
Zero-Day Exploits Reached All-Time High Last Year Report Finds

Threat actors committed a record number of zero-day exploits in 2021 according to Mandiant’s research.



By Jill McKeon

Mandiant Threat Intelligence observed a record number of zero-day exploits in 2021, its latest report revealed. The firm identified 80 exploited zero-days in 2021, compared to just 30 in 2020. Threat actors most frequently exploited zero-days in Google, Microsoft, and Apple products, largely reflecting the popularity of those vendors.

The term “zero-day” indicates that there is no time between when a vulnerability is discovered by developers and when it is exploited by bad actors.

In late 2021, HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued a threat brief outlining risks and mitigation tactics associated with zero-day attacks on the healthcare sector.

Zero-days can refer to a few different mechanisms, HC3 noted. A zero-day attack occurs when threat actors exploit a vulnerability before a patch can be developed and applied. Meanwhile, a zero-day exploit is a method that weaponizes a discovered vulnerability, and a zero-day vulnerability is an unknown flaw in a software program.

“Mandiant considers a zero-day to be a vulnerability that was exploited in the wild before a patch was made publicly available,” the report explained.

From 2012 to 2021, Mandiant observed more than 200 zero-day vulnerabilities. In 2012, Mandiant observed just two zero-days. But in recent years, zero-day exploits have skyrocketed across all industries. Mandiant attributed the growth to the increase in cloud hosting, mobile, and internet of things (IoT) technologies, which increase the complexity of internet-connected devices.

Essentially, researchers suggested that as the number of software offerings increased over the years, vulnerabilities increased as well.

“The expansion of the exploit broker marketplace also likely contributes to this growth, with more resources being shifted toward research and development of zero-days, both by private companies and researchers, as well as threat groups,” the report continued.

“Finally, enhanced defenses also likely allow defenders to detect more zero-day exploitation now than in previous years, and more organizations have tightened security protocols to reduce compromises through other vectors.”

Notable zero-day attacks identified by HC3 include a 2010 attack on an Iranian nuclear program that successfully caused centrifuges to self-destruct, and the 2021 SonicWall zero-day ransomware attack in which threat actors exploited a vulnerability and subsequently deployed FiveHands ransomware.

In August 2020, zero-day vulnerabilities in the healthcare records application OpenClinic exposed patient test results. Users were urged to stop using the open-source program after developers failed to respond to reports of four zero-days. The unauthorized actors were able to successfully request files containing protected health information (PHI).

In August 2021, the zero-day vulnerability known as “PwnedPiper” impacted pneumatic tube systems used by hospitals to transport bloodwork, test samples, and medications. The attackers could exploit flaws in the control panel software, which allowed for unauthenticated and unencrypted firmware updates.

The healthcare sector may be particularly vulnerable to zero-day attacks since healthcare data is a high-value target. In addition, the most effective mitigation tactic is patching, which can be particularly difficult on legacy systems and medical IoT devices.

Mandiant found that state-sponsored espionage groups continue to be the primary threat actors exploiting zero-day vulnerabilities. However, financially motivated threat actors exploiting zero-days are growing as well.

In 2021, Mandiant observed a significant number of suspected Chinese cyber espionage groups leveraging zero-days. From 2012 to 2021, China exploited more zero-days than any other country, the report stated.

In addition, researchers observed numerous zero-day exploits tied to customers of malware vendors and ransomware operations.

“We suggest that significant campaigns based on zero-day exploitation are increasingly accessible to a wider variety of state-sponsored and financially motivated actors, including as a result of the proliferation of vendors selling exploits and sophisticated ransomware operations potentially developing custom exploits,” the report maintained.

“The marked increase in exploitation of zero-day vulnerabilities, particularly in 2021, expands the risk portfolio for organizations in nearly every industry sector and geography. While exploitation peaked in 2021, there are indications that the pace of exploitation of new zero-days slowed in the latter half of the year; however, zero-day exploitation is still occurring at an elevated rate compared to previous years.”

Researchers suggested that organizations implement a defensive strategy and prioritize patching known vulnerabilities.