Zero-Day Exploits Touch Record High

Diving into details

• The good news above comes with a bad one. Attackers are having more success using the same exploitation techniques and bug patterns on the same attack surfaces. The attack methodology hasn’t changed much since previous years.
• The flaws cataloged by the team are only the ones that have been identified and disclosed. Therefore, the actual proportion of zero-day exploits remains unknown.

Some stats your way

• Of the 58 zero-day vulnerabilities reported in 2021, 56 were similar to previously disclosed flaws.
• Of these, 67% or 39 accounted for memory corruption bugs, followed by 17 use-after-free, 6 out-of-bounds read & write, 4 buffer overflow, and 4 integer overflow bugs.
• Only two vulnerabilities were distinguished. First of them is the CVE-2021-30860 in iMessage, which was abused by NSO’s Pegasus spyware.
• The second one was a sandbox escape, dubbed FORCEDENTRY, that affected iOS and exploited only logic bugs instead of memory corruption, to escape the sandbox.
• Chrome/Chromium had the most number of vulnerabilities (14), followed by Windows (10), Safari and Android (7 each), Microsoft Exchange Server and iOS/macOS (5 each), and Internet Explorer (4).

Mandiant’s report

• State-sponsored groups, spearheaded by Chinese hackers, are the ones to abuse the most number of zero-days. 
• Almost 1 in 3 identified attackers abusing zero-days was financially motivated. 
• At least six zero-days, actively abused in 2021, were possibly by customers of malware vendors. 
• At least five flaws were allegedly exploited by an Israeli commercial vendor. 
• The most zero-day bugs exploited were in Microsoft, Apple, and Google products. 

The bottom line