The number of zero-day vulnerabilities exploited in-the-wild jumped significantly in 2023, as threat actors focused their efforts on enterprise-specific software and appliances, according to new research.
In Google’s fifth annual review (PDF) of zero-days exploited in-the-wild, researchers reported observing 97 zero-days in 2023, a 56% jump on the 65 spotted in 2022, but still below 2021’s record of 106.
Notably, there was a 64% rise in adversary exploitation of enterprise-specific technologies last year, continuing a trend the researchers have observed over the past five years. While only 11.8% of zero-days affected enterprise technologies in 2019, the number had climbed to 37.1% by 2023.
The increase in enterprise targeting was fueled mainly by exploitation of security software and appliances, the researchers said.
Security solutions that suffered zero-days attacks in 2023 included Barracuda Email Security Gateway, Cisco Adaptive Security Appliance, Ivanti Endpoint Manager Mobile and Sentry, and Trend Micro Apex One.
Security tech a prime target
The researchers — from Google’s Threat Analysis Group (TAG) and security firm Mandiant, which Google acquired in 2022 — observed exploitation of nine vulnerabilities affecting security software or devices.
“Security software is a valuable target for attackers because it often runs on the edge of a network with high permissions and access,” they said.
“By successfully exploiting such technologies, attackers can gain an initial foothold into a targeted organization for follow-on activity.”
Another indication of the growing sophistication of threat actors’ focus on enterprises was an increase in zero-days targeting third-party components and libraries.
“Vulnerabilities in third-party components tend to be higher value and more useful than vulnerabilities in the product’s first party code because they can affect more than just one product,” the report said.
“Therefore, an attacker would only need one bug and one exploit to affect two different products instead of developing and maintaining two different ones.”
Espionage goals top financial motivation
Of the 97 zero-days the researchers observed in 2023, 48 were attributed to commercial surveillance vendors or nation-state espionage campaigns. In comparison, only 10 were attributed to financially motivated threat actors.
Twelve separate government-backed zero-day vulnerabilities were attributed to China-backed attackers, more than any other state.
“Attackers aren't dumb. Exploiting zero-day vulnerabilities, especially those in open-source libraries, is an easy (and likely undetectable) way to gain full access to servers deep inside an organization's infrastructure,” said Contrast Security co-founder and CTO Jeff Williams.
He added that the number of zero-days observed last year appeared low, even if it amounted to a more than 50% rise on the previous year.
“An increase in exploited zero-days from 65 to 97 isn't that scary when there were over 26,000 reported CVEs last year. The vast majority of attacks is on these known vulnerabilities. Many organizations need to do a much better job of handling these known vulnerabilities faster,” he said.
“Alternatively, it’s very possible that we only detected 97 out of a much bigger number. Remember, zero-days, by their nature, are extremely difficult to detect."