Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
Summary:
In 2024, the Google Threat Intelligence Group (GTIG) observed 75 zero-day vulnerabilities exploited in the wild, fewer than in 2023 but still consistent with the gradual upward trend of recent years. The most notable shift was toward enterprise-specific technologies such as security software, networking appliances, and cloud infrastructure, which accounted for 44% of all zero-days, up from 37% in 2023. These products are attractive to attackers because they sit in privileged, centralized positions with broad reach into an IT environment, and because traditional Endpoint Detection and Response tools generally cannot be installed on them, leaving defenders with little visibility into their compromise. Exploitation of traditional end-user platforms such as browsers and mobile devices declined, in part because vendor-led mitigations have made exploitation harder. Operating systems, Microsoft Windows in particular, remained a consistent target because of their widespread use.
The actors exploiting these vulnerabilities were primarily focused on cyber espionage, with state-sponsored groups from the People's Republic of China (PRC) and North Korea at the forefront. PRC actors targeted enterprise security and networking devices exclusively, while North Korean actors mixed espionage with financially motivated operations, exploiting Chrome and Windows vulnerabilities. Commercial surveillance vendors also played a major role, supplying capabilities to both government and private customers; several of their attacks required physical access to the target's mobile device. Non-state, financially motivated actors such as FIN11 continued to exploit zero-days for extortion and data theft, often via file transfer software. Exploits typically aimed for remote code execution or privilege escalation, abusing flaws such as use-after-free, command injection, and cross-site scripting, and were often delivered through exploit chains, malicious advertisements, or watering-hole attacks.
Security Officer Comments:
Threat actors are becoming increasingly adept at identifying and exploiting zero-day vulnerabilities, enabling them to bypass conventional security controls and gain unauthorized, often undetected access to critical systems, networks, and sensitive data. In enterprise settings, the compromise of a security or networking appliance provides a foothold for broad intrusions: the device sits on the network edge, handles authentication and traffic for many users, and is rarely covered by endpoint monitoring, so lateral movement, data exfiltration, and operational disruption can proceed with little warning. On end-user devices, these exploits can result in credential theft, invasive surveillance, or complete device compromise. The growing involvement of state-sponsored groups and commercial surveillance vendors heightens the threat of targeted espionage, while financially motivated actors continue to fuel data breaches, ransomware attacks, and supply chain compromise. Because a zero-day by definition has no patch at the moment it is first exploited, patching alone cannot prevent the initial intrusion; it shortens the window of exposure once a fix is available. Organizations therefore need to pair accelerated patch management with exposure reduction and detection that does not depend on the targeted device defending itself.
Suggested Corrections:
Reducing the attack surface of internet-exposed appliances is the first priority. Management interfaces (administrative web UI, SSH, APIs) of firewalls, VPN gateways, and other edge devices should not be reachable from the internet; restrict them to a dedicated management network or jump host and require multi-factor authentication for administrative access. Placing a VPN or security appliance in front of other exposed services can add a barrier that attackers must overcome, but the report's own findings show that these fronting devices are themselves prime zero-day targets, so they must be treated as high-value assets rather than as a trusted perimeter: disable unused services and portals, follow vendor hardening guidance, and apply vendor advisories and patches promptly, since exploitation frequently precedes or immediately follows disclosure. Because EDR agents typically cannot run on these appliances, forward their logs to a SIEM and monitor for anomalous administrative logins, configuration changes, and unexpected outbound connections. Network segmentation limits how far an intruder can move from a compromised edge device, and network-layer intrusion detection provides visibility that the appliance itself cannot. Together these measures reduce both the likelihood and the impact of zero-day exploitation.
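As an added example of checking the exposure point above (this is illustrative code written for this page, not code from the GTIG report or from any vendor), the following Python auditor walks a constructed set of appliance ingress rules, flags management interfaces reachable from outside an approved management network, and rewrites the offending rules. The rule format, the management networks, the management port list, and the sample rules are all assumptions made for the example.

```python
"""Audit appliance ingress rules for management interfaces reachable from
outside the management network.

Added example, not code from the GTIG report or from the original page. The
rule format, MANAGEMENT_NETWORKS, MANAGEMENT_PORTS and SAMPLE_RULES are
assumptions constructed for illustration.
"""
from dataclasses import dataclass, replace
import ipaddress

# Networks from which administrators are meant to manage appliances (assumed).
MANAGEMENT_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),      # internal admin VLAN
    ipaddress.ip_network("192.168.100.0/24"),  # bastion / jump-host subnet
]

# Ports that carry administrative protocols when they appear on a
# user-facing interface (assumed; extend for the product in use).
MANAGEMENT_PORTS = {22, 8443, 10443}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # CIDR, e.g. "0.0.0.0/0"
    interface: str   # "mgmt" (admin UI/API) or "public" (user-facing service)
    port: int
    action: str      # "allow" or "deny"


def source_within_management(cidr: str) -> bool:
    """True if every address in `cidr` lies inside an approved management network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == m.version and net.subnet_of(m)
               for m in MANAGEMENT_NETWORKS)


def audit(rules):
    """Return (rule name, reason) for each allow rule that exposes management access."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.interface == "mgmt" and not source_within_management(r.source):
            scope = "the whole internet" if r.source in ("0.0.0.0/0", "::/0") else r.source
            findings.append((r.name, f"management interface reachable from {scope}"))
        elif r.interface == "public" and r.port in MANAGEMENT_PORTS:
            findings.append((r.name, f"management port {r.port} open on user-facing interface"))
    return findings


def harden(rules):
    """Rewrite flagged rules: management-interface rules are re-scoped to
    MANAGEMENT_NETWORKS (one rule per network); management ports on the
    public interface are removed entirely."""
    flagged = {name for name, _ in audit(rules)}
    hardened = []
    for r in rules:
        if r.name not in flagged:
            hardened.append(r)
        elif r.interface == "mgmt":
            for i, m in enumerate(MANAGEMENT_NETWORKS):
                hardened.append(replace(r, name=f"{r.name}-mgmt{i}", source=str(m)))
        # public-interface management ports get no replacement: they are closed
    return hardened


# Constructed sample rule set: a VPN appliance whose admin UI and SSH are
# reachable from anywhere, alongside the legitimately public VPN portal.
SAMPLE_RULES = [
    Rule("vpn-portal",   "0.0.0.0/0",     "public", 443, "allow"),
    Rule("admin-ui-any", "0.0.0.0/0",     "mgmt",   443, "allow"),
    Rule("ssh-public",   "0.0.0.0/0",     "public", 22,  "allow"),
    Rule("admin-branch", "172.16.0.0/12", "mgmt",   443, "allow"),
    Rule("admin-ok",     "10.10.5.0/24",  "mgmt",   443, "allow"),
    Rule("deny-rest",    "0.0.0.0/0",     "mgmt",   443, "deny"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"FINDING {name}: {reason}")
    print("after hardening:", [r.name for r in harden(SAMPLE_RULES)])
```

Note that the user-facing VPN portal on 443 is left alone: the check distinguishes the interface role, not just the port, because the same port number is legitimate on one interface and an exposure on the other. Running the audit again over the hardened rule set returns no findings, which is the property worth asserting in a CI check before firewall changes are pushed.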
Link(s):
https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends