zero-day was tied to Winter Vivern, a Belarusian state sponsored cyber group behind several attacks on Ukraine and other European countries. Google said it is the first known instance of reportedly Belarusian-linked espionage groups leveraging zero-day vulnerabilities in their campaigns, suggesting the group “is growing in sophistication.”
In terms of products that were targeted, the researchers found that threat actors sought “vulnerabilities in products or components that provided broad access to multiple targets of choice.”
Enterprise-specific technologies like Barracuda Email Security Gateway, Cisco Adaptive Security Appliance, Ivanti Endpoint Manager Mobile and Sentry and Trend Micro Apex One were repeatedly targeted, the researchers said, adding that these products typically provide widespread access and high-level permissions.
Commercial spyware vendors
This increase in exploitation of enterprise-specific technologies in 2023 was driven mainly by the exploitation of security software and appliances.
Commercial surveillance vendors (CSVs) were the leading culprit behind browser and mobile device exploitation, with Google attributing 75% of known zero-day exploits targeting Google products as well as Android ecosystem devices in 2023 (13 of 17 vulnerabilities).
Maddie Stone, a researcher with TAG, said the most alarming part of Google’s zero-day findings was the high volume of vulnerabilities being exploited in the wild by CSVs and lack of global norms against the industry.
“We have widely documented the harm CSVs cause and yet they continue to make up the majority of in-the-wild 0-days targeting end-users,” she said.
The tech giant reiterated its warning that the commercial surveillance industry continues to sell cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications “to surreptitiously install spyware on individuals’ devices.”
“Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years,” they said.
Google said in February that it is tracking at least 40 companies involved in the creation of spyware and other hacking tools that are sold to governments and deployed against “high risk” users, including journalists, human rights defenders and dissidents.
Intra-browser attacks
Google also noted that vulnerabilities in third party components and libraries are “a prime attack surface since they can often affect more than one product.”
In 2023, Google saw this kind of targeting increase in 2023, particularly with browsers. They saw three browser zero-days exploited that were in third party components and affected more than one browser.
The report notes that CVE-2023-4863 affecting Chrome and CVE-2023-41064 affecting Safari are “actually the same bug” — adding that it also affected Android and Firefox. They also cited CVE-2023-5217 — a headline-grabbing vulnerability that emerged last year affecting libvpx. Several other intra-browser tools were exploited last year as well.
Surprisingly, last year there were no in-the-wild zero-days detected that targeted macOS. Google explained that while some of the iOS vulnerabilities identified did also affect macOS due to shared components, the discovered exploit only targeted iPhones.
“In 2023 there were eight in-the-wild zero-days targeting Chrome and 11 targeting Safari. While the tracked Safari zero-days were used in chains targeting iPhones, all except for one of the Chrome zero-days were used in chains targeting Android devices,” the researchers said.
Google warned that it is likely the number of exploited zero-days will continue to increase as more hackers invest heavily in research.
Zero-day exploitation is “no longer just a niche capability accessible to only a handful of actors, and we anticipate that the growth we have seen across the last few years will likely continue, as vendors continue to make other avenues of compromise less accessible and as threat actors focus increasing resources on zero-day exploitation.”
TAG’s Stone told Recorded Future News that the most promising findings from the report were vendor mitigations like Google’s MiraclePtr and Apple’s Lockdown mode, both of which successfully prevent exploitation of many exploit chains used in-the-wild.
“This demonstrates how vendor investments in security can have demonstrable impact on making it more difficult for attackers to exploit users with zero-days,” she added.