Google has revealed that it observed 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023 but an increase from 63 the year before.
Of the 75 zero-days, 44% targeted enterprise products. As many as 20 flaws were identified in security software and appliances.
"Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for mobile devices compared to what we observed last year," the Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News.
"Exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively (~90%) used to target mobile devices."
While Microsoft Windows accounted for 22 of the zero-day flaws exploited in 2024, Apple's Safari had three, iOS had two, Android had seven, Chrome had seven, and Mozilla Firefox had one flaw abused during the same period. Three of the seven zero-days exploited in Android were found in third-party components.
Among the 33 zero-days exploited in enterprise software and appliances, 20 targeted security and network products, such as those from Ivanti, Palo Alto Networks, and Cisco.
"Security and network tools and devices are designed to connect widespread systems and devices with the high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks," GTIG researchers noted.
In all, a total of 18 unique enterprise vendors were targeted in 2024, compared to 12 in 2021, 17 in 2022, and 22 in 2023. The companies with the most targeted zero-days were Microsoft (26), Google (11), Ivanti (7), and Apple (5).
Google, which defines zero-days as vulnerabilities exploited in the wild before a patch is made publicly available, said state-backed cyber espionage was still the leading motivation behind the exploitation of a large chunk of the bugs. The zero-day exploitation of 34 of the 75 flaws was attributed to six broad threat activity clusters –
- State-sponsored espionage (10), led by China (5), Russia (1), and South Korea (1) (e.g., CVE-2023-46805, CVE-2024-21887)
- Commercial surveillance vendors (8) (e.g., CVE-2024-53104, CVE-2024-32896, CVE-2024-29745, CVE-2024-29748)
- Non-state financially motivated groups (5) (e.g., CVE-2024-55956)
- State-sponsored espionage and financially motivated groups (5), all from North Korea (e.g., CVE-2024-21338, CVE-2024-38178)
- Non-state financially motivated groups also conducting espionage (2), all from Russia (e.g., CVE-2024-9680, CVE-2024-49039)
Google said it discovered in November 2024 a malicious JavaScript injection on the website of the Diplomatic Academy of Ukraine (online.da.mfa.gov[.]ua), which triggered an exploit for CVE-2024-44308, resulting in arbitrary code execution.
This was then chained with CVE-2024-44309, a cookie management vulnerability in WebKit, to launch a cross-site scripting (XSS) attack and ultimately collect users' cookies in order to gain unauthorized access to login.microsoftonline[.]com.
The tech giant further noted that it independently discovered an exploit chain for the Firefox and Tor browsers that leveraged a combination of CVE-2024-9680 and CVE-2024-49039 to break out of the Firefox sandbox and execute malicious code with elevated privileges, thereby paving the way for the deployment of RomCom RAT.
The activity, previously flagged by ESET, has been attributed to a threat actor known as RomCom (aka Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu). Google is tracking the dual financially and espionage-motivated threat group under the name CIGAR.
Both flaws are said to have been abused as zero-days by another likely financially motivated hacking crew that used a legitimate, compromised cryptocurrency news website as a watering hole to redirect visitors to an attacker-controlled domain hosting the exploit chain.
"Zero-day exploitation continues to grow at a slow but steady pace. However, we've also started seeing vendors' work to mitigate zero-day exploitation start to pay off," Casey Charrier, Senior Analyst at GTIG, said in a statement shared with The Hacker News.
"For instance, we've observed fewer instances of zero-day exploitation targeting products that have been historically popular, likely due to the efforts and resources many large vendors have invested in order to prevent exploitation."
"At the same time, we're seeing zero-day exploitation shift towards the increased targeting of enterprise-focused products, which requires a wider and more diverse set of vendors to increase proactive security measures. The future of zero-day exploitation will ultimately be dictated by vendors' decisions and ability to counter threat actors' objectives and pursuits."