Researchers at the threat intelligence firm Mandiant observed the use of 55 zero-day vulnerabilities in 2022. That’s a decrease from 2021 — when researchers recorded a whopping 81 — but a figure that nonetheless represents an overall rise in recent years of hackers exploiting previously unknown software vulnerabilities, which are a potent tool for digital spies and cybercriminals.
The long-term trend of more frequent deployment of zero-days by state-backed hackers, commercial spyware vendors and online crooks remains on track to continue, said James Sadowski, a principal analyst at Mandiant, which is part of Google. Last year “was largely a story of consistency,” he said.
Chinese state-linked hackers continue to be the most prolific users of zero-day vulnerabilities, exploiting seven such software flaws as part of their cyberoperations in 2022, according to the latest research from Mandiant. The firm observed two instances of Russian state-backed groups deploying zero-days and two instances of North Korean hackers using them.
Of the 16 zero-days that Mandiant researchers said with some confidence they knew how attackers used, cyberespionage groups deployed 13.
In 2022, state-backed hackers exhibited a particular focus on edge network devices such as firewalls and routers, which have grown particularly attractive as endpoint detection software has grown more sophisticated. In a separate report published last Thursday, Mandiant researchers described how Chinese hackers targeted Fortinet and VMWare security products in a bid to maintain persistence on victim networks.
These edge networking devices pose an attractive target for attackers because they are exposed to the internet and often lack the security protections of other endpoint devices.“In many instances, these products aren’t built with security baked in,” Sadowski said, and attacking these types of devices “makes for a very powerful efficient and broad tool.”
While the use of zero-days was once the near exclusive remit of state-backed hackers due to difficulty and cost of obtaining these vulnerabilities, criminal hackers are deploying them more often in their own campaigns. The advent of ransomware has resulted in huge revenues for online criminal groups, and 75% of the zero-day vulnerabilities linked to financially motivated hackers in Mandiant’s data set were linked to ransomware operations.
Tracking the use of zero-day vulnerabilities is a difficult task, and there may be far more attacks involving zero-days than researchers are aware of. This is particularly true of commercial spyware companies who sell hacking tools to law enforcement groups around the world. Mandiant documented commercial vendors using three zero-days in 2022, but companies such as NSO Group and Candiru, with large resources for exploit research and acquisition, may be sitting on a larger trove of zero-days.
A myopic focus on zero-day vulnerabilities — as the quintessential apex hacking activity — also risks distracting from what are arguably more consequential vulnerabilities. While these vulnerabilities can give broad access to victim systems, so-called n-day vulnerabilities — which refers to the number of days “n” from which a vulnerability has been revealed and might be remediated — make up a greater portion of the exploits observed, Sadowski said. Of the ransomware incidents that Mandiant responded to in 2022, for example, more than 50% relied on n-day vulnerabilities for initial access.
“The speed at which either state actors or financially motivated groups turn around newly disclosed vulnerabilities continues to be a major threat for organizations across the globe,” Sadowski said.