Why more zero-day vulnerabilities are being found in the wild

The number of zero-days exploited in the wild has been high over the past year and a half, with different kinds of actors using them. These vulnerabilities, which are unknown to the software maker, are leveraged by both state-sponsored groups and ransomware gangs.

During the first half of this year, Google Project Zero counted almost 20 zero-days, most of which target products built by Microsoft, Apple and Google, with browsers and operating systems taking up large chunks. 

In addition, a critical remote code execution vulnerability was found in Atlassian's Confluence Server, which continues to be exploited. But in 2021, the number of in-the-wild zero-days was even higher. Project Zero found 58 vulnerabilities, while Mandiant detected 80 - -more than double compared to 2020.

"Every zero-day we identify increases our understanding of what is possible and better enables us to find similar vulnerabilities in the same or other pieces of technology," says James Sadowski, principal analyst at Mandiant. "The more we see, the more we can detect."

Nation-state groups continue to lead the exploits game, but cyber criminals are catching up. About one in three actors using zero-days last year was financially motivated, according to Mandiant.

The rise in zero-day exploits and the various types of actors using them can be a cause of concern for organisations regardless of their size. On the flip side, it can also provide valuable learning opportunities for the security industry.

Most zero-days follow old patterns

Although the number of zero-days is at record levels, in reality it could be even bigger. "Since attackers don't share all their zero-days with us, the best number we can track is the zero-days detected and disclosed as in-the-wild, rather than the number that are used," Maddie Stone, security researcher at Google Project Zero, says.

In the first half of 2022, the most targeted products were Windows, iOS/macOS, Chrome and Firefox, according to the public spreadsheet maintained by Project Zero. 

Last year, of the 58 in-the-wild zero-days the group discovered, 14 targeted the Chrome browser: ten were renderer remote code execution bugs, two were sandbox escapes, one was an info leak, and another was used to open a webpage in Android apps. 

Others exploited flaws in Internet Explorer, Windows, iOS, Android and Microsoft Exchange Server. According to Project Zero, last year, there were no known in-the-wild zero-days that targeted the cloud.

"Threat actors [will] likely continue to focus on zero-day exploitation in on-premises environments because they are more familiar, and for now, still widely used," Sadowski says. "Alternatively, the growth in zero-day exploitation of technologies like VPNs may provide threat actors a successful path into corporate networks without exploiting cloud providers directly."

Most zero-days followed the same bug patterns seen in previous years. Security researchers say that malicious actors will continue to use old techniques as long as they remain effective. 

For example, two-thirds of the zero-days found by Project Zero were memory corruption vulnerabilities, with the majority of these falling into popular bug classes such as use-after-free, out-of-bounds read/write, buffer overflow, and integer overflow.

While malware authors may prefer to use the same patterns, it's also possible that the security community is simply "not as frequently detecting more novel techniques," as Sadowski puts it. Stone agrees. "Detecting zero-days is extremely hard because you have to detect something when you don't know what it is or what it looks like."

Why we've seen more zero-day exploits

Security researchers have multiple theories on why they've caught so many zero-days in the past year and a half. Most likely, though, it's a combination of factors. 

"Growing financially motivated zero-day exploitation, a resurgence of espionage zero-day exploitation, and the expansion of third-party exploit brokers were observed at an intensity in 2021 we had never detected previously," Sadowski says.

Software has also grown in scope and complexity. "The attack surface is larger than it has ever been, so it's a fertile ground for finding and abusing vulnerabilities," says Dustin Childs, communications manager for Trend Micro's Zero Day Initiative, the largest vendor-agnostic bug bounty program. Lagging detections in 2020 due to the effects of the pandemic may have also contributed to the spike observed in 2021.

There's more to that. Researchers attributed part of the growth to an improvement in detection and disclosure. "2021 was the first full year that Apple and Android publicly disclosed what vulnerabilities were known to be in-the-wild, which contributed to at least 12 total vulnerabilities that the industry wouldn't have known about otherwise," Stone says. 

She recommends all vendors notify the security community when they patch a vulnerability that has been exploited. Had Apple and Android not done that, many zero-days--reported anonymously--would have been unknown to the world because there were no researchers to talk about them.

State-sponsored groups take the lead

Most zero-day exploits are used by nation-state actors, with Chinese groups being the most active. "From 2012 to 2021, China exploited more zero-days than any other nation," according to Mandiant. Last year, the security company found at least eight zero-days linked to China, as opposed to two exploited by Russia and one by North Korea.

Multiple Chinese espionage activity clusters leveraged four Exchange Server vulnerabilities known as ProxyLogon. Microsoft linked these vulnerabilities to the Hafnium group "with high confidence" based on tactics and procedures.

"While some of the threat clusters involved appeared to carefully select targets, other clusters compromised tens of thousands of servers in virtually every vertical and region," Mandiant's report reads. "Chinese cyber espionage operations in 2020 and 2021 suggest that Beijing is no longer deterred by formal government statements and indictments from victimised countries."

