Previously unknown “zero-day” software vulnerabilities are mysterious and intriguing as a concept. But they’re even more noteworthy when hackers are spotted actively exploiting the novel software flaws in the wild before anyone else knows about them. As researchers have expanded their focus to detect and study more of this exploitation, they’re seeing it more often. Two reports this week from the threat intelligence firm Mandiant and Google’s bug hunting team, Project Zero, aim to give insight into the question of exactly how much zero-day exploitation has grown in recent years.
Mandiant and Project Zero each have a different scope for the types of zero-days they track. Project Zero, for example, doesn’t currently focus on analyzing flaws in Internet-of-things devices that are exploited in the wild. As a result, the absolute numbers in the two reports aren’t directly comparable, but both teams tracked a record high number of exploited zero-days in 2021. Mandiant tracked 80 last year compared to 30 in 2020, and Project Zero tracked 58 in 2021 compared to 25 the year before. The key question for both teams, though, is how to contextualize their findings, given that no one can see the full scale of this clandestine activity.
“We started seeing a spike early in 2021, and a lot of the questions I was getting all through the year were, ‘What the heck is going on?!’” says Maddie Stone, a security researcher at Project Zero. “My first reaction was, ‘Oh my goodness, there’s so much.’ But when I took a step back and looked at it in the context of previous years, to see such a big jump, that growth actually more likely is due to increased detection, transparency, and public knowledge about zero-days.”
Before a software vulnerability is publicly disclosed, it’s called a “zero-day,” because there have been zero days in which the software maker could have developed and released a patch and zero days for defenders to start monitoring the vulnerability. In turn, the hacking tools that attackers use to take advantage of such vulnerabilities are known as zero-day exploits. Once a bug is publicly known, a fix may not be released immediately (or ever), but attackers are on notice that their activity could be detected or the hole could be plugged at any time. As a result, zero-days are highly coveted, and they are big business for both criminals and, particularly, government-backed hackers who want to conduct both mass campaigns and tailored, individual targeting.
Zero-day vulnerabilities and exploits are typically thought of as uncommon and rarefied hacking tools, but governments have been repeatedly shown to stockpile zero-days, and increased detection has revealed just how often attackers deploy them. Over the past three years, tech giants like Microsoft, Google, and Apple have started to normalize the practice of noting when they’re disclosing and fixing a vulnerability that was exploited before the patch release.
While awareness and detection efforts have increased, James Sadowski, a researcher at Mandiant, emphasizes that he does see evidence of a shift in the landscape.
“There are definitely more zero-days being used than ever before,” he says. “The overall count last year for 2021 shot up, and there are probably a couple of factors that contributed, including the industry’s ability to detect this. But there’s also been a proliferation of these capabilities since 2012,” the year that Mandiant’s report looks back to. “There’s been a significant expansion in volume as well as the variety of groups exploiting zero-days,” he says.
If zero-days were once the domain of elite government-backed hacking groups, they have been democratized, Sadowski says. Financially motivated digital-crime groups, some of which employ highly skilled hackers, have now been spotted using zero-days as well, at times for both traditional finance scams and other attacks like ransomware. And the rise of so-called “exploit brokers,” an industry that sells information about zero-days and, typically, a corresponding exploit, has enabled anyone with enough money to wield zero-days for their own purposes.
For all types of actors, a lot of bread-and-butter hacking still involves exploiting vulnerabilities that became public long ago but haven’t been patched consistently. Zero-days are still less common. But by tracking which zero-days have already been actively exploited, defenders can prioritize deploying certain patches and mitigations in the endless stream of updates that need to be done.
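The prioritization described above, as an added illustration that is not part of the original article and is not Mandiant's or Project Zero's tooling: a patch queue is ordered so that fixes for flaws already exploited in the wild come before unexploited flaws, even when the latter carry a higher severity score, and flaws with no fix yet are flagged for mitigation instead. The products, hostnames, versions and `VULN-000x` identifiers are constructed placeholders, not real CVEs or real inventory data.

```python
"""Rank pending patches so that vulnerabilities already exploited in the wild
are handled first. Every product, host and advisory below is constructed
for illustration (placeholder identifiers, not real CVEs)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """'7.4.12' -> (7, 4, 12); a trailing '-rc1' style suffix is ignored."""
    core = s.split("-")[0]
    return tuple(int(part) for part in core.split("."))


@dataclass(frozen=True)
class Advisory:
    vuln_id: str                 # placeholder id such as "VULN-0001"
    product: str
    fixed_in: Optional[str]      # None = no fixed version published yet
    cvss: float
    exploited_in_wild: bool      # vendor / KEV-style "exploited" flag


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool


def affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if it runs the product below the fixed version,
    or if no fixed version exists at all (an unpatched zero-day)."""
    if asset.product != adv.product:
        return False
    if adv.fixed_in is None:
        return True
    return parse_version(asset.version) < parse_version(adv.fixed_in)


def priority_key(asset: Asset, adv: Advisory) -> Tuple[bool, bool, float]:
    # Sorted descending: exploited-in-the-wild first, then exposure, then CVSS.
    return (adv.exploited_in_wild, asset.internet_facing, adv.cvss)


def build_plan(assets: List[Asset], advisories: List[Advisory]) -> List[dict]:
    """Return one work item per (asset, advisory) match, highest priority first."""
    pairs = [(a, v) for a in assets for v in advisories if affected(a, v)]
    pairs.sort(key=lambda p: priority_key(*p), reverse=True)
    return [
        {
            "hostname": a.hostname,
            "vuln_id": v.vuln_id,
            "exploited": v.exploited_in_wild,
            "cvss": v.cvss,
            # No fix yet: apply a mitigation (workaround, isolation, monitoring).
            "action": "patch" if v.fixed_in is not None else "mitigate",
        }
        for a, v in pairs
    ]


# Constructed sample inventory and advisory feed.
ASSETS = [
    Asset("web01", "ExampleGateway", "4.2.0", internet_facing=True),
    Asset("db01", "ExampleDB", "12.1", internet_facing=False),
    Asset("wks07", "ExampleBrowser", "98.0", internet_facing=False),
]
ADVISORIES = [
    Advisory("VULN-0001", "ExampleDB", "12.4", 9.8, exploited_in_wild=False),
    Advisory("VULN-0002", "ExampleGateway", "4.2.3", 7.5, exploited_in_wild=True),
    Advisory("VULN-0003", "ExampleBrowser", None, 8.8, exploited_in_wild=True),
    Advisory("VULN-0004", "ExampleGateway", "4.1.0", 9.1, exploited_in_wild=True),  # already fixed on web01
]

if __name__ == "__main__":
    for item in build_plan(ASSETS, ADVISORIES):
        print(item)
```

Note that the highest-CVSS item (`VULN-0001`, 9.8) lands last because nobody has been seen exploiting it, while the 7.5 gateway flaw that is being exploited on an internet-facing host goes first; `VULN-0004` drops out because the installed version already contains the fix.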
Project Zero’s Stone also emphasizes that while it’s difficult to get a full sense of scale and context about exploited zero-days, studying those that have been detected helps shed light on how software developers and cybersecurity practitioners can do a better job securing products in the future. Her research showed, for example, that many of the zero-days that were exploited in the wild in 2021 “weren’t all that special,” as she puts it. This means that when companies patch a vulnerability or write new code, they could be doing a better job hunting for known classes of vulnerabilities and cutting off classic attack routes so there are fewer easy bugs for attackers to find and exploit.
“When we look at all these vulnerabilities, they look a lot like previous vulnerabilities that people have seen before and that are publicly discussed in research,” Stone says. “And that’s not what we want. We want attackers to have to come up with a brand-new vulnerability, all new things from the beginning to the end, rather than being able to look at code patterns or copy and paste. The hope is to continue raising that bar.”
While the security industry scrambles to figure out how to make that happen, attackers keep generating new incidents to analyze throughout 2022.
This story originally appeared on wired.com.