Zero-Day Bonanza Drives More Exploits Against Enterprises

The escalating cybersecurity arms race between adversaries and enterprises is behind a rise in the volume of zero-day vulnerabilities exploited last year, according to new research.

Consumer platforms are seeing payoff in their investment in cybersecurity defenses, vendors are responding more quickly to in-the-wild exploits, and the number of zero days discovered each year is improving, according to Mandiant and Google Threat Analysis Group (TAG) research released today. But those gains are being stymied by sophisticated nation-state backed adversaries and a sprawling enterprise attack surface.

The research team reported finding 50% more zero-day vulnerabilities exploited in the wild in 2023 than in 2022. Enterprises are being hit especially hard.

Some of the year-over-year increase can be attributed to a fall-off in the use of n-day vulnerabilities in 2022 — i.e., bugs that are almost immediately exploited after public disclosure, according to researchers Maddie Stone, security engineer at Google TAG, and James Sadowski, Mandiant principal analyst at Google Cloud. But that fad has since faded out among the cybercrime set.

"In 2023, we saw these attackers were forced to switch back to zero-days," the researchers tell Dark Reading. "We also saw both researchers and vendors discovering and disclosing in-the-wild zero-days more quickly and often, further increasing the [reported] volume in 2023."

Cybersecurity Software Hit Hard by Zero-Day Exploits

Investments by end-user platforms in cybersecurity have been successful in driving down exploits on the consumer side, the research showed. The report points to Google's MiraclePtr and Lockdown Mode for iOS as successful tools for stopping exploits in-the-wild.

But enterprises present a far more enticing attack surface, with footprints that consist of software from multiple vendors, third-party components, and sprawling libraries, the report explained. Cybercrime groups have been particularly focused on security software, including Barracuda Email Security Gateway; Cisco Adaptive Security Appliance; Ivanti Endpoint Manager, Mobile, and Sentry; and Trend Micro Apex One, the research added.

"In total, we observed exploitation of nine vulnerabilities affecting security software or devices [in 2023]," The TAG/Mandiant team noted in the report. "Security software is a valuable target for attackers because it often runs on the edge of a network with high permissions and access."

Rather than being purely financially motivated, the research shows espionage was the prevailing motivator behind zero-day exploits in 2023, led by advanced persistent threat (APT) groups backed by the People's Republic of China. The researchers were able to suss out the motivations behind 58 individual zero-day exploits in 2023, and of those, espionage was behind 48 of them. By comparison, in 2021, about a third of zero-day exploits were financially motivated. The report notes the cost and complexity of zero-day exploitation as a likely factor in pushing ransomware groups to pursue simpler routes to enterprise access.

The rise in number of zero days is likely to continue in the coming years, fueled by the enterprise investment in tooling on one side, and nation-state sponsored, sophisticated zero-day hunting on the other.

"Anecdotally it seems likely that security researchers who look for bugs in order to report them to bug bounties so the vendor can fix them are often finding the same bugs as attackers," Mandiant Google researchers Stone and Sadowski explain in their statement.

"The number of 0-days tracked each year is a confluence of positive and negative security factors leading to the growth we tracked across the last decade," the statement continues. "In 2023, we saw a combination of both, including quite a few positives, contributing to the increase in zero-days we tracked."