2023 saw attackers increasingly focusing on the discovery and exploitation of zero-day vulnerabilities in third-party libraries (libvpx, ImageIO) and drivers (Mali GPU, Qualcomm Adreno GPU): a single bug in such a shared component can affect multiple products, effectively offering more possibilities for attack.
Another interesting conclusion from Google’s recent rundown of the 97 zero-days exploited in-the-wild in 2023 is that there’s a notable increase in targeting enterprise-specific technologies.
Number of zero-days exploited in the wild (2019-2023). Source: Google
“This observed increase in enterprise targeting was fueled mainly by exploitation of security software and appliances, including, but not limited to, Barracuda Email Security Gateway, Cisco Adaptive Security Appliance, Ivanti Endpoint Manager Mobile and Sentry, and Trend Micro Apex One,” Google TAG’s and Mandiant’s threat analysts noted.
Only 11.8 percent of zero-days in 2019 affected enterprise technologies; in 2023, that share reached 37.1 percent. The shift has many vendors scrambling to respond to attacks quickly and effectively while they work on an effective patch.
Platforms have been making things harder for attackers
On the other hand, commercial surveillance vendors have been keeping OS, browser and mobile device makers on their toes for years, spurring them to develop exploit mitigations that make entire categories of vulnerabilities useless to attackers.
For example, Google’s MiraclePtr has made exploitation of use-after-free bugs in the Chrome browser plummet, and iOS’s Lockdown Mode protects against many exploit chains seen in 2023.
“Both Chrome and Safari have made exploiting JavaScript Engine vulnerabilities more complex through their V8 heap sandbox and JITCage respectively. Exploits must now include bypasses for these mitigations instead of just exploiting the bug directly,” the analysts pointed out.
Who engaged in zero-day exploitation in 2023?
Commercial surveillance (aka “spyware”) vendors and APT groups involved in cyber espionage are the most prolific users of zero-day exploits.
“The People’s Republic of China (PRC) continues to lead the way for government-backed exploitation. PRC cyber espionage groups exploited 12 zero-day vulnerabilities in 2023, up from seven in 2022, more than we were able to attribute to any other state and continuing a trend we’ve observed for multiple years,” the analysts shared.
In 2023, financially motivated groups leveraged only 10 zero-days, with FIN11 (aka Lace Tempest) being the most prolific since its pivot to deploying Cl0p ransomware after exploiting zero-days in popular enterprise file sharing solutions.