27 March 2024

Spyware makers and state-backed hackers are primary culprits behind rise in zero-day exploits, Google says


Spyware makers and state-backed hackers are primary culprits behind rise in zero-day exploits, Google says

Google's Threat Analysis Group (TAG) and Google subsidiary Mandiant released a report highlighting the proliferation of zero-day vulnerabilities exploited in cyberattacks throughout 2023. The findings show a significant surge in these exploits compared to previous years, with a notable association with spyware vendors and state-backed cyber espionage groups.

According to the report, 97 zero-day vulnerabilities were exploited in-the-wild in 2023, marking an increase of over 50% compared to the previous year (62 vulnerabilities), although this figure falls short of the record set in 2021 (106 flaws).

A substantial portion of these exploits can be attributed to commercial surveillance vendors (CSVs) and state-sponsored actors. CSVs, in particular, were found to be behind 75% of known zero-day exploits (accounting for 13 out of 17 vulnerabilities) targeting Google products and the Android ecosystem, as well as 55% (amounting to 11 out of 20 vulnerabilities) targeting iOS and Safari. These vendors specialize in selling spyware capabilities to government customers, raising serious implications for privacy and security.

“Of the 37 zero-day vulnerabilities in browsers and mobile devices exploited in 2023, we attributed over 60% to CSVs that sell spyware capabilities to government customers,” Google said.

Moreover, state-backed cyber espionage groups, notably those associated with the People’s Republic of China (PRC), have been identified as significant contributors to zero-day exploits. The report indicates that PRC cyber espionage groups exploited 12 zero-day vulnerabilities in 2023 (up from seven in 2022), continuing a trend observed over multiple years.

Exploitation associated with financially motivated actors proportionally decreases, the report notes. Financially motivated exploitation made up approximately 17% of the total, slightly lower than observed in 2022. Both 2022 and 2023 saw a decrease from nearly one-third of vulnerabilities attributed to financially motivated actors in 2021.

In 2023, financially motivated actors utilized 10 zero-day vulnerabilities, marking a decline compared to the previous year. This accounted for a smaller proportion of the total exploits compared to 2022. Specifically, threat group FIN11 exploited three zero-day vulnerabilities, while four separate ransomware groups exploited another four zero-days.

“Zero-day exploitation is no longer just a niche capability accessible to only a handful of actors, and we anticipate that the growth we have seen across the last few years will likely continue, as vendors continue to make other avenues of compromise less accessible and as threat actors focus increasing resources on zero-day exploitation,” the report said. “The wider proliferation of technology has made zero-day exploitation more likely as well: simply put, more technology offers more opportunity for exploitation.”

Back to the list

Latest Posts

Cyber Security Week in Review: June 21, 2024

Cyber Security Week in Review: June 21, 2024

In brief: The US bans Russia’s Kaspersky software, Chinese cyber espionage actor exploits Fortinet, Ivanti, and VMware zero-days, and more.
21 June 2024
Russian Nobelium hackers  target French diplomatic entities and public orgs

Russian Nobelium hackers target French diplomatic entities and public orgs

Nobelium's tactics involve using hacked legitimate email accounts belonging to diplomatic staff to conduct phishing campaigns.
20 June 2024
Chinese cyber espionage actor exploits Fortinet, Ivanti, and VMware zero-days

Chinese cyber espionage actor exploits Fortinet, Ivanti, and VMware zero-days

The group relies heavily on valid credentials for lateral movement between guest virtual machines on compromised VMware ESXi servers.
20 June 2024