21 March 2023

China-linked hackers weaponized most of zero-days in 2022


State-sponsored hacking groups and cybercriminals continue to weaponize zero-day exploits in their cyber operations, with China-linked threat actors accounting for most of the zero-day vulnerabilities exploited in 2022.

According to a new report from Mandiant, 55 zero-days were actively exploited last year, most targeting Microsoft, Google, and Apple software.

“Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost triple the number from 2020,” Mandiant notes.

A majority of the zero-day flaws affected operating systems (19), web browsers (11), network management products (10), and mobile operating systems (6).

Of the 55 zero-day vulnerabilities, 13 are estimated to have been abused by cyber espionage groups, and four were exploited by financially motivated threat actors in ransomware operations. Commercial spyware vendors were linked to the exploitation of three zero-days.

Chinese state-sponsored groups continue to lead exploitation of zero-day vulnerabilities with seven zero-days exploited during 2022 (CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328).

“Compared to the watershed year in 2021 in which Chinese state-sponsored threat groups exploited at least eight separate zero-days, Chinese exploitation slightly decreased in 2022. Three campaigns in 2022 were particularly notable due to the involvement of multiple groups, expansive targeting, and focus on enterprise networking and security devices: multiple groups exploiting CVE-2022-30190 (aka Follina) in early 2022, and the 2022 exploitation of FortiOS vulnerabilities CVE-2022-42475 and CVE-2022-41328,” the report notes.

On the other hand, North Korean and Russian state-sponsored hackers have been linked to the exploitation of two zero-days each, namely CVE-2022-0609, CVE-2022-41128, CVE-2022-30190, and CVE-2023-23397.

The researchers identified four instances of zero-day exploitation by financially motivated groups, mostly in ransomware-related operations. In one instance, a threat actor exploited a remote code execution (RCE) flaw in Mitel's MiVoice Connect VoIP appliance (CVE-2022-29499) to deploy the Lorenz ransomware, and in another case the Magniber ransomware group exploited the Mark-of-the-Web (MoTW) bypass vulnerability (CVE-2022-41091) in Microsoft Windows 11.

UNC2633, a distribution threat cluster, was observed exploiting the Follina vulnerability in at least three instances in early June 2022 before the patch was released. In at least two of those instances, UNC2633 used the flaw to distribute the QakBot (aka QBot and Pinkslipbot) information-stealing malware.

“We expect that threat actors will continue to pursue the discovery and exploitation of zero-days, as these vulnerabilities provide significant tactical advantages in ease and success rates of exploitation, as well as stealth,” Mandiant says. “However, we anticipate that wider migration to cloud products could alter the expected trends due to differing patching and disclosure approaches. Cloud vendors can create patches and deploy them on behalf of customers, which greatly reduces patch times and therefore decreases risks of post-disclosure exploitation. However, many cloud vendors have historically chosen not to publicly disclose vulnerabilities in cloud products as reliably as other product types. This could affect zero-day disclosure counts as known to the public.”
