Miscreants are exploiting enterprise tech zero days more and more, Google warns
Crooks know where the big bucks are
The discovery and exploitation of zero-day vulnerabilities in enterprise-specific software and appliances appears to be outpacing the leveraging of zero-day bugs overall, judging by Google's latest research.
In a report published today, the web giant's Threat Analysis Group (TAG) and Mandiant division said they tracked 97 zero-day vulnerabilities found and exploited by miscreants in 2023, considerably more than the 62 such holes seen the year prior. That's a 56 percent uplift.
The number of found and exploited enterprise-specific technology zero-day vulnerabilities, however, increased by 64 percent in 2023 compared to 2022 with miscreants exploiting 36 of these bugs. This figure has been rapidly growing over the past five years, we're told, with just 11.8 percent of zero-days in 2019 affecting enterprise software.
"This percentage increased to 37.1 percent in 2023, signaling a continued shift in the types of products targeted for malicious exploitation," according to the report [PDF].
This year's report combines analysis from both the Mandiant and TAG teams for the first time since Google bought Mandiant in 2022. It also split the zero-day vulnerabilities into two categories: end-user platforms and products – encompassing mobile devices, operating systems, browsers, and other applications – and enterprise-focused software and appliances.
While 61 of the 97 zero-days affected end-user products last year, this number isn't increasing as rapidly as its enterprise counterparts.
Specifically, this included 17 Windows vulnerabilities, 11 in Safari, nine affecting both iOS and Android, and eight in Chrome. Google didn't observe any zero-days across macOS, Firefox or Internet Explorer last year.
The bug hunters credit vendors such as Apple, Google, and Microsoft with making "notable investments that are having a clear impact on the types and number of zero-days actors are able to exploit."
This includes protections such as Apple's Lockdown Mode for iOS and Google's MiraclePtr, which prevents exploitation of use-after-free bugs across all Chrome platforms.
"Vulnerabilities that were commonplace in years past are virtually non-existent today," the report states.
Across these end-user platforms, however, the Googlers did note an increase in zero-days across third-party components and libraries, which gives attackers more bang for their buck and allows them to exploit one bug while affecting multiple products.
This included CVE-2023-5217, a buffer overflow vulnerability affecting VP8/VP9 encoding in libvpx, an open source video codec library. This flaw affected Chrome, Firefox, iOS, and Android.
On to another browser zero-day that was exploited in 2023 – CVE-2023-4863, a heap buffer overflow in libwebp that affected any software that used the WebP image library. This included Chrome, Safari, Android, and Firefox.
"We assess with high confidence that the Chrome vulnerability CVE-2023-4863 and the Apple ImageIO vulnerability CVE-2023-41064 are actually the same bug," TAG and Mandiant claim.
Enterprise tech zero-days
Moving back to the enterprise zero-days, Google's threat hunters attribute the increase to buggy security software and appliances in 2023. Notably, this included Barracuda Email Security Gateways, Cisco Adaptive Security Appliances, Ivanti Endpoint Manager Mobile and Sentry, and Trend Micro Apex One.
Ivanti had three zero-day exploits last year, as did North Grid Corporation, giving these two vendors the dubious honor of being the most-exploited enterprise tech in 2023 in terms of zero-days.
This also illustrates a "key challenge" faced by enterprise vendors, according to TAG and Mandiant: "Learning how to respond to sophisticated attacks targeting their products in a timely and effective manner while simultaneously developing an effective patch that addresses the ways threat actors are weaponizing the vulnerability."
Commercial surveillance vendors, government snoops going strong
Speaking of sophisticated attacks and attackers, perhaps unsurprisingly the bulk of last year's exploits can be attributed to commercial surveillance vendors (41.4 percent) and government cyberspies (41.4 percent).
The rest (ten exploits) came from financially motivated criminals, who are already having plenty of success scanning for and then exploiting recently disclosed bugs, so it doesn't make as much sense for them to buy zero-day exploits.
The Google teams were able to attribute motivation for 58 zero-days in 2023, and a combined 48 of these traced back to commercial surveillance vendors (think Pegasus developer NSO Group, Predator maker Intellexa, Candiru, and others) and government-linked crews, including those with ties to Russia, North Korea, Belarus, China, and other unknown actors.
TAG goes in-depth into a lot of these commercial surveillance vendors in its earlier report [PDF], published last month, which is worth a read for its insight into the CSV ecosystem.
A couple of notable stats from the new zero-day report: CSVs were responsible for 75 percent (13) of known zero-day exploits targeting Google products and Android ecosystem devices in 2023, and 55 percent targeting iOS and Safari (11).
CSVs did not have any luck with Windows zero-days in 2023. Every Windows exploit could be attributed to either government-backed or financially motivated miscreants.
However, "we know that Candiru, a CSV, had a chain for Windows because we were able to recover their first stage Chrome exploit, but we were not able to recover the rest of the exploits in the chain," the report says.
Additionally, China's government was behind 12 zero-day exploits last year, up from seven in 2022, which, once again, puts the People's Republic as the most prolific nation-state attacker.
This number includes UNC4841's exploitation of two Barracuda bugs, CVE-2023-2868 and CVE-2023-7102.
Plus, another Beijing-linked group, UNC3886, exploited three separate zero-days using two novel attack paths as the report outlines:
In one path, UNC3886 took advantage of a path traversal vulnerability in Fortinet's FortiOS (CVE-2022-41328) to overwrite legitimate files in a normally restricted system directory before exploiting an authentication bypass vulnerability in VMware products (CVE-2023-20867) that enabled the execution of privileged commands; we identified this exploitation dating back at least to mid-2022.
In a second attack, the group exploited CVE-2023-34048, a VMware out-of-bounds write bug, then also exploited CVE-2023-20867. TAG and Mandiant say this allowed the criminals access to vulnerable networks as far back as late 2021. ®