A new report from Google’s Threat Intelligence Group (GTIG) finds that 75 zero-days were exploited in the wild last year, with a little over half involving spyware.
The spyware comes from a mix of foreign espionage groups, particularly those based in China and North Korea, and international commercial providers such as Paragon Solutions and NSO Group. Some of 2024’s most notable zero-days hit Cisco, Palo Alto Networks and Ivanti.
Use of zero-days down from 2023, but big year-to-year swings continue
The total of zero-days exploited in the wild came down from 2023, when 98 were observed, but continues a general pattern of up-and-down swings that has run for some years now. The GTIG believes that new developments push these numbers in different directions each year, sometimes unpredictably; for example, 2024 saw improved vendor hardening against exploits but also improvements by commercial spyware vendors that make their tools harder to detect. Despite the zigs and zags of individual years, the trendline over the last few years has been slow and steady growth in exploitation of zero-days.
There were also small increases in the targeting of certain categories. Exploitation of enterprise-specific technologies continues to climb, rising from 37% to 44% of incidents involving zero-days in 2024. Within incidents involving enterprise technologies, the share targeting security and networking products also increased, reaching 60%.
Though enterprise technologies are an increasingly popular target in the business world, over half (56%) of the zero-days were directed at everyday end-user products. Attacks on browsers and mobile devices dropped from 2023 numbers, but attacks on operating systems increased overall, particularly on Windows. Zero-days directed at Microsoft’s OS have risen steadily from 13 in 2022 to 22 in 2024. While Android attacks were down, when a chain of multiple exploits is deployed it is used against a mobile device 90% of the time. And though browser attacks were also down overall, Chrome leads the pack (likely due to its gigantic market share).
The majority of the spyware exploits, a little over 50%, involved cyber espionage operations. This was a mix of the usual suspects such as Chinese and North Korean APT groups, and other governments making use of commercial spyware. Customers of these services were linked to eight of the documented zero-days, while North Korean and Chinese groups each racked up five.
Spyware for actual spying relatively rare outside of state-sponsored groups
Among nation-states, North Korea and China unsurprisingly topped the list of zero-days exploited in 2024. Russia accounted for three more, South Korea for one, and another three were strongly suspected to be used by APT groups but not attributed to a particular nation.
Collectively that accounts for 17 of the 34 zero-days used for espionage purposes in 2024. So who else is in the spyware market? Eight more are chalked up to presumably government clients of assorted commercial surveillance vendors (CSVs). That leaves five deployed by non-state actors conducting financially motivated espionage, and four used by “uncategorized” (UNC) groups that have not clearly emerged as either state-backed or private money-motivated actors. One of these groups, tentatively labeled as “FIN11,” has made a point of attacking file transfer software and has been seen exploiting zero-days several times now dating back to 2021.
An important pattern to understand is that exploitation of zero-days underwent a major spike in 2021 relative to prior years, and while each year since has seen significant peaks and valleys, the numbers have stayed well above the pre-2021 level. Much of that is an increase in zero-days that hit some of big tech’s biggest names: 26 for Microsoft, 11 for Google and five for Apple. Ivanti racking up seven and taking the third-place spot among organizations is a new development, however: it is the first time a smaller vendor has found itself among the ranks of the always heavily targeted big tech firms.
The GTIG researchers note that zero-days are a “manageable” problem for huge and well-resourced tech firms like Google and Microsoft, but can be much more catastrophic for smaller outfits and require them to retool their entire development practices. The researchers also project that exploitation of zero-days in the wild will only become more frequent over at least the next few years.
Evan Dornbush, CEO, Desired Effect, points out that these numbers also should not be regarded as a comprehensive summary of either the use of zero-days or their prevalence in spyware: “To some degree, we have to assume that these numbers are conservative given how many successful attacks go unreported. That said, zero-day attacks are indicative of how the cyber tools and practices available to defenders are inherently designed for a reactive approach to executing a security strategy. The lack of interoperability or a single pane of glass, the need to process massive amounts of data, and the increasing complexity of the latest cyber technology leaves defenders at a disadvantage and always susceptible to zero-day attacks.”
The central takeaway for organizations is that enterprise technologies that operate with a broad level of permissions are under heavy fire from advanced attackers, particularly those products, such as network and security appliances, that cannot be monitored with EDR tools. This could mean adding layers such as NDR, but to a great degree it will also likely rely on careful selection of vendors with strong security records and on inventorying equipment to keep on top of end-of-life products.