A new study from FireEye Mandiant Threat Intelligence and Google’s Project Zero found that 2021 was a record year for zero-day vulnerabilities, more than doubling the number seen in 2020. As has been the case since these annual studies began, steady gains in these vulnerabilities are in part driven by private security companies finding and selling these exploits as an offensive capability. But the new study offers an alternative explanation for the sudden increase in numbers: detection and public knowledge have also gone up considerably.
Spike in zero-day vulnerabilities may be tied to better detection and disclosure
Google recently announced an acquisition of Mandiant, but the two companies have independently tracked zero-day vulnerabilities and issued annual reports since 2019. Google’s Project Zero counted 58 in 2021, more than double the 25 logged in 2020 and the previous all-time record of 28 in 2015. Mandiant counted almost triple the number of zero-day vulnerabilities in 2021: 80 in total, up from 30 in 2020.
However, these numbers reflect zero-days that were detected and disclosed but not necessarily put into use. Project Zero believes the spike in numbers is primarily owed to improved detection and communication, rather than a massive surge in the actual amount that has surfaced. The researchers saw a consistent pattern in recent years in how attackers identify and use vulnerabilities, with most of 2021’s zero-days bearing similarities to those that have surfaced in recent years (i.e. similar oversights in code). The researchers said that only two in the previous year stood out in terms of advanced technical capability.
The Project Zero researchers also noted that much more information was available about zero-day vulnerabilities in 2021 than in any previous year. This is a marked change from the 2019 report, whose theme was a “detection deficit” that limited the usefulness of studies of this nature. That deficit shrank significantly in the past year due to a combination of factors: greater investment in detection by the relevant organizations (such as vendors scanning their own products with telemetry tools), more reports of zero-days used in the wild than ever before, and improvements by both vendors and security organizations to their bulletins and advisories to address this specific issue.
While Mandiant did not offer precisely the same interpretation of its results, the theme was similar: the firm believes that increased enterprise adoption of cloud, mobile and IoT services has in turn led to increased security scanning and detection in the market.
Though the results of these studies point to a “normal” amount of zero-days, at least in terms of the past decade or so, Bud Broomhead (CEO at Viakoo) warns that this particular threat has been tracking in a more dangerous direction thanks in particular to the proliferation of IoT devices: “Threat actors are shifting their attack vectors away from vulnerabilities that traditional threat assessment and detection solutions would uncover. That’s why not just zero day threats, but also exploiting IoT vulnerabilities and leveraging open source software are rapidly growing enterprise threats … Many organizations outside of IT manage devices that are susceptible to zero day attacks (e.g. IoT devices traditionally managed by manufacturing, facilities, and other lines of business). Providing those organizations with the tools, budget, and training to secure the devices they manage is critical to stopping fast growing attack vectors like zero day.”
Saumitra Das, CTO and Cofounder of Blue Hexagon, additionally points out that while “zero day” calls to mind a brand new exploit, it can actually be something that has sat dormant in code for years and has only just reached public awareness: “Zero-day exploits and variants of malware that go after them have been on a consistent rise as attackers invest in automation and research. Many of the zero-days discovered in old software like print spooler (print nightmare) are being discovered by overseas research teams. These can then be weaponized at scale and quickly by attackers using mutated malware to get in. In many cases, attackers use an existing foothold and simply try out a new POC at a victim.”
Zero-day efforts aimed at operating systems, tech giants
Leaders among individual pieces of software with zero-day vulnerabilities that appeared in 2021 were Chromium (10), Windows (10), Safari WebKit (7), Android (7), iOS (5), Microsoft Exchange Server (5) and Internet Explorer (4). One point of interest is that messaging apps attract a disproportionate amount of interest from attackers, and yet only one zero-day was discovered in this category in 2021 (the exploit of iMessage infamously used by the Pegasus spyware). This continues a pattern of seemingly strong security for major messaging apps, as it is only the second zero-day in the category recorded by Project Zero since 2014.
There is a definite focus on finding zero-day vulnerabilities in the biggest players in the tech market, however, as 75% of 2021’s total collectively belonged to Microsoft, Google and Apple. No surprise here, as compromising an operating system directly is the fastest path to full access to a target device. Project Zero called on the industry to make the discovery and exploitation of zero-day vulnerabilities harder through several specific measures: sharing exploit samples and detailed descriptions of the techniques seen in attacks, having vendors agree to disclose in-the-wild exploitation of vulnerabilities in their security bulletins, and an industry-wide focus on reducing memory corruption vulnerabilities.
Mandiant’s report added some data about the attackers that are exploiting zero-day vulnerabilities, finding that state-sponsored groups are using them most often but that use by financially motivated criminals has been growing. China was the leading exploiter of zero-days, followed by Russia and North Korea. They are not necessarily the ones that are discovering zero-days, however, as exploit brokers continue to do brisk business in the criminal underworld and some security services continue to be ethically flexible in who they provide these offensive capabilities to.
What should organizations be doing to protect themselves from zero-days, given the state of the threat landscape? Scott Gerlach, Co-Founder and CSO at StackHawk, says that a reliance on penetration testing will come back to bite a company eventually; this aspect of cyber security has to be addressed in stages throughout development: “Penetration tests to find weaknesses in your software are great ideas, but they are hyper-inefficient for understanding if you are using a library that has been compromised by a zero-day, or if you have written a zero-day type vulnerability into your proprietary code. The most efficient way to make sure your third party libraries are protected from zero-days is to use modern tools that look for common vulnerabilities and exposures (CVEs) during development. The most efficient way to protect proprietary code developed by your team is to test for vulnerabilities every time code is checked in. Modern teams are implementing these tools earlier in the development lifecycle so security issues in third party libraries and proprietary code are found faster and developers can fix on the spot. By fixing newly-discovered zero-day issues rapidly, organizations can better protect themselves from risk.”
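The check Gerlach describes, comparing the third-party libraries a project pins against known advisories on every check-in, is what software-composition-analysis tools do. The script below is an added illustration of that mechanism, not code from the article, StackHawk or any of the vendors quoted. It parses a pip-freeze style lockfile, normalizes package names the way Python package indexes do, and flags any pin whose version falls inside an advisory's affected range, exiting non-zero so a CI job fails. The advisory identifiers, package names and lockfile contents are all constructed placeholders.

```python
import re
import sys

# Constructed advisory list for illustration; the identifiers are placeholders,
# not real CVEs. "fixed" is None when no patched release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "acme-spooler",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-2021-0002", "package": "acme-json",
     "introduced": "2.0.0", "fixed": None},
]

# Constructed pip-freeze style lockfile as it might be committed with the code.
LOCKFILE = """\
# constructed sample lockfile
acme-spooler==1.3.0
Acme_JSON==2.1.5
acme-logging==0.9.1
"""


def normalize_name(name):
    """PEP 503 style normalization so 'Acme_JSON' and 'acme-json' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version):
    """Turn '1.4.2' into a tuple of ints; stop at the first non-numeric piece."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if digits is None:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing a to b, zero-padded so that 1.3 == 1.3.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version, introduced, fixed):
    """Affected when introduced <= version < fixed (fixed=None means no fix yet)."""
    if compare_versions(version, introduced) < 0:
        return False
    return fixed is None or compare_versions(version, fixed) < 0


def parse_lockfile(text):
    """Parse 'name==version' lines into {normalized_name: version}; skip comments."""
    pinned = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            pinned[normalize_name(name.strip())] = version.strip()
    return pinned


def audit(lockfile_text, advisories):
    """Return one finding per advisory whose affected range covers a pinned version."""
    pinned = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        name = normalize_name(adv["package"])
        if name in pinned and is_affected(pinned[name], adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"], "package": name, "version": pinned[name],
                "fixed": adv["fixed"],
            })
    return findings


def main():
    findings = audit(LOCKFILE, ADVISORIES)
    for f in findings:
        remedy = f"upgrade to {f['fixed']}" if f["fixed"] else "no fixed release yet"
        print(f"{f['id']}: {f['package']}=={f['version']} ({remedy})")
    # A non-zero exit fails the CI job, so the pin is fixed before merge.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Two details matter in practice: package names must be normalized before matching (a lockfile can spell the same package several ways, and an unnormalized comparison silently misses it), and an advisory with no fixed release still needs to surface, since the useful response then is a mitigation or a replacement library rather than an upgrade.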