Previously unknown “zero-day” software vulnerabilities are mysterious and intriguing as a concept. But they’re even more remarkable when hackers are spotted actively taking advantage of the new software bugs in the wild before anyone else knows about them. As researchers have expanded their focus to detect and study more of this exploitation, they are seeing it more often. Two reports this week from threat intelligence firm Mandiant and Google’s bug-hunting team, Project Zero, aim to provide insight into exactly how much zero-day exploitation has grown in recent years.
Mandiant and Project Zero each have different scopes for the types of zero-days they track. For example, Project Zero does not currently focus on analyzing flaws in Internet-of-Things devices that are exploited in the wild. As a result, the absolute numbers in the two reports are not directly comparable, but both teams tracked a record number of zero-days exploited in 2021. Mandiant tracked 80 last year compared to 30 in 2020, and Project Zero tracked 58 in 2021 compared to 25 the year before. The key question for both teams, however, is how to put their findings into context, since no one can see the full scale of this clandestine activity.
“We started to see a spike in early 2021, and a lot of the questions I got throughout the year were, ‘What the hell is going on?!’,” said Maddie Stone, a security researcher at Project Zero. “My first reaction was, ‘Oh my god, there’s so much.’ But when I stepped back and looked at it in the context of previous years, to see such a big jump, that growth is actually more likely due to increased detection, transparency and public knowledge about zero-days.”
Before a software vulnerability is made public, it is referred to as a “zero-day” because there have been zero days in which the software maker could have developed and released a patch, and zero days for defenders to monitor for the vulnerability. The hacking tools that attackers use to take advantage of such vulnerabilities are, in turn, known as zero-day exploits. Once a bug is publicly known, a fix may not be released immediately (if ever), but attackers know their activity can be detected or the hole closed at any time. As a result, zero-days are highly sought after and big business for both criminals and, in particular, government-backed hackers who want to run both mass campaigns and custom, individual targeting.
Zero-day vulnerabilities and exploits are generally considered unusual and rare hacking tools, but governments have repeatedly demonstrated that they are building zero-days, and increased detection has shown how often attackers deploy them. In the past three years, tech giants such as Microsoft, Google, and Apple have begun to normalize disclosing, when they reveal and fix a vulnerability, that it was exploited before the patch was released.