Annual studies from both Google and Mandiant that track zero-day vulnerabilities each found that the number recorded more than doubled from 2020 to 2021. While that might be unsurprising given the general surge in cyber crime since the beginning of the pandemic, both companies see reason to believe that better detection and documentation are actually revealing the normal scope of these attacks for the first time.
More “normal” count of zero-day vulnerabilities as industry-wide detection improves
Google’s findings, published as part of its annual “Project Zero” study that dates back to 2014, had the number of zero-day vulnerabilities rising from 25 in 2020 to 58 in 2021. Mandiant’s own report saw an even larger increase, from 30 to 80. In both cases, this broke all-time records since the studies began.
Collectively, the three companies that almost totally dominate the operating system space, Google, Microsoft and Apple, accounted for over 75% of the zero-day vulnerabilities found in software. Google had seven in Android, Apple saw 13 between iOS and Safari WebKit (with one additional in iMessage), and Microsoft had 19 between Windows, Microsoft Exchange Server and Internet Explorer.
Zero-day vulnerabilities are most prized by nation-state threat groups, which are known to pay top dollar to brokers and to sit on many of them for months until they can be used at an opportune moment. Mandiant finds that they are the leading users of zero-days, with China by far the quickest to deploy them (10 incidents in 2021, followed by one recorded incident each from Russian and North Korean APT groups). This count does not appear to include the widespread use of the Pegasus spyware, however, which continues to be uncovered.
Project Zero saw a direct link between this seemingly sudden rise in zero-day vulnerabilities and strong industry efforts to scan for and detect them, and to share information once they are detected. The Google researchers said that 2021 was an unprecedented year for public information about zero-days, and this, paired with the “unremarkable” nature of the vast majority of those discovered, indicates that researchers are only now starting to get a full picture of what can be expected in this threat area in a “normal” year.
Publishers, vendors called on to do more
Across the technology industry, the parties involved have been doing a lot more to combat zero-day vulnerabilities. Vendors are doing more internal scanning and detection, organizations across the board are issuing more reports about zero-day incidents, and more detailed information about zero-days is making its way into security advisories. Mandiant sees much of this driven by the increased adoption of cloud and IoT services during the pandemic period.
The Project Zero researchers applauded the significant improvement, but feel that there is still much more work to be done. Their report specifically called for a renewed focus on memory corruption vulnerabilities, more routine disclosure of zero-day exploitation in vendor security bulletins, and broader industry sharing of information about exploits that have occurred.