In what’s potentially a window into how Google and Mandiant could complement one another if the acquisition gets approved, two separate blogs in the past week from Mandiant Threat Intelligence and Google's Project Zero security team identified a significant jump last year in zero-day vulnerabilities that threat actors exploited before a patch became available.
Mandiant counted a total of 80 zero-days in 2021, while Google identified 58 zero-days that were exploited in-the-wild. Mandiant’s finding was double the record they tracked in 2019, while Google’s number was double the record number of zero-days it found in 2015.
In a blog post, Mandiant researchers said state-sponsored groups are the primary actors exploiting zero-day vulnerabilities, led by Chinese threat groups. The researchers said nearly 1 in 3 identified actors exploiting zero-days in 2021 were financially motivated. These threat actors exploited zero-days in Microsoft, Apple and Google products most frequently.
Google’s Project Zero said in a blog post that 67% of the in-the-wild zero-days were memory corruption vulnerabilities, which the researchers say have been the standard for attacking software for the last few decades, and how attackers are having success.
In response to the increase in zero-day exploitation, StackHawk co-founder and CSO Scott Gerlach said engineering organizations need to react quickly and efficiently when new zero-day issues are discovered. However, Gerlach said testing periodically with quarterly or annual penetration tests to see if new zero-days impact code introduces completely unnecessary risk.
“Penetration tests to find weaknesses in your software are great ideas, but they are hyper-inefficient for understanding if you are using a library that has been compromised by a zero-day, or if you have written in a zero-day type vulnerability into your proprietary code,” Gerlach said. “The most efficient way to make sure third-party libraries are protected from zero-days are to use modern tools that look for common vulnerabilities and exposures (CVEs) during development. The most efficient way to protect proprietary code developed by your team is to test for vulnerabilities every time code is checked in.”
Bud Broomhead, CEO at Viakoo, said the threat actors are shifting their attack vectors away from vulnerabilities that traditional threat assessment and detection solutions would uncover. Broomhead said that’s why along with zero-day threats, the exploitation of IoT vulnerabilities and threat actors leveraging open source software are rapidly growing enterprise threats.
“Many organizations outside of IT manage devices that are susceptible to zero-day attacks, such as IoT devices traditionally managed by manufacturing, facilities and other lines of business,” Broomhead said. “Providing those organizations with the tools, budget, and training to secure the devices they manage is critical to stopping fast-growing attack vectors like zero-days.”
