Zero-day vulnerabilities in 2022 will be fewer

by admin

According to research by Mandiant, the number of zero-day vulnerabilities declined during 2022, but zero-day exploitation evolved and expanded compared to the previous year. The new research offers a comprehensive overview and analysis of the zero-days identified throughout 2022. Mandiant identified 55 zero-day vulnerabilities exploited in 2022, down from 2021, a record year that saw 81 zero-days identified.

An ever-changing landscape

While the figure is down from 2021, Mandiant researchers point out that it’s still a 200% increase from 2020 (and still higher than all previous years). They also predict that zero-day exploitation will continue to increase in the long run. In 2021 Mandiant had foreseen that zero-day vulnerabilities would continue to be exploited at a significantly higher rate than in the years 2010 to 2019. And the 55 zero-days identified during 2022 confirm this trend.

The reason for the decrease

Several factors may have contributed to the decrease in the number of zero-days in 2020 and the subsequent quadrupling in 2021. The disruptions due to the pandemic in 2020 had several effects. These include a slowdown in the vulnerability reporting and disclosure mechanisms of several software vendors. At the same time, they reduced defenders’ ability to detect the exploitation of vulnerabilities. This may have encouraged attackers to save new exploits for other occasions. Additionally, Apple and Android disclosures in 2021 included more information about the exploitation of vulnerabilities.

Zero-day vulnerability

Mandiant expects the long-term trend for zero-day exploitation to continue to increase, with some fluctuations from year to year. Attackers are looking for stealth and ease of exploitation, both characteristics that zero-days can provide. Although the discovery of zero-day vulnerabilities requires a lot of resources and successful exploitation is not guaranteed, the total number of disclosed and exploited vulnerabilities has continued to grow. Furthermore, the types of software targeted, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has significantly expanded.


The main insights of the research

  • 55 zero-day vulnerabilities exploited in 2022.
  • Of these, 13 zero-days were exploited by cyber-espionage groups. Chinese cyber-espionage groups exploited more zero-days than other groups during 2022, a figure in line with previous years. More than half of these zero-days (7 out of 13) are linked to known cyber-espionage groups and have been attributed to China.
  • 2 zero-day vulnerabilities were exploited by alleged North Korean groups.
  • 2 zero-day vulnerabilities were exploited by Russian state-sponsored actors.
  • 4 zero-day vulnerabilities were exploited by financially motivated attackers.
  • 3 of these 4 appear to be related to ransomware operations.
  • 10 zero-day vulnerabilities, nearly 20% of all zero-days identified by Mandiant in 2022, affected security, IT and network management products.

Illegal access

Attackers, especially those seeking to remain undetected, prefer to target security, network and IT management or “edge infrastructure” products. That is because these products are connected to the internet and often don’t host E/XDR or detection solutions, which reduces the likelihood that defenders will identify unauthorized access.

Zero-day vulnerabilities, fewer but more advanced

Mandiant predicts that attackers will continue to discover and exploit zero-days, as these vulnerabilities offer tactical advantages due to their successful exploitation rates, in addition to going undetected. Mandiant, however, says a broader migration to cloud products could alter anticipated trends due to different approaches to patching and vulnerability disclosure. Cloud vendors can create patches and distribute them on behalf of customers. This significantly reduces patch times and therefore the risks of exploitation following the disclosure of vulnerabilities. However, many cloud vendors have historically chosen not to publicly disclose vulnerabilities in cloud products in the same way as for other types of products. This may affect the count of zero-day disclosures.


How to reduce the risks

As the vendors and products targeted by zero-days continue to diversify, companies must prioritize patches based on their specific circumstances, setting priorities that sufficiently reduce the risk. In addition to risk classifications, Mandiant suggests organizations analyze:

  • What types of attackers are targeting their specific geographic area or industry.
  • The malware and the tactics, techniques and procedures used by the attackers.
  • The products in use by an organization that provide the largest attack surface.

Fewer zero-day vulnerabilities in 2022

Given that Microsoft, Google and Apple continue to be the most impacted vendors and that their presence is widespread, the correct configuration of these products is essential, as is the adoption of best practices such as network segmentation and access privilege restriction. However, alongside the exploitation of vulnerabilities involving these three software vendors, security teams still need to assess the risks posed by other software vendors and remain vigilant across the entire attack surface.
