Zero-Day Exploits Still a Major Threat: Google Spots 75 in the Wild This Year
Google's security researchers have uncovered 75 zero-day vulnerabilities actively exploited by attackers so far in 2024. While this represents a decrease from the 98 zero-days observed in 2023, the ongoing threat posed by these previously unknown flaws remains significant.

Good news, everyone! Google's been keeping a close eye on zero-day exploits, and their latest report shows a slight dip. They spotted 75 zero-day vulnerabilities being actively exploited in the wild during 2024. That's down from 98 in 2023, so progress is being made!
But here's the catch: a whopping 44% of those zero-days were aimed at enterprise products. And get this – 20 of those sneaky flaws were found lurking in security software and appliances themselves. Ouch.
According to the Google Threat Intelligence Group (GTIG), the decrease in browser and mobile device exploits is a welcome trend. "Zero-day exploitation of browsers and mobile devices fell drastically," they said in their report. Browser exploits decreased by about a third, and mobile device exploits by about half, compared to last year.
However, they also noted something interesting: "Exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively (~90%) used to target mobile devices." So, when attackers go after phones, they often bring a whole arsenal of exploits.
Which Software Was Targeted?
Microsoft Windows took the biggest hit, with 22 zero-day flaws exploited. Apple's Safari had three, iOS had two, Android had seven, Chrome also had seven, and Mozilla Firefox had one. Three of the Android vulnerabilities were hiding in third-party components, highlighting the risks of relying on external code.
As for enterprise software and appliances, a scary 20 out of 33 exploited zero-days were found in security and network products from vendors like Ivanti, Palo Alto Networks, and Cisco.
Why Security Products?
GTIG researchers explained why these are prime targets: "Security and network tools and devices are designed to connect widespread systems and devices with high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks." Makes sense, right? If you can compromise the security tools, you can get access to pretty much everything.
In total, 18 different enterprise vendors were targeted in 2024, compared to 12 in 2021, 17 in 2022, and 22 in 2023. The most heavily targeted companies were Microsoft (26), Google (11), Ivanti (7), and Apple (5).
Who's Behind These Attacks?
Google has attributed the exploitation of 34 of the 75 flaws to six main groups:
- State-sponsored espionage (10), particularly from China (5), Russia (1), and South Korea (1) (e.g., CVE-2023-46805, CVE-2024-21887)
- Commercial surveillance vendors (8) (e.g., CVE-2024-53104, CVE-2024-32896, CVE-2024-29745, CVE-2024-29748)
- Non-state financially motivated groups (5) (e.g., CVE-2024-55956)
- State-sponsored espionage and financially motivated groups (5), all from North Korea (e.g., CVE-2024-21338, CVE-2024-38178)
- Non-state financially motivated groups also conducting espionage (2), all from Russia (e.g., CVE-2024-9680, CVE-2024-49039)
Specific Examples of Zero-Day Exploits
Google highlighted a case from November 2024 where a malicious JavaScript injection was found on the website of the Diplomatic Academy of Ukraine (online.da.mfa.gov[.]ua). This injection triggered an exploit for CVE-2024-44308, leading to arbitrary code execution. Nasty!
This was then combined with CVE-2024-44309, a cookie management vulnerability in WebKit, to launch a cross-site scripting (XSS) attack and steal user cookies, allowing unauthorized access to login.microsoftonline[.]com.
They also discovered an exploit chain targeting Firefox and Tor browsers, using CVE-2024-9680 and CVE-2024-49039 to break out of the Firefox sandbox and execute malicious code. This paved the way for the deployment of RomCom RAT, a remote access trojan.
This RomCom activity, previously reported by ESET, is linked to a group called RomCom (also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu). Google is tracking them under the name CIGAR.
These same flaws were also used by another hacking group, likely motivated by financial gain, who compromised a legitimate cryptocurrency news website and used it as a watering hole to redirect visitors to a domain hosting the exploit chain.
The Bottom Line
"Zero-day exploitation continues to grow at a slow but steady pace," said Casey Charrier, Senior Analyst at GTIG. "However, we've also started seeing vendors' work to mitigate zero-day exploitation start to pay off."
He pointed out that fewer zero-days are targeting historically popular products, likely due to increased security investments by large vendors.
However, the shift towards targeting enterprise products means a wider range of vendors need to ramp up their proactive security measures. "The future of zero-day exploitation will ultimately be dictated by vendors' decisions and ability to counter threat actors' objectives and pursuits." So, the ball's in their court.