The Mandiant Threat Intelligence team and Google's Project Zero security team each identified a significant jump last year in security vulnerabilities that threat actors exploited before a patch became available. Mandiant recorded 80 zero-days exploited in the wild in 2021, while Project Zero counted 58 zero-days exploited in the wild before being patched.
Mandiant also found that financially motivated actors, ransomware groups in particular, made up a significantly larger share of those deploying zero-day exploits: nearly 1 in 3 actors identified exploiting zero-days in 2021 was financially motivated.
The sharp increase in zero-day exploitation and the diversification of actors using them expand the risk portfolio for organizations in nearly every industry sector and geography, particularly those that rely on the widely deployed products these exploits tend to target.
Google attributes part of the rise in detected in-the-wild zero-days to greater transparency and disclosure by vendors, stronger security practices at organizations, and better detection and defense capabilities from vendors. Microsoft, Google and Adobe, for instance, have for several years annotated their security bulletins to indicate which vulnerabilities were exploited in the wild.
Mandiant believes several factors are contributing to the growth of zero-days exploited, such as:
- The continued move toward cloud hosting, mobile, and Internet-of-Things (IoT) technologies increases the volume and complexity of systems and devices connected to the internet — more software leads to more software flaws.
- The expansion of the exploit broker marketplace also likely contributes to this growth, with more resources being shifted toward research and development of zero-days, both by private companies and researchers, as well as threat groups.
It's highly likely that other zero-days were exploited in the wild and detected, but not reported by vendors. In 2022, vendors should aim to continue to improve transparency with disclosures and security advisories, and organizations and their security teams should continue to enhance security protocols for better risk management.
Security teams should also be using modern tools that check software dependencies against known common vulnerabilities and exposures (CVEs) to find weaknesses before attackers do and get ahead of zero-day security vulnerabilities, says Scott Gerlach, Co-Founder and Chief Security Officer at StackHawk. "Security teams and their organizations need to react quickly and efficiently when new zero-day issues are discovered. The most efficient way to ensure your third-party libraries are protected from zero-days is to use modern tools that look for CVEs during development."
While penetration tests are a good way to reduce risk, they are an inefficient way to learn whether an organization is using a library affected by a newly disclosed zero-day vulnerability, or whether vulnerabilities are present in its own proprietary code.
Testing for vulnerabilities during the development process can help find security issues in third-party libraries and proprietary code faster and enable developers to fix them immediately. "By rapidly fixing newly-discovered zero-day issues, organizations can better protect themselves from risk," Gerlach adds.
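To make the dependency-checking step concrete, the following is an added example, not code from this article, from StackHawk, or from Mandiant, of the matching logic such a tool performs: it reads a pinned requirements file and compares each installed version against an advisory feed written in the OSV "introduced/fixed" range style. Every package name, version and advisory ID here is a constructed placeholder rather than a real CVE, and the version parser is an assumption that handles only dotted numeric versions, not pre-release tags.

```python
"""Check pinned dependencies against an advisory feed (OSV-style version ranges).

Added illustration only: package names, versions and advisory IDs are
constructed placeholders, not real projects or real CVEs.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed lock file in pip freeze style (assumption: every line is pinned with ==).
LOCKFILE = """\
examplelib==2.3.1
otherlib==1.0.0
# comment lines and blank lines are ignored
thirdlib==0.9.5
"""

# Constructed advisory feed. Each range mimics the OSV schema's "events" list:
# a package is affected from "introduced" (inclusive) up to "fixed" (exclusive).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib",
     "ranges": [[{"introduced": "2.0.0"}, {"fixed": "2.3.2"}]],
     "summary": "constructed: flaw in 2.x, patched in 2.3.2"},
    {"id": "EXAMPLE-0002", "package": "thirdlib",
     "ranges": [[{"introduced": "0"}, {"fixed": "0.9.0"}]],
     "summary": "constructed: already fixed in 0.9.0"},
    {"id": "EXAMPLE-0003", "package": "otherlib",
     "ranges": [[{"introduced": "1.0.0"}]],  # no "fixed" event: the zero-day case
     "summary": "constructed: no patched release available yet"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1). Trailing zeros are dropped so '1.0.0' == '1'.
    Assumption: purely numeric dotted versions; pre-release tags are not handled."""
    parts = tuple(int(p) for p in v.split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def parse_lockfile(text: str) -> Dict[str, str]:
    """Return {package_name_lowercased: pinned_version} from a pip freeze-style listing."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9]+(?:\.[0-9]+)*)$", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def version_in_range(version: str, events: List[Dict[str, str]]) -> bool:
    """OSV semantics: affected if introduced <= version < fixed; a missing
    'fixed' event means the range is open-ended (every later version is affected)."""
    v = parse_version(version)
    introduced: Optional[Tuple[int, ...]] = None
    fixed: Optional[Tuple[int, ...]] = None
    for ev in events:
        if "introduced" in ev:
            introduced = parse_version(ev["introduced"])
        if "fixed" in ev:
            fixed = parse_version(ev["fixed"])
    if introduced is not None and v < introduced:
        return False
    if fixed is not None and v >= fixed:
        return False
    return True


def find_affected(deps: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Return one finding per advisory whose affected range contains the pinned version."""
    findings = []
    for adv in advisories:
        name = adv["package"].lower()
        if name not in deps:
            continue
        installed = deps[name]
        matching = [r for r in adv["ranges"] if version_in_range(installed, r)]
        if not matching:
            continue
        # Smallest fixed version among the matching ranges is the upgrade target;
        # None means no patch exists yet and the finding cannot be closed by upgrading.
        fixes = [ev["fixed"] for r in matching for ev in r if "fixed" in ev]
        findings.append({"id": adv["id"], "package": name, "installed": installed,
                         "fix": min(fixes, key=parse_version) if fixes else None,
                         "summary": adv["summary"]})
    return findings


def main() -> int:
    """CI-gate style entry point: non-zero exit when any pinned dependency is affected."""
    findings = find_affected(parse_lockfile(LOCKFILE), ADVISORIES)
    for f in findings:
        fix = f"upgrade to {f['fix']}" if f["fix"] else "NO FIX AVAILABLE"
        print(f"{f['id']}: {f['package']}=={f['installed']} affected; {fix} ({f['summary']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a CI step, the non-zero exit blocks the build while a dependency sits inside an affected range. The third constructed advisory, which has no "fixed" event, is the situation the text describes for a genuine zero-day: the scanner can surface the exposed library immediately, but the fix is a mitigation or a removal rather than an upgrade until the vendor ships a patched release.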