As for Russia-sponsored groups, Mandiant saw fewer zero-days compared to previous years. APT28 (a.k.a. Fancy Bear, Sofacy or Strontium), for instance, was only seen leveraging a zero-day in Microsoft Excel toward the end of 2021. 

However, other Russian state-sponsored actors exploited several zero-days in 2020 and 2021, with Energetic Bear (Dragonfly 2.0, Berserk, TEMP.Isotope) possibly targeting critical infrastructure networks with a zero-day in a Sophos firewall product.

Ransomware groups are sources of zero-days

Although zero-days tend to be the territory of state-sponsored groups, researchers noticed that cyber criminals are getting better at using such tools. Mandiant saw a significant increase in both the volume and sophistication of exploits used by ransomware groups.

There are several reasons for that. First, gangs are becoming more prosperous, which means that they can afford to recruit highly skilled individuals or pay for expensive services. Second, the professional networks in the ransomware world have expanded.

Among the multiple ransomware groups that used zero-days is UNC2447 SombRAT, which exploited a bug in SonicWall. It was a critical SQL injection vulnerability that would allow attackers to gain access to usernames, passwords and session information they could use to log into an unpatched SMA 100 series device.

In addition to zero-days, criminal gangs also leverage vulnerabilities that have been recently discovered but don't have a patch yet. Sometimes, a researcher who has found a vulnerability releases a proof of concept (PoC) out of frustration or to put pressure on the vendor, which creates a window of time for attackers.

Such things may continue to happen in the future because cyber criminal gangs pay attention to everything happening in the security world. "Malicious actors likely learn from public disclosures and analysis of previous zero-days and may use that research to drive their own vulnerability analysis and exploitation," Sadowski says.

Zero-days are becoming more expensive

It's not just the volume of zero-days that has increased in the past year and a half. The price offered to those who find such bugs has also gone up on the gray and black markets. 

At the moment, acquisition platform Zerodium, which sells exploits to governments, pays up to $2 million for persistent iOS jailbreaks that could be performed remotely, without any interaction from the user, and $2.5 million for the same type of exploit working on Android. 

"Zero-click exploits are in higher demand than one-click exploits because zero-click means that it doesn't require user interaction to work," says Stone.

Other zero-days are less expensive. For example, flaws in WhatsApp and iMessage are rewarded with up to $1,5 million, and those in Facebook Messenger, Signal and Telegram can bring a researcher willing to sell them on the gray market up to $500,000. 

Meanwhile, Chrome vulnerabilities are priced at up to $500,000, while Safari, Edge and Firefox bugs go as high as $100,000.

The Zero Day Initiative does offer this much, but it operates on the white market, being an intermediary between white-hat hackers and the companies they can exploit. Childs says many things are taken into account when setting up a price, such as "demand, efficacy and stability." 

For instance, if the attack vector does not require authentication or user interaction, that exploit will cost more. "Stability also plays a big factor," he says. "Is the exploit 100% reliable, or does it sometimes fail?"

The number of users a particular piece of software has also plays a role, according to Childs--the bigger the pool of potential victims, the more generous the fee. "The exploit marketplace behaves like any other marketplace. There are always different factors driving costs up and down," Childs says.

Improving protection against zero-days

With state-sponsored hackers and cyber criminals leveraging zero-days at a high rate, organisations have plenty of reasons to improve protection. Although these bugs are placed in the realm of the unknown, security teams can still reduce the risk of being compromised.

A key component of protection is patching, which should be done quickly, particularly in the case of public and widely used assets. If not, the organisation can be exposed. 

One example:  Atlassian has released a security patch that addresses the critical Confluence Server bug, but not every organisation was able to install the fix quickly enough. 

Sophos observed multiple groups that leveraged this vulnerability to drop the Cerber ransomware, Mirai bot variants, or the z0miner cryptominer. It helps if organisations have an up-to-date list of all their software and hardware assets, with the date of purchase and the expected end-of-life date included.

Security researchers also recommend that organisations properly configure their networks to make it harder for attackers to jump from one place to another. Security experts should also look for any suspicious behavior and ensure that their staff and their partners are practicing good security.

Software vendors can help, too. It's essential they get security patches right, says Childs, because once a patch is issued, malicious actors will try to reverse engineer it to find the exact vulnerability it tried to fix. 

"Bugs are hard to find – until a vendor releases a patch and tells you where they are," Childs says. "N-day exploits, exploits that have been known for n-number of days, have always been more popular for threat actors over zero-days."

Project Zero's Stone suggested some organisations might slightly change how they work. "It's industry standard to patch vulnerabilities, but it's not as common to mitigate each exploit technique," she says. "Doing this could force attackers to develop novel exploit techniques each time they want to develop a zero-day."