SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Record rise in zero-day vulnerabilities exposed in Google-Mandiant report
Tue, 2nd Apr 2024

In a major new cybersecurity report released by Google and Mandiant, 97 zero-day vulnerabilities exploited in the wild were reported for the year 2023. This reveals an increase of over 50% compared to the 2022 data, which registered 62 vulnerabilities. However, this recent figure is still below the record 106 vulnerabilities exploited in 2021.

The Google and Mandiant report further noted that 29 of these vulnerabilities were originally discovered by these tech giants themselves. The reported vulnerabilities encompassed two main categories: end-user platforms and products such as mobile devices, operating systems, browsers, and other applications and enterprise-focused technologies, including security software and appliances.

The study identifies a clear trend, suggesting that "the pace of zero-day discovery and exploitation will likely remain elevated" compared to pre-2021 figures. Nonetheless, it does spotlight numerous industry successes and significant progress.

For 58 of these zero-day exploitations, the threat actors’ motivations were accountable; 48 of these infringements were attributed to espionage actors, with financially motivated actors being responsible for the remaining 10. In terms of state sponsorship, the People's Republic of China (PRC) was identified as the leading perpetrator, with 12 zero-day vulnerabilities exploited in 2023, up from seven in 2022.

The report delineated the affected domains of the vulnerabilities, revealing that nearly two-thirds (61) of zero-days impacted end-user platforms and products, such as mobile devices, operating systems, browsers, and other applications. The remaining 36 vulnerabilities, however, targeted enterprise-focused technologies like security software and devices.

The researchers highlighted positive strides, stating that notable investments made by end-user platform vendors, including Apple, Google, and Microsoft, are "having a clear impact on the types and number of zero-days actors are able to exploit."

The report further mentioned a general upward trend in the targeting of enterprises, with a 64% increase in adversary exploitation of enterprise-specific technologies from the preceding year. This trend has been rising steadily since at least 2019. Importantly, in 2023, Google observed an increase in coding errors in "third-party components and libraries" rather than in the products' original code.

Additionally, statistics on the number of zero-days detected and disclosed in specific platforms revealed an increase in both Android and iOS. Nine in-the-wild zero-days that targeted Android were detected and disclosed in 2023, compared to only three in 2022, while iOS saw eight in-the-wild zero-days, a rise from only four in 2022.

In a comparison between browsers, the results showed that in 2023 eight zero-days targeted Chrome versus 11 which targeted Safari.