75 Zero-Days Exploited in the Wild in 2024, Spyware Remains Common

May 2, 2025



Each year the Google Threat Intelligence Group (GTIG) publishes a study of documented zero-days in the prior year, and some trendlines that began in the 2020s continue to develop.

2024 saw 75 zero-days exploited in the wild, continuing a pattern in which individual years this decade sometimes spike or drop, but overall numbers remain much higher than in 2020 and before. Spyware is also the main motivator of exploitation, present in a good deal of these cases; this comes down to a mix of the “usual suspect” aggressive APT actors and the sale of commercial spyware to other, usually more friendly governments.

State-sponsored groups continue to drive spyware deployment

When it comes to zero-days and spyware, China and North Korea’s hacking teams head up the leaderboard with five 2024 incidents each. Russia had three, and South Korea one; another three were likely the work of APT groups but a specific nation was not pinned down.

The next-biggest player in this market is the loose collection of commercial spyware vendors, the most prominent of which claim to only sell their tools to legitimate democratic governments for legitimate law enforcement purposes. Eight incidents involved zero-days linked to a commercial surveillance vendor (CSV) of some sort. In total 34 of the 75 incidents involved spyware, with the remaining instances involving either a private financially-motivated group or a group that has not been clearly identified or had its motivations clearly established.

Another continuing trend in zero-days is that most are found in the products of big tech firms: 26 for Microsoft, 11 for Google and five for Apple in 2024. However, there is one noteworthy new development in this area: the smaller firm Ivanti was actually third on this list of companies, with seven zero-days on the year.

Google research projects that exploitation of zero-days will rise

The total of exploited zero-days is down from 98 in 2023, which reflects some year-to-year changes since the decade began. But even at the lowest points, zero-days have been sharply up since the pre-2020 years, when they topped out at about 20 per year. The more recent peaks and valleys are likely explained by ongoing cat-and-mouse developments between the attackers and the defenders; for example, the current report notes that vendors made a concerted effort to improve their defenses.

For organizations, the key theme of this year’s report is the increasing focus by attackers on unprotected enterprise technologies. These incidents are now up to 44% of those documented, with attackers most commonly keying in on security and networking vulnerabilities. The researchers point out that while the likes of Google, Microsoft and Apple can handle being heavily targeted for zero-days and spyware, it can be a catastrophe for firms closer to the size of Ivanti. And this comes as the researchers foresee a general increase in exploitations in the wild in the coming years.