Google's Threat Analysis Group (TAG) and Google subsidiary Mandiant released a report highlighting the proliferation of zero-day vulnerabilities exploited in cyberattacks throughout 2023. The findings show a significant surge in these exploits compared to previous years, with a notable association with spyware vendors and state-backed cyber espionage groups.

According to the report, 97 zero-day vulnerabilities were exploited in-the-wild in 2023, marking an increase of over 50% compared to the previous year (62 vulnerabilities), although this figure falls short of the record set in 2021 (106 flaws).

A substantial portion of these exploits can be attributed to commercial surveillance vendors (CSVs) and state-sponsored actors. CSVs, in particular, were found to be behind 75% of known zero-day exploits (accounting for 13 out of 17 vulnerabilities) targeting Google products and the Android ecosystem, as well as 55% (amounting to 11 out of 20 vulnerabilities) targeting iOS and Safari. These vendors specialize in selling spyware capabilities to government customers, raising serious implications for privacy and security.

“Of the 37 zero-day vulnerabilities in browsers and mobile devices exploited in 2023, we attributed over 60% to CSVs that sell spyware capabilities to government customers,” Google said.

Moreover, state-backed cyber espionage groups, notably those associated with the People’s Republic of China (PRC), have been identified as significant contributors to zero-day exploits. The report indicates that PRC cyber espionage groups exploited 12 zero-day vulnerabilities in 2023 (up from seven in 2022), continuing a trend observed over multiple years.

Exploitation associated with financially motivated actors proportionally decreases, the report notes. Financially motivated exploitation made up approximately 17% of the total, slightly lower than observed in 2022. Both 2022 and 2023 saw a decrease from nearly one-third of vulnerabilities attributed to financially motivated actors in 2021.

In 2023, financially motivated actors utilized 10 zero-day vulnerabilities, marking a decline compared to the previous year. This accounted for a smaller proportion of the total exploits compared to 2022. Specifically, threat group FIN11 exploited three zero-day vulnerabilities, while four separate ransomware groups exploited another four zero-days.

“Zero-day exploitation is no longer just a niche capability accessible to only a handful of actors, and we anticipate that the growth we have seen across the last few years will likely continue, as vendors continue to make other avenues of compromise less accessible and as threat actors focus increasing resources on zero-day exploitation,” the report said. “The wider proliferation of technology has made zero-day exploitation more likely as well: simply put, more technology offers more opportunity for exploitation.”