In its annual look at in-the-wild zero-day exploitation, Google has highlighted a concerning trend - hackers are increasingly setting their sights on compromising enterprise technologies like security software and network appliances. The findings were published today in Google's "Year in Review of Zero-Days Exploited In-the-Wild in 2023" report and accompanying blog post.
The report, a joint effort between Google's Threat Analysis Group (TAG) and the recently acquired Mandiant, tracked a total of 97 zero-day vulnerabilities actively exploited last year. While marking a 56% increase from 2022's total, the number still fell short of the 106 zero-days detected in 2021's record year.
However, the data reveals an alarming escalation in attacks targeting enterprise products and vendors, signaling a potential new front in the perpetual cyber war between attackers and defenders.
Key Points from Google's Report
- Vendor investments in exploit mitigations are paying off by preventing entire classes of vulnerabilities from being exploited, such as Google's MiraclePtr stopping use-after-free bugs in Chrome and Apple's Lockdown mode blocking many iOS exploit chains.
- Zero-day vulnerabilities in third-party components and libraries emerged as a prime attack vector in 2023, since exploiting these can impact multiple downstream products.
- There was a significant 64% year-over-year increase in zero-days exploited against enterprise technologies like security software and network appliances.
- Commercial surveillance vendors accounted for 75% of the zero-days targeting Google and Android products, and over 60% of all browser and mobile exploits.
- Chinese state-sponsored groups led the way in government-backed exploitation, accounting for 12 separate zero-day vulnerabilities in 2023.
- Exploitation by financially motivated groups like ransomware operators decreased proportionally compared to 2022 levels.
- There is an increasing diversity of enterprise vendors being targeted by zero-day attacks, many without prior experience combating sophisticated threats.
- The success of mitigations is forcing attackers to continually research new vulnerabilities and exploitation techniques against hardened platforms.
Enterprise Under Attack
Of the 97 total zero-days spotted in 2023, a full 36 targeted enterprise technologies - a staggering 64% spike from the prior year. This continues an upward trend dating back to at least 2019, when just 12% of zero-days impacted the enterprise space.
"This observed increase in enterprise targeting was fueled mainly by exploitation of security software and appliances," the report states, calling out vendors like Barracuda, Cisco, Ivanti, Trend Micro and others whose products were compromised by zero-day attacks.
Figure: Zero-days exploited in-the-wild by year (image: Google)
The successful exploitation of security products is particularly concerning given their deep access and elevated privileges on corporate networks. As Google warns, these technologies "often run on the edge of a network with high permissions and access" - making them an ideal initial entry point for threat actors.
This rising enterprise threat surfaces an uneven playing field compared to the consumer tech realm dominated by a handful of skilled vendors like Apple, Google and Microsoft. Many enterprise technology makers are inexperienced in combating sophisticated zero-day attacks and skilled exploitation techniques.
"We must take these lessons learned and apply that knowledge to other vendors who may be inexperienced in these types of responses," the report urges, referring to the hardened defenses and well-practiced vulnerability response processes of the major platforms.
Nation-State Actors Lead the Charge
Unsurprisingly, the spike in enterprise exploitation can be largely attributed to nation-state hacking groups and their well-resourced offensive capabilities.
China accounted for 12 of the zero-days that Google traced to government-backed actors in 2023 - more than any other country and continuing a multi-year trend. One Chinese espionage group, tracked as UNC3886, chained three separate zero-days to penetrate target networks, in some cases remaining undetected for over a year.
Commercial surveillance vendors - private companies that develop invasive spyware and exploits to sell to government clients - were also prolific last year. Google attributed 24 of the 58 zero-days where it determined motivation to these vendors, which concentrated their efforts on compromising mobile devices and browsers.
Signs of Progress Against Consumer Attacks
While the enterprise landscape looks increasingly fraught, Google's report also highlights continued progress made in fortifying consumer products against zero-day threats.
Thanks to heavy investment in exploit mitigations, vulnerability classes that were once commonplace "are virtually non-existent today" on platforms like Chrome and iOS. Google specifically calls out Chrome's MiraclePtr for blocking exploitation of use-after-free bugs in Chrome last year, as well as Apple's Lockdown Mode, which blocked many in-the-wild exploit chains targeting iPhones.
Figure: Zero-days in end-user products in 2022 and 2023 (image: Google)
"Kudos to Google Chrome and Apple for their investment into exploit mitigations," the report commends. "This demonstrates how these investments are making a real impact on the safety of users and forcing attackers to spend the time to research new attack surfaces and find new bug patterns."
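To make the MiraclePtr point concrete, here is an added, deliberately simplified model of the BackupRefPtr idea it is built on. This is illustration code written for this article, not Chromium's implementation: each allocation carries a hidden header with a count of outstanding protected references, the owner's free() only releases memory once no references remain, and until then the block is quarantined and zero-filled. A use-after-free through a stale reference therefore reads poisoned zeros rather than attacker-controlled data sprayed into a reused slot. The names `brp_alloc`, `brp_ref`, `brp_free` and the `widget` scenario are all assumptions made for the example.

```c
/* Simplified BackupRefPtr-style quarantine (added illustration, not Chromium code).
 * A hidden header tracks how many protected references point at a block.
 * Freeing a block that still has references poisons and quarantines it
 * instead of returning it to the allocator, so the slot cannot be reused. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t refs;   /* outstanding protected references to this block */
    int freed;     /* 1 once the owner called brp_free() */
    size_t size;   /* user-visible size, needed for poisoning */
} brp_header;

/* Protected pointer: holding one keeps the block's refcount raised */
typedef struct { void *p; } brp_ptr;

static brp_header *hdr(void *p) { return (brp_header *)p - 1; }

void *brp_alloc(size_t n) {
    brp_header *h = calloc(1, sizeof *h + n);
    if (!h) return NULL;
    h->size = n;
    return h + 1;                 /* user pointer sits right after the header */
}

brp_ptr brp_ref(void *p) { hdr(p)->refs++; return (brp_ptr){p}; }

/* Drop a protected reference; the last one off a freed block releases it */
void brp_unref(brp_ptr *r) {
    brp_header *h = hdr(r->p);
    if (--h->refs == 0 && h->freed) free(h);
    r->p = NULL;
}

/* Owner frees the block: release now if unreferenced, else poison+quarantine */
void brp_free(void *p) {
    brp_header *h = hdr(p);
    h->freed = 1;
    if (h->refs == 0) { free(h); return; }
    memset(p, 0, h->size);        /* dangling reads now see zeros, not stale data */
}

int brp_is_dangling(brp_ptr r) { return hdr(r.p)->freed; }

/* Constructed scenario: an object with a function pointer is freed while a
 * second reference to it lives on. Classic UAF exploitation would reallocate
 * the slot with attacker data and let the stale pointer call into it. */
typedef struct { void (*handler)(void); char name[16]; } widget;

static void legit_handler(void) {}

/* Returns 1 when the quarantine prevented reuse, poisoned the stale view,
 * and flagged the reference as dangling; 0 otherwise. */
int demo_uaf_mitigated(void) {
    widget *w = brp_alloc(sizeof *w);
    if (!w) return 0;
    w->handler = legit_handler;
    strcpy(w->name, "ok");
    brp_ptr stale = brp_ref(w);   /* second owner keeps a protected reference */
    brp_free(w);                  /* first owner frees: block is quarantined */

    /* attacker "spray": a same-size allocation cannot land in the quarantined slot */
    void *spray = brp_alloc(sizeof *w);
    int reused = (spray == (void *)w);

    widget *d = stale.p;          /* stale view: poisoned, not attacker data */
    int poisoned = (d->handler == NULL && d->name[0] == '\0');
    int dangling = brp_is_dangling(stale);

    brp_free(spray);              /* no references: released immediately */
    brp_unref(&stale);            /* last reference gone: quarantined block released */
    return !reused && poisoned && dangling;
}
```

The contrast with plain `malloc`/`free` is the point: with most allocators a same-size allocation right after `free(w)` hands back the very same chunk, which is exactly what a use-after-free exploit counts on. The real BackupRefPtr keeps its refcount in PartitionAlloc's slot metadata and is applied automatically to `raw_ptr<T>` members, but the quarantine-until-unreferenced behaviour is the same mechanism that the report credits with removing an entire bug class from Chrome's in-the-wild exploit count.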
However, attackers have rapidly adapted. As consumer platforms harden, threat actors predictably shifted focus in 2023 to "third-party components and libraries" which can provide a single exploit impacting multiple downstream products.
The Road Ahead
Looking forward, Google anticipates threat groups will likely continue pivoting to new and emerging attack surfaces as vendor defenses improve - "targeting wider and more varied products, as the tried and true methods increasingly become less viable."
To counter this game of cyber cat-and-mouse, the report emphasizes that organizations must prioritize foundational security practices to "force an attacker to use a zero-day" while also preparing strategic vulnerability response plans. Transparency through coordinated disclosure of exploit techniques is also crucial to accelerating industry-wide defensive measures.
For high-risk users, Google recommends activating safeguards like iOS Lockdown mode, Chrome's secure "HTTPS-First Mode", and enabling ARM's new Memory Tagging Extension on Pixel 8 devices. The company's own Advanced Protection Program aims to provide enhanced account security for those at elevated risk.
Fundamentally, the findings illuminate a cyber threat landscape that grows more complex by the year as offensive and defensive capabilities endlessly evolve. While the major consumer platforms have significantly raised the bar, attackers have already pivoted to less hardened targets in the enterprise sector.
By examining these continually shifting dynamics, Google hopes to provide transparency and actionable guidance for an industry charged with defending against an increasingly commoditized zero-day exploit marketplace. Shared insight, not isolated knowledge, will be crucial to mitigating the rising enterprise threat and enhancing safety for all.