It's Raining Zero-Days in Cyberspace
Chinese Hackers and Others Increasingly Favor Unpatched Vulnerabilities
Last year was another bonanza in zero-days for Chinese state hackers, say security researchers in a report predicting a permanent uptick in nation-state exploitation of yet-unpatched vulnerabilities.
Data taken from original research by cybersecurity firm Mandiant and from open-source reporting suggests zero-day exploitation is generally trending upward despite fluctuation from year to year in the exact numbers of detected zero-days.
A report from the Google-owned threat intelligence company says 55 zero-day exploits were detected during 2022. That's fewer than the 81 known zero-days spotted the year before but also a 200% increase compared to 2020.
"Attackers seek stealth and ease of exploitation, both of which zero-days can provide," Mandiant writes. Given the tactical edge they give to attackers, "we expect that threat actors will continue to pursue the discovery and exploitation of zero-days."
Of the zero-days whose exploitation researchers could attribute with at least moderate confidence, Chinese state-sponsored groups were responsible for slightly more than half. Chinese campaigns were notable for the involvement of "multiple groups, expansive targeting, and focus on enterprise networking and security devices."
Mandiant says Chinese nation-state hackers used fewer zero-day exploits in 2022 than the year before, but Beijing's growing capacity for identifying and exploiting unpatched vulnerabilities has caught the attention of multiple Western security researchers. CrowdStrike recently said Beijing is "up-leveling" its capabilities while Microsoft has warned about possible stockpiling of zero-days by Beijing. Both firms trace China's wealth of zero-days to a vulnerability disclosure requirement that took effect Sept. 1, 2021, as part of a larger Data Security Law tightening regulations around the processing of Chinese data.
Exploitation by more than one Chinese state hacking group of a particular zero-day, such as the belatedly patched Follina bug in Microsoft Office, suggests that Chinese state-hacking groups obtain tools from a centralized quartermaster, Mandiant says.
China was not the only government to latch onto Follina, Mandiant says. Russian state hackers known as APT28 also exploited it, although that may have been opportunistic hackers taking advantage of the weekslong lag between disclosure and patch release.
Moscow made use of only two zero-day exploits during 2022, Mandiant says, a situation it attributes to heightened vigilance over Russian operators in the wake of the Kremlin's February 2022 invasion of Ukraine. Russian hackers may be wary of using valuable zero-days while defenders are extra watchful of their actions.
A threat cluster Mandiant tracks as UNC2633 also got in on the Follina action, using it in at least two instances to distribute Qakbot malware. Financially motivated actors such as ransomware hackers collectively exploited four zero-day vulnerabilities in 2022.
Products from Microsoft, Google and Apple accounted for the majority of zero-days in 2022. The most exploited product types were operating systems, followed by web browsers; security, IT and network management products; and mobile operating systems.