Mandiant Threat Intelligence identified 80 zero-days exploited in the wild in 2021, which is more than double the previous record volume in 2019. State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups. Threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors.
Key insights from Mandiant's research, presented by James Sadowski, principal analyst at Mandiant:
- Zero-Day Exploitation Reaches All-Time High in 2021
Zero-day exploitation increased from 2012 to 2021, and we expect the number of zero-days exploited per year to continue to grow. Several factors likely contribute to growth in the quantity of zero-days exploited. For example, the continued move toward cloud hosting, mobile, and Internet-of-Things (IoT) technologies increases the volume and complexity of systems and devices connected to the internet—put simply, more software leads to more software flaws. The expansion of the exploit broker marketplace also likely contributes to this growth, with more resources being shifted toward research and development of zero-days, both by private companies and researchers, as well as threat groups. Finally, enhanced defenses also likely allow defenders to detect more zero-day exploitation now than in previous years, and more organizations have tightened security protocols to reduce compromises through other vectors.
- State-Sponsored Groups Still Dominate, but Financially Motivated Zero-Day Exploitation Also Growing
State-sponsored espionage groups continue to be the primary actors exploiting zero-day vulnerabilities, although the proportion of financially motivated actors deploying zero-day exploits is growing. From 2014–2018, Mandiant observed only a small proportion of financially motivated actors exploit zero-day vulnerabilities, but by 2021, roughly one third of all identified actors exploiting zero-days were financially motivated. We also noted new threat clusters exploiting zero-days, but do not yet have sufficient information about some of these clusters to assess their motivation.
- Chinese Groups Consistently Lead State Zero-Day Exploitation
Mandiant identified the highest volume of zero-days exploited by suspected Chinese cyber espionage groups in 2021, and espionage actors from at least Russia and North Korea actively exploited zero-days last year too. From 2012 to 2021, China exploited more zero-days than any other nation. However, we observed an increase in the number of nations likely exploiting zero-days, particularly over the last several years, and at least 10 separate countries likely exploited zero-days since 2012.
- Zero-Day Exploitation Linked to Ransomware Operations
Since 2015, Mandiant observed a sharp decline in zero-day vulnerabilities included in criminal exploit kits, likely due to several factors including the arrests of prominent exploit developers. However, as the criminal underground coalesced around ransomware operations, we observed an uptick in ransomware infections exploiting zero-day vulnerabilities since 2019. This trend may indicate that these sophisticated ransomware groups are beginning to recruit or purchase the requisite skills to exploit zero-days that may have been formerly developed for exploit kits.
- Popular Vendors Are Popular Targets for Zero-Day Exploitation
Mandiant analyzed zero-days from 12 separate vendors in 2021, with vulnerabilities in Microsoft, Apple, and Google products comprising 75% of total zero-day vulnerabilities, likely as a result of the popularity of these products among enterprises and users across the globe. The threat from exploitation of these major providers remains significant, given their prevalence. In addition, we saw a growing variety in the vendors being targeted, which can complicate patch prioritization and make it more difficult for organizations that can no longer focus on just one or two vendors as priorities.
Outlook & implications
Significant campaigns based on zero-day exploitation are increasingly accessible to a wider variety of state-sponsored and financially motivated actors, including as a result of the proliferation of vendors selling exploits and sophisticated ransomware operations potentially developing custom exploits. The marked increase in exploitation of zero-day vulnerabilities, particularly in 2021, expands the risk portfolio for organizations in nearly every industry sector and geography. While exploitation peaked in 2021, there are indications that the pace of exploitation of new zero-days slowed in the latter half of the year; however, zero-day exploitation is still occurring at an elevated rate compared to previous years.
While zero-day exploitation is expanding, malicious actors also continue to leverage known vulnerabilities, often soon after they have been disclosed. Therefore, security may be improved by continuing to incorporate lessons from past targeting and an understanding of the standard window between disclosure and exploitation. Furthermore, even if an organization is unable to apply the mitigations before targeting occurs, exploitation analysis can still provide further insight into the urgency with which these systems need to be patched. Delays in patching only compound the risk that an organization supporting unpatched or unmitigated software will be affected.
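The two patch-prioritization points above (a widening set of vendors, and the window between disclosure and exploitation as a guide to urgency) can be turned into a simple, repeatable ranking. The following is an added example written for this page; it is not Mandiant's code or tooling. The vulnerability records, vendor names, identifiers (`VULN-A` and so on) and asset counts are constructed placeholders, and the tier scores are an assumed scheme, not figures from the report. The example measures the typical disclosure-to-exploitation window from past exploited vulnerabilities (excluding true zero-days, which were exploited before disclosure and so say nothing about how long a patch can wait), counts exploited vulnerabilities per vendor, and ranks open vulnerabilities so that known zero-days come first, then vulnerabilities exploited after disclosure, then unexploited ones that have already been public for longer than the typical window.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability as tracked by a defender's patch-management process."""
    vuln_id: str                      # constructed placeholder id, not a real CVE
    vendor: str                       # constructed vendor label
    disclosed: date                   # public disclosure / advisory date
    first_exploited: Optional[date]   # earliest known in-the-wild exploitation, None if unknown
    exposed_assets: int               # how many of our assets run the affected software


def exploitation_window_days(rec: VulnRecord) -> Optional[int]:
    """Days from disclosure to first known exploitation; <= 0 means a true zero-day."""
    if rec.first_exploited is None:
        return None
    return (rec.first_exploited - rec.disclosed).days


def typical_window_days(records: List[VulnRecord]) -> Optional[float]:
    """Median disclosure-to-exploitation window over vulnerabilities exploited AFTER disclosure.

    Zero-days (window <= 0) are excluded: they were exploited before anyone could patch,
    so they carry no information about how long a patch can safely wait. Returns None when
    there is no usable history at all, and callers must handle that case.
    """
    windows = [w for w in map(exploitation_window_days, records) if w is not None and w > 0]
    return float(median(windows)) if windows else None


def exploited_count_by_vendor(records: List[VulnRecord]) -> Dict[str, int]:
    """Per-vendor count of vulnerabilities with known exploitation (vendor concentration)."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.first_exploited is not None:
            counts[r.vendor] = counts.get(r.vendor, 0) + 1
    return counts


def classify(rec: VulnRecord, today: date, typical: Optional[float]) -> Tuple[str, int]:
    """Assign a priority tier and an assumed score (higher = patch sooner)."""
    window = exploitation_window_days(rec)
    if window is not None:
        # Exploitation is known: a zero-day outranks post-disclosure exploitation.
        return ("zero-day", 100) if window <= 0 else ("exploited-post-disclosure", 80)
    days_open = (today - rec.disclosed).days
    # No known exploitation yet: once a vulnerability has been public longer than the
    # typical window, history says exploitation is overdue, so urgency goes up.
    if typical is not None and days_open >= typical:
        return ("unexploited-past-typical-window", 50)
    return ("unexploited-within-typical-window", 30)


def rank_for_patching(records: List[VulnRecord], today: date) -> List[Tuple[str, str]]:
    """Order vulnerabilities by tier score, then by number of exposed assets, then by id."""
    typical = typical_window_days(records)
    scored = [(classify(r, today, typical), r) for r in records]
    scored.sort(key=lambda item: (-item[0][1], -item[1].exposed_assets, item[1].vuln_id))
    return [(r.vuln_id, tier) for (tier, _score), r in scored]


# Constructed sample inventory (all values invented for this example).
TODAY = date(2021, 12, 15)
SAMPLE = [
    VulnRecord("VULN-A", "VendorA", date(2021, 3, 2), date(2021, 2, 26), 120),   # zero-day (-4 days)
    VulnRecord("VULN-B", "VendorB", date(2021, 5, 10), date(2021, 5, 17), 40),   # exploited 7 days after
    VulnRecord("VULN-C", "VendorA", date(2021, 8, 1), date(2021, 8, 22), 15),    # exploited 21 days after
    VulnRecord("VULN-D", "VendorC", date(2021, 11, 20), None, 300),              # public 25 days, unexploited
    VulnRecord("VULN-E", "VendorB", date(2021, 12, 10), None, 5),                # public 5 days, unexploited
]

if __name__ == "__main__":
    print("typical window (days):", typical_window_days(SAMPLE))
    print("exploited per vendor:", exploited_count_by_vendor(SAMPLE))
    for vuln_id, tier in rank_for_patching(SAMPLE, TODAY):
        print(f"{vuln_id:8} {tier}")
```

With the constructed inventory the typical window is 14 days (median of 7 and 21), so `VULN-D`, public for 25 days with no known exploitation, is ranked above `VULN-E` even though neither has been exploited. In practice the exploitation dates would come from a vulnerability-intelligence feed or a catalogue of known-exploited vulnerabilities, and the tier scores should be tuned to the organization's own risk appetite.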