Mandiant said that its intelligence division has documented a surge in verified zero-day exploits over the course of the last year, with 2021 accounting for 40% of zero-day attacks undertaken in the last decade.
A zero-day vulnerability is a flaw in software or hardware which threat actors identify and exploit. Attackers then release malware before a developer can create a patch to address the vulnerability.
Mandiant Intelligence on Thursday identified 80 zero-days exploited “in the wild” — that is, in active use — in 2021, more than double the previous record volume set in 2019. Mandiant said it analyzed more than 200 zero-day vulnerabilities from 2012 to 2021.
Other organizations also have reported a sharp uptick in zero-day exploits in the past year. Researchers at Google’s Project Zero said Tuesday that they tracked 58 cases of zero-day exploits in the wild last year. Google said the number is largest they’ve found in a single year since Project Zero launched in mid-2014, attributing the figure in part to better detection.
Last year’s total from Project Zero is more than double the previous maximum of 28 in 2015. Only 25 such attacks were reported by Project Zero in 2020.
Mandiant Intelligence said that Chinese state-sponsored groups are the leading drivers of attacks exploiting zero-day vulnerabilities, but many other state-sponsored groups are also involved. Close to a third of identified threat actors in 2021 were motivated by financial gain, Mandiant said.
Factors fueling the sharp uptick in zero-day exploits include the increased number of organizations using cloud hosting, as well as a surge in mobile and Internet of Things technologies, according to the company. These technologies are increasing the volume and complexity of systems and devices connected to the internet, helping to open the door to more exploits, Mandiant said.
Organizations can protect themselves by closely monitoring threat groups’ recent zero-day attacks, Mandiant Intelligence said in a blog post disclosing their findings.
“While zero-day exploitation is expanding, malicious actors also continue to leverage known vulnerabilities, often soon after they have been disclosed,” the blog post said. “Therefore, security may be improved by continuing to incorporate lessons from past targeting and an understanding of the standard window between disclosure and exploitation.”