Google has revealed that it observed 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023.
Of the 75 zero-days, 44% targeted enterprise products. As many as 20 flaws were identified in security software and appliances.
“Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for mobile devices compared to what we observed last year,” the Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News.
“Exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively (~90%) used to target mobile devices.”
Microsoft Windows accounted for 22 of the zero-day flaws exploited in 2024, while Apple’s Safari had three, iOS had two, Android had seven, Chrome had seven, and Mozilla Firefox had one that were abused during the same period. Three of the seven zero-days exploited in Android were found in third-party components.

Among the 33 exploited zero-days in enterprise software and appliances, 20 targeted security and network products, such as those from Ivanti, Palo Alto Networks, and Cisco.
“Security and network tools and devices are designed to connect widespread systems and devices with high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks,” GTIG researchers noted.
In all, a total of 18 unique enterprise vendors were targeted in 2024, in comparison to 12 in 2021, 17 in 2022, and 22 in 2023. The companies with the most targeted zero-days were Microsoft (26), Google (11), Ivanti (7), and Apple (5).
What’s more, the zero-day exploitation of 34 of the 75 flaws has been attributed to six broad threat activity clusters:
- State-sponsored espionage (10), led by China (5), Russia (1), and South Korea (1) (e.g., CVE-2023-46805, CVE-2024-21887)
- Commercial surveillance vendors (8) (e.g., CVE-2024-53104, CVE-2024-32896, CVE-2024-29745, CVE-2024-29748)
- Non-state financially motivated groups (5) (e.g., CVE-2024-55956)
- State-sponsored espionage and financially motivated groups (5), all from North Korea (e.g., CVE-2024-21338, CVE-2024-38178)
- Non-state financially motivated groups also conducting espionage (2), all from Russia (e.g., CVE-2024-9680, CVE-2024-49039)


Google said it discovered in November 2024 a malicious JavaScript inject on the website of the Diplomatic Academy of Ukraine (online.da.mfa.gov[.]ua), which triggered an exploit for CVE-2024-44308, resulting in arbitrary code execution.
This was then chained with CVE-2024-44309, a cookie management vulnerability in WebKit, to launch a cross-site scripting (XSS) attack and ultimately collect users’ cookies in order to gain unauthorized access to login.microsoftonline[.]com.
The tech giant further noted that it independently discovered an exploit chain for Firefox and Tor browsers that leveraged a combination of CVE-2024-9680 and CVE-2024-49039 to break out of the Firefox sandbox and execute malicious code with elevated privileges, thereby paving the way for the deployment of RomCom RAT.
The activity, previously flagged by ESET, has been attributed to a threat actor called RomCom (aka Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu). Google is tracking the dual financial- and espionage-motivated threat group under the name CIGAR.

Both flaws are said to have been abused as zero-days by another likely financially motivated hacking group that used a legitimate, compromised cryptocurrency news website as a watering hole to redirect visitors to an attacker-controlled domain hosting the exploit chain.
“Zero-day exploitation continues to grow at a slow but steady pace. However, we’ve also started seeing vendors’ work to mitigate zero-day exploitation start to pay off,” Casey Charrier, Senior Analyst at GTIG, said in a statement shared with The Hacker News.
“For instance, we’ve observed fewer instances of zero-day exploitation targeting products that have been historically popular, likely due to efforts and resources many large vendors have invested in order to prevent exploitation.”
“At the same time, we’re seeing zero-day exploitation shift towards the increased targeting of enterprise-focused products, which requires a wider and more diverse set of vendors to increase proactive security measures. The future of zero-day exploitation will ultimately be dictated by vendors’ decisions and ability to counter threat actors’ objectives and pursuits.”