Previously unknown “zero-day” software vulnerabilities are mysterious and intriguing as a concept. But they’re even more notable when hackers are seen actively exploiting new software flaws in the wild before anyone else knows about them. As researchers have broadened their focus to discover and study more of these exploits, they are seeing them more often. Two reports this week from threat intelligence firm Mandiant and Google’s bug-hunting team, Project Zero, aim to shed light on the question of exactly how much zero-day exploitation has grown in recent years.
Mandiant and Project Zero have different scopes for the types of zero-days they track. Project Zero, for example, is not currently focused on analyzing flaws in IoT devices that are being exploited in the wild. As a result, the absolute numbers in the two reports are not directly comparable, but both teams tracked a record number of exploited zero-days in 2021. Mandiant tracked 80 last year compared to 30 in 2020, and Project Zero tracked 58 in 2021 compared to 25 a year earlier. The key question for both teams, however, is how to contextualize their findings, given that no one can see the full extent of this covert activity.
“We started to see a spike in early 2021, and a lot of the questions I got all year were, ‘What the hell is going on?!’” says Maddy Stone, a security researcher at Project Zero. “My first reaction was, ‘Oh my gosh, there’s so much.’ But when I took a step back and looked at it in the context of previous years to see such a big jump, this growth is actually more likely due to increased discovery, transparency and zero-day public knowledge.”
Before a software vulnerability is publicly disclosed, it is called a “zero-day” because there have been zero days in which the software manufacturer could develop and release a patch, and zero days for defenders to start monitoring for the vulnerability. In turn, the hacking tools that attackers use to take advantage of such vulnerabilities are known as zero-day exploits. Once the bug becomes public knowledge, a patch may not be released immediately (or at all), but attackers are on notice that their activity could be discovered or the hole could be plugged at any time. As a result, zero-days are highly coveted and big business for criminals and especially for government-backed hackers looking to conduct both mass campaigns and personalized, one-on-one targeting.
Zero-day vulnerabilities and exploits are generally thought of as rare hacking tools, but governments have repeatedly been shown to be stockpiling zero-days, and increased detection is revealing how often attackers use them. Over the past three years, tech giants like Microsoft, Google, and Apple have begun normalizing the practice of noting when they discover and fix a vulnerability that was exploited before the patch was released.
Although awareness and detection efforts have increased, James Sadowski, a researcher at Mandiant, emphasizes that he sees evidence of a change in the landscape.