Researchers at Google’s Project Zero said they tracked 58 cases of zero-day exploits “in the wild” in 2021 — the most ever detected and disclosed in a single year since the group began its work in mid-2014.
The 2021 total is more than double the previous maximum, 28, tracked in 2015. And it’s “especially stark when you consider that there were only 25 detected in 2020,” Maddie Stone, a security researcher with Project Zero, wrote in findings posted to the group’s website Tuesday.
New software bugs are discovered, publicly disclosed and patched all the time, often before malicious hackers can take advantage of them. Project Zero is primarily concerned, however, with the vulnerabilities that attackers discover and exploit first — the ones that software companies have had “zero days” to patch.
The good news about the 2021 total, according to Stone, is that the increased number is likely due to the increased detection and disclosure of zero-day exploits, rather than the increased usage of them.
The bad news, however, is that “attacker methodology hasn’t actually had to change much from previous years,” Stone wrote. “Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces.”
Project Zero publishes its overall findings to a public spreadsheet. The group also notifies vendors of the bugs ahead of publication, giving them time to issue patches or updates to address the security concerns. Its stated mission is to “make 0-day hard,” and Stone notes that “0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits.”
The vulnerabilities cataloged by the Project Zero team represent only those that have been detected and disclosed — either by vendors or independent researchers — “so we’ll never know exactly what proportion of 0-days are currently being found and disclosed publicly,” according to Stone.
Zero-day exploits can be quite damaging and have been at the root of some of cybersecurity’s most important and troubling developments over the years. In September of last year, for instance, researchers with Citizen Lab, a Toronto-based group focused on human rights and digital forensics, published findings outlining an exploit that had been purchased from Israeli spyware firm NSO Group and built into the software that it sells to governments — some of which used the product to target journalists and activists.
Project Zero researchers said in December that the NSO Group spyware — dubbed “FORCEDENTRY” by the original Citizen Lab researchers who found it — was “one of the most technically sophisticated exploits” they’d ever seen, rivaling “those previously thought to be accessible to only a handful of nation states.”
Stone wrote Tuesday that the FORCEDENTRY zero-day was one of just two of the 58 detected and disclosed in 2021 that “stood out as novel.” The rest were similar to “previous & publicly known vulnerabilities.”
This dynamic represents a “clear area of opportunity for the tech industry,” Stone wrote, in that the majority of the vulnerabilities being caught should be relatively simpler for vendors to address, since they rely on previously documented issues.
For 2022, Stone said the Project Zero team hopes that more vendors will agree to disclose the in-the-wild exploitation status of vulnerabilities in their security bulletins, and that exploit samples or detailed technical descriptions of the exploits will be shared more widely.
More vendors are detecting and publicly reporting zero-days affecting their own products, Stone wrote. Google, for instance, discovered seven, while Microsoft discovered 10.
On a more technical level, the team is hoping researchers and security professionals focus on reducing memory corruption vulnerabilities or rendering them unexploitable. Those bugs typically involve a piece of software unintentionally using computer memory in a way that causes unusual behavior or crashes.
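The memory corruption bugs referred to above are easiest to see in a small, concrete case. The following C program is an added illustration, not code from the article or from Project Zero: it uses a constructed record layout in which a fixed-size name buffer sits directly in front of a privilege flag, and contrasts a copy routine with no length check (the bug class) against one that checks the length before writing. The unchecked variant deliberately writes through the enclosing struct so the overflow stays inside one object and the outcome is deterministic; in a real program the same missing check writes past the object into whatever happens to be next.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (an assumption for this example): the privilege flag
 * immediately follows the 8-byte name buffer in memory. */
struct user_record {
    char name[8];
    uint32_t is_admin;   /* 0 = ordinary user, non-zero = administrator */
};

/* Vulnerable variant: copies the whole string including its terminator with no
 * check that it fits in r->name. A name longer than 7 characters spills into
 * is_admin, silently changing the record's meaning. The copy is done through the
 * enclosing struct and capped at sizeof(*r) so the demonstration stays inside
 * the object; the missing check on sizeof(r->name) is the actual defect. */
int set_name_unchecked(struct user_record *r, const char *s)
{
    size_t n = strlen(s) + 1;                      /* bytes including NUL */
    if (n > sizeof(*r) - offsetof(struct user_record, name))
        return -1;                                 /* cap for the demo only */
    memcpy((unsigned char *)r + offsetof(struct user_record, name), s, n);
    return 0;
}

/* Hardened variant: refuses input that does not fit and always NUL-terminates,
 * so the write can never reach the neighbouring field. */
int set_name_checked(struct user_record *r, const char *s)
{
    size_t n = strlen(s);
    if (n >= sizeof(r->name))
        return -1;                                 /* too long: reject, do not truncate silently */
    memcpy(r->name, s, n);
    r->name[n] = '\0';
    return 0;
}

/* Returns 1 if an over-long name flipped the flag through the unchecked copy. */
int overflow_changes_flag(const char *s)
{
    struct user_record r;
    memset(&r, 0, sizeof r);
    if (set_name_unchecked(&r, s) != 0)
        return 0;
    return r.is_admin != 0;
}

int main(void)
{
    const char *too_long = "AAAAAAAAA";            /* 9 characters, constructed input */
    struct user_record r;

    memset(&r, 0, sizeof r);
    set_name_unchecked(&r, too_long);
    printf("unchecked: is_admin = %u\n", (unsigned)r.is_admin);

    memset(&r, 0, sizeof r);
    printf("checked:   rc = %d, is_admin = %u\n",
           set_name_checked(&r, too_long), (unsigned)r.is_admin);
    return 0;
}
```

The unchecked copy turns an input-length problem into a privilege problem without any crash, which is why such bugs are attractive to attackers and hard to notice in testing. Compiling with sanitizers (for example `-fsanitize=address`) or building the hardened variant from the start are the kinds of mitigation the team is asking the industry to invest in.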