Monday, July 1, 2024

2022 Zero-Day exploitation continues at a worrisome pace

Security Affairs

Experts warn that in 2022, 55 zero-day vulnerabilities were exploited in attacks carried out by ransomware and cyberespionage groups.

Cybersecurity firm Mandiant reported that ransomware and cyberespionage groups exploited 55 zero-day flaws in real-world attacks.

Most zero-day vulnerabilities have been in software from Microsoft, Google, and Apple.

Although the figure is down from 2021, experts point out that it is almost three times higher than in 2020.

Most zero-day vulnerabilities have been exploited by threat actors associated with China as part of cyberespionage campaigns.

Researchers reported that only four zero-day vulnerabilities were exploited by financially motivated attackers, 75% of which were related to ransomware attacks.

“In 2022, products from Microsoft, Google and Apple accounted for the majority of zero-day vulnerabilities, the same as the previous year. The most exploited product types were operating systems (OS) (19), browsers (11), security, IT and network management products (10), followed by mobile OS (6).” reads the report published by Mandiant.

According to the report, 13 zero-days were exploited by cyberespionage groups in 2022, a number consistent with 2021. Seven zero-days (CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518 and CVE-2022-41328) were exploited in the wild by cyberespionage groups with links to China, and two zero-day vulnerabilities were exploited by APT groups suspected of having links to North Korea.

“We identified four zero-day vulnerabilities that could be attributed to exploitation by financially motivated threat actors, a quarter of the total of 16 zero-days for which we could determine the motivation for exploitation. 75% of these cases appear to be related to ransomware operations, consistent with data from 2021 and 2019 where ransomware groups exploited the highest amount of zero-day vulnerabilities compared to any other financially motivated attacker.” the report continues. “However, in 2022, the overall number and percentage of financially motivated zero-day exploits are down compared to recent years.”

[Figure: zero-day vulnerabilities, Mandiant report]

Several APT groups with links to China exploited the CVE-2022-30190 vulnerability (aka Follina), and exploitation of the FortiOS vulnerabilities CVE-2022-42475 and CVE-2022-41328 was observed in a particularly noteworthy campaign in 2022.

Mandiant believes there is a joint development and logistics infrastructure behind the attack.

Mandiant also observed two cases of zero-day exploitation by Russian state actors. The first was a campaign by the Russia-linked APT28 group that exploited the CVE-2022-30190 flaw (aka Follina) in early June 2022. The second was a campaign that exploited the Microsoft Exchange vulnerability CVE-2023-23397 over several months, conducted by a threat actor tracked as UNC4697 (possibly linked to the APT28 group).

Experts explained that after Russia’s invasion of Ukraine, heightened interest in sabotaging Russian cyber operations may have discouraged Russia-linked groups from spending zero-day exploits on access they expected to lose quickly. This suggests that the exploitation of the CVE-2022-30190 flaw was likely opportunistic.

“Nearly all of the 2022 zero-day vulnerabilities (53) were exploited to execute (mostly remote) code or gain elevated privileges, both of which are consistent with the goals of most threat actors. Information disclosure vulnerabilities often receive attention due to the risk of customer and user data being disclosed and misused, but these vulnerabilities often leave attackers limited in scope for action.” the report concludes. “Elevated privileges or code execution could cause lateral movement across the network, with effects beyond the initial access vector.”

Pierluigi Paganini