Google’s Threat Analysis Group (TAG) and Mandiant teams observed 97 zero-day vulnerabilities exploited in the wild last year, a staggering 56% increase over 2022’s 62 zero-day exploits, but shy of 2021’s all-time high of 106.
In Google’s fifth annual review of zero-days exploited in the wild, researchers split the vulnerabilities into two main categories: end-user platforms and products such as mobile devices, operating systems, browsers and other applications; and enterprise-focused technologies such as security software and appliances.
Based on the findings, Google saw progress in defending against zero-day vulnerabilities, flaws that attackers exploit, often by deploying malware, before the developer has had an opportunity to create a patch.
“End-user platform vendors, such as Apple, Google, and Microsoft, have made notable investments that are having a clear impact on the types and number of zero-days actors are able to exploit,” Google researchers wrote in a blog post. “Vulnerabilities that were commonplace in years past are virtually non-existent today.”
Despite the progress, researchers also noticed a wider variety of vendors and products were targeted on the enterprise side and there is an increase in enterprise-specific technologies being exploited.
The report also found that zero-day exploits associated with financially motivated actors decreased proportionally. Of the 58 zero-days Google was able to attribute to a threat actor motivation, only 10 were attributed to financial motivation, and the remaining 48 were attributed to espionage actors.
“It’s clear that the pace of zero-day discovery and exploitation will likely remain elevated when compared to pre-2021 numbers,” they wrote in the report.
Increased zero days targeting enterprises fueled by security tool exploits
Google researchers observed 36 zero-day vulnerabilities targeting enterprise-specific technologies, a 64% year-over-year spike, and a general increase in the number of enterprise vendors targeted since at least 2019.
In 2019, only 11.8% of observed zero-day vulnerabilities affected enterprise technologies, but that share jumped to 37.1% in 2023.
“This emphasizes multiple recent trends Mandiant has identified, with increasing diversity in the types of products that are being exploited and a decreased reliance on browser-based and document-based exploits to be successful,” the report states.
This increase in enterprise targeting was driven mainly by the exploitation of security software and appliances, including Barracuda Email Security Gateway, Cisco Adaptive Security Appliance, Ivanti Endpoint Manager Mobile and Sentry, Trend Micro Apex One and more, Google noted.
The teams found nine zero-day vulnerabilities affecting security software or devices last year. “Security software is a valuable target for attackers because it often runs on the edge of a network with high permissions and access. By successfully exploiting such technologies, attackers can gain an initial foothold into a targeted organization for follow-on activity,” they wrote.
Recommendations for zero-day resiliency
Google’s zero-day report offers six recommendations for organizations to address zero-day threats and improve their security posture:
- Embrace transparency and disclosure by sharing lessons, vulnerability data and patches publicly as quickly as possible.
- Prioritize defensive efforts based on the risks that are most likely to cause damage.
- Build strong security fundamentals to neutralize basic attacks and force adversaries to use zero-days.
- Software and product vendors should bake responses to in-the-wild zero-day discoveries targeting their products into the design phase.
- For high-risk users, leverage technologies like Lockdown mode.
- For Google Chrome high-risk users, it’s recommended to enable “HTTPS-First Mode” and disable the V8 optimizer.
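The last two Chrome recommendations can be enforced centrally rather than relying on each high-risk user to change browser settings. The following managed-policy file is an added illustration, not part of Google’s report: it assumes a Linux host, where Chrome reads policy files from /etc/opt/chrome/policies/managed/, and it assumes that the policy keys HttpsOnlyMode (value "force_enabled") and DefaultJavaScriptJitSetting (value 2, which blocks JavaScript JIT compilation) are the current names in Chrome’s enterprise policy list; check both against the policy documentation for the Chrome version in use before deploying.

```json
{
  "HttpsOnlyMode": "force_enabled",
  "DefaultJavaScriptJitSetting": 2
}
```

Note that blocking the JIT via policy is a broader restriction than the user-facing “V8 optimizer” toggle, since it also removes the baseline JIT tiers, so expect some slowdown on script-heavy sites. After deploying the file, the effective values can be confirmed on an enrolled machine at chrome://policy.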