Technical Brief: A Deep Dive into 2024 Zero-Day Exploitation Trends

This brief summarizes key technical findings from Google Threat Intelligence Group's (GTIG) 2024 analysis of zero-day exploitation, highlighting significant shifts and persistent threats.

Overall Landscape and Trends:

• GTIG tracked 75 zero-day vulnerabilities exploited in the wild in 2024. While this is a decrease from the 98 identified in 2023, it represents an increase from 2022 (63 vulnerabilities). The data suggests a steady upward trend over the past four years when considering the average trendline.
• Detection capabilities and more frequent public disclosures have likely contributed to the larger numbers of detected zero-day exploitation compared to what was observed prior to 2021.

Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis | Google Cloud Blog

This Google Threat Intelligence Group report presents an analysis of detected 2024 zero-day exploits.

Google Cloud

Shifting Focus to Enterprise Technologies:

• A significant trend in 2024 was the continued increase in adversary exploitation of enterprise-specific technologies. The proportion of zero-days targeting enterprise products jumped from 37% in 2023 to 44% in 2024.
• This shift was primarily fueled by the increased exploitation of security and networking software and appliances. GTIG identified 20 security and networking vulnerabilities, making up over 60% of all zero-day exploitation of enterprise technologies.
• These products are high-value targets because they connect widespread systems, have high permissions required for management, and offer efficient access into enterprise networks. They often lack Endpoint Detection and Response (EDR) tool support, limiting monitoring capabilities. Additionally, exploit chains are not generally required, meaning a single vulnerability can provide extensive power like remote code execution or privilege escalation.
• The variety of targeted enterprise vendors also expanded, with 18 unique vendors targeted in 2024, a significant proportional increase. Notably, Ivanti was the third most frequently targeted vendor with seven zero-days, reflecting this increased focus on networking and security products, placing a security vendor higher than a popular end-user technology vendor like Apple.

End-User Platform Exploitation:

• Despite the shift, end-user platforms and products still accounted for 56% (42) of tracked zero-days in 2024. This category includes browsers, mobile devices, and desktop operating systems.
• Zero-day exploitation of browsers and mobile devices fell drastically in 2024, decreasing by about a third for browsers (17 to 11) and about half for mobile devices (17 to 9) compared to 2023. Vendor investments in exploit mitigations appear to be having a clear impact on these historically popular targets. Chrome remained the primary focus for browser exploitation. Exploit chains continue to be almost exclusively (~90%) used for mobile device targeting. Third-party components in Android devices also remained a target.
• In contrast, 2024 saw an increase in zero-day vulnerabilities affecting desktop operating systems (OSs), climbing from 17 in 2023 to 22 in 2024. Microsoft Windows exploitation specifically increased, from 16 zero-days in 2023 to 22 in 2024. Desktop OSs remain a large target due to their popularity in both home and professional settings.

Threat Actor Landscape:

• GTIG attributed the exploitation of 34 zero-day vulnerabilities in 2024, just under half of the total.
• Actors conducting cyber espionage still lead attributed zero-day exploitation, accounting for nearly 53% (18 vulnerabilities) of total attributed exploitation. This includes both likely nation-state-sponsored groups (10 zero-days) and customers of commercial surveillance vendors (CSVs) (eight zero-days).
• CSVs continue to provide access to zero-day exploitation for other actors, although their attributed count dipped slightly in 2024, potentially due to increased operational security practices. Forensic vendors using zero-days requiring physical access were noted.
• PRC-backed threat groups remained the most consistent government-backed espionage developer and user of zero-days, with five attributed vulnerabilities. Their exploitation exclusively focused on security and networking technologies, continuing a multi-year trend.
• For the first time, North Korean state actors tied for the highest total number of attributed zero-days with five vulnerabilities. These groups mix espionage and financially motivated operations. They exploited zero-days in Chrome and Windows products, including a reported zero-day in the Windows AppLocker driver to bypass security tools.
• Financially motivated non-state groups accounted for almost 15% (five vulnerabilities) of attributed zero-days, with FIN11 notably exploiting zero-days in file transfer products. Groups with mixed financial and espionage motivations, such as CIGAR (also tracked as UNC4895 or RomCom), also exploited zero-days, including vulnerabilities in Firefox and Windows.

Technical Details and Vulnerability Types:

• Threat actors primarily utilize zero-days for gaining remote code execution and elevating privileges, accounting for over half of tracked exploitation.
• The most frequently exploited vulnerability types were Use-after-free (8), Command injection (8), and Cross-site scripting (XSS) (6).
• Code and command injection vulnerabilities were observed almost entirely targeting networking and security software and appliances, indicating intent to gain control over larger systems.
• These vulnerability types largely stem from software development errors. Preventing them requires adhering to higher programming standards, such as code reviews and updating codebases.
• Specific examples like the WebKit exploit chain targeting MacOS users to steal cookies demonstrate attackers staying within the browser environment for credential theft. Another example involving CIGAR highlights a local privilege escalation vulnerability (CVE-2024-49039) in a Windows RPC server that abused endpoint security and insufficient ACL checks to escalate privileges from Low Integrity Level to SYSTEM.

Implications for Defenders and Vendors:

• Defending against zero-days requires strategy and prioritization. While zero-day exploitation numbers in historically popular targets like mobile and browsers are decreasing due to vendor efforts, the overall trend is expected to rise steadily.
• Vendors, particularly those newly targeted or in the expanding enterprise product space, must evolve security practices. This includes enforcing proper and safe coding practices to prevent common vulnerability types.
• For highly valuable enterprise tools (security, networking), vendors must address architectural gaps that allow a single exploit to cause extensive damage. Best practices like zero-trust fundamentals (least-privilege, network segmentation) are crucial.
• Continuous monitoring is needed, and vendors should work towards enabling EDR capabilities for products that currently lack them, especially security and networking devices.
• The ability of vendors to counter threat actors' objectives will ultimately dictate zero-day exploitation trends.