The number of zero-day vulnerabilities that are exploited jumped in 2023, with enterprises becoming a larger target and spyware vendors and China-backed cyberespionage groups playing an increasingly bigger role, according to Google cybersecurity experts.

In a report this week, researchers with Google’s Threat Analysis Group (TAG) and its Mandiant business said they saw 97 zero-day flaws being exploited in the wild last year, a jump of more than 50% over 2022, though still falling short the 106 found in 2021.

But within those numbers, the researchers saw an evolving situation with some trends – both good and bad – that organizations should continue tracking.

“Zero-day exploitation is no longer just a niche capability accessible to only a handful of actors, and we anticipate that the growth we have seen across the last few years will likely continue, as vendors continue to make other avenues of compromise less accessible and as threat actors focus increasing resources on zero-day exploitation,” they wrote in the report. “The wider proliferation of technology has made zero-day exploitation more likely as well: simply put, more technology offers more opportunity for exploitation.”

Good News for End Users

When looking at the field, Google’s cybersecurity units split vulnerabilities into those targeting end-user technologies, from mobile devices to web browsers to operating systems, and enterprise technologies, including security software and appliances.

They saw particular progress on the end-user side, due in large part to security and mitigation investments that vendors like Apple, Google, and Microsoft are making. That includes Google in late 2022 releasing MiraclePtr to prevent hackers from abusing use-after-free bugs, a type of memory safety flaw, in Chrome. For the first time, there were no use-after-free bugs exploited in the wild in Chrome in 2023.

The researchers also pointed to Apple’s iOS Lockdown Mode, which “is also making attacker’s lives more difficult. If enabled, lockdown mode would have protected users from the majority of the exploitation chains discovered targeting iOS and attackers would not have been able to successfully compromise their targets.”

At the same time, bad actors are putting more emphasis on exploiting zero-day vulnerabilities in third-party components and libraries, which allows them to scale their attacks because they can affect multiple products with a single bug. In 2023, this was a favorite tactic across browsers.

Threat Groups Focusing on Enterprises

While there was good news for end users, there was an upswing in both the number and variety of zero-days targeting enterprises, they wrote. Thirty-six of the zero-day vulnerabilities being exploited targeted enterprise technologies, accounting for 37.1% of all zero days seen in 2023. In 2019, enterprises were the targets of 11.8% of such attacks.

Driving the increase was the heightened focus on cybersecurity software and appliances, including Barracuda’s Email Security Gateway, Cisco’s Adaptive Security Appliance, Ivanti’s Endpoint Manager Mobile and Sentry, and Trend Micro’s Apex One. In all, there were nine zero days affecting security technologies.

“Security software is a valuable target for attackers because it often runs on the edge of a network with high permissions and access,” the TAG and Mandiant researchers wrote. “By successfully exploiting such technologies, attackers can gain an initial foothold into a targeted organization for follow-on activity.”

They also pointed to the growing variety of vendors and products targeted over the past few years, which puts many vendors in “unfamiliar territory: learning how to respond to sophisticated attacks targeting their products in a timely and effective manner while simultaneously developing an effective patch that addresses the ways threat actors are weaponizing the vulnerability.”

Spyware, China are Threats

The Google researchers also noted that commercial surveillance vendors (CSVs) – those who make spyware, such as the high-profile NSO Group as well as others, like Cy4Gate, RCS Lab, and Intellexa – and those governments using their software accounted for half of the exploits linked to governments.

Spyware vendors – whose software is used by governments surveil and track such groups as journalists, dissidents, political opponents, and rights groups – have been a target of the Biden Administration and were the subject of a harsh report by Google that said CSVs “are enabling the proliferation of dangerous hacking tools. The harm is not hypothetical. Spyware vendors point to their tools’ legitimate use in law enforcement and counterterrorism. However, spyware deployed against journalists, human rights defenders, dissidents, and opposition party politicians – what Google refers to as ‘high risk users’ – has been well documented.”

Unsurprisingly, Chinese state-sponsored hackers were responsible for 12 of the zero-day exploitations last year – more than any other country – with the UNC3886 and UNC4841 threat groups accounting for five of them. The U.S. government has put a focus on China’s role in cyberespionage incidents and Google’s findings in the zero-day report lend support to that.

At the same time, a state-sponsored group called Winter Vivern from Belarus – and ally of Russia’s in the war in Ukraine – came on the scene with one zero-day exploitation, the first by time a Belarussian-linked group has been seen using zero-day vulnerabilities in their campaigns. It suggests “the group is growing in sophistication,” the researchers wrote, adding that the “activity primarily targeted government organizations that matched the strategic interests of Belarus and Russia.”