
Google Exploits 41 Zero-Day Vulnerabilities in 2022


According to a recent study conducted by Google, 2022 saw a significant increase in the number of actively exploited zero-day vulnerabilities. In fact, with a total of 41 disclosed zero-day bugs, it was the second-highest recorded year since 2014. While this represents a decrease from the 69 zero-day vulnerabilities disclosed in 2021, the report highlights an alarming trend of attackers leveraging variants of previously reported vulnerabilities.

The study found that in 2020, 25% of actively exploited zero-days were connected to previously disclosed vulnerabilities. This number increased to over 40% in 2022, with 17 out of the 41 zero-day vulnerabilities being identified as variants of previously reported flaws. More than 20% of these flaws were variants of zero-days from 2021 and 2020.

Google’s security researcher, Maddie Stone, emphasized that two key factors contributed to the higher number of in-the-wild zero-days in 2022: vendor transparency and variants. While the continued efforts of vendors to improve detection and transparency are commendable, the significant percentage of variants being used in the wild as zero-days is concerning.

Insufficient vendor patching appears to be part of the problem. Stone explains that vulnerabilities are often fixed in a limited way, allowing for the emergence of variants. According to Google’s blog post, the company considers a patch complete only when it no longer allows any exploitation of the vulnerability. However, many vendors only block the specific path shown in the proof-of-concept or exploit sample, rather than addressing the vulnerability as a whole. Similarly, security researchers often fail to follow up on how the patch works and explore related attacks.

One example of this occurred in December of the previous year when CrowdStrike discovered that Play ransomware actors had bypassed previous Microsoft ProxyNotShell mitigation to gain Exchange server access. By eliminating the need to use the Autodiscover endpoint, the attackers were able to leverage a zero-day vulnerability and achieve remote code execution.

CVE-2022-41082 was one of the 17 zero-day vulnerabilities listed in Google’s blog that turned into variants. Another notable variant was CVE-2022-30190, a Microsoft Windows zero-day vulnerability known as “Follina,” which received criticism from Tenable regarding disclosure transparency.

While the prevalence of variants is a cause for concern, Stone also highlights the potential positive aspect of variant research. Eliminating the attack vector could help reduce the overall threat landscape. If more vulnerabilities are patched correctly and comprehensively, it becomes harder for attackers to exploit zero-days.
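The difference between blocking the proof-of-concept and fixing the root cause, as an added illustration that is not code from Google's report or from any vendor named here. It assumes a simple path-resolution bug (not one of the CVEs discussed), a hypothetical document root `BASE`, and constructed sample inputs.

```python
import posixpath
from urllib.parse import unquote

BASE = "/srv/app/public"  # hypothetical document root (assumption)

def _resolve(requested: str) -> str:
    """Shared core logic: percent-decode, join to BASE, normalise."""
    return posixpath.normpath(posixpath.join(BASE, unquote(requested)))

def narrow_patch(requested: str) -> str:
    """Rejects only the literal pattern seen in the reported PoC."""
    if "../" in requested:
        raise ValueError("blocked: matches PoC pattern")
    return _resolve(requested)

def root_cause_fix(requested: str) -> str:
    """Enforces the invariant itself: the result must stay under BASE."""
    candidate = _resolve(requested)
    if posixpath.commonpath([BASE, candidate]) != BASE:
        raise ValueError("blocked: resolves outside document root")
    return candidate

# Constructed inputs: the original PoC plus variants that reach the same bug.
POC = "../private/report.txt"
VARIANTS = [
    "..%2Fprivate/report.txt",      # separator is percent-encoded
    "/srv/app/private/report.txt",  # absolute path discards BASE in join()
    "..",                           # parent directory with no trailing slash
]

def escapes(fix, requested: str) -> bool:
    """True if the fix returns a path outside BASE for this input."""
    try:
        result = fix(requested)
    except ValueError:
        return False
    return posixpath.commonpath([BASE, result]) != BASE

def surviving_variants(fix):
    """Inputs (PoC included) that still escape BASE after the fix."""
    return [r for r in [POC, *VARIANTS] if escapes(fix, r)]

if __name__ == "__main__":
    print("narrow patch still allows:", surviving_variants(narrow_patch))
    print("root-cause fix still allows:", surviving_variants(root_cause_fix))
```

Running the variant list against every fix as a regression test is the follow-up step the report asks of vendors and researchers; a production check would also resolve symbolic links before comparing paths.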

The Google blog post also touched on other findings related to zero-days. For Android users, the study revealed that known vulnerabilities, or “n-days,” essentially equated to zero-days due to a lack of timely patching. Attackers target known flaws on devices that have not yet received the fix.

On the other hand, there was some good news regarding browser security. New browser mitigations contributed to a decrease in zero-day vulnerabilities affecting browsers. Additionally, many attackers have shifted towards zero-click exploits that target components other than the browser.

The study also highlighted an increase in vulnerability sharing in 2022. There were more frequent reports of separate attackers using the same vulnerabilities, and bugs reported by security researchers were later discovered to be exploited by attackers.

While the figures presented in the year-in-review report do not necessarily indicate an increase or decrease in the overall security landscape, they serve as valuable data for analyzing contributing factors, addressing challenges, and determining what led to successes. According to Stone, the industry’s response to reported vulnerabilities is an area that requires attention, with recommendations including timely fixes and mitigations, detailed root cause analyses, sharing technical details, and capitalizing on reported vulnerabilities to enhance understanding.

A separate report released by Mandiant analysts in March 2023 aligns with Google’s findings, showcasing similar trends in zero-day exploitation. Mandiant tracked a higher total of 55 zero-day vulnerabilities exploited in 2022, which represents nearly double the number from 2020. It’s worth noting that Mandiant is now part of Google Cloud, with the acquisition completed in September 2022.

In conclusion, the increase in actively exploited zero-day vulnerabilities in 2022 is a cause for concern. While the number of disclosed zero-days decreased compared to the previous year, the rise in variants of previously reported vulnerabilities is alarming. Insufficient vendor patching and limited fixes contribute to the emergence of these variants. However, efforts to improve vendor transparency and comprehensive patching can help make it harder for attackers to exploit zero-days. Timely fixes, detailed analyses, and information sharing are key to addressing these vulnerabilities and enhancing overall security.
