44% of the zero-days exploited in 2024 were in enterprise solutions

In 2024, threat actors exploited 75 zero-days – i.e., vulnerabilities previously unknown to vendors, thus without a readily available patch – in a wide variety of attacks.

Of these, 33 vulnerabilities (44%) affected enterprise solutions, which is up from 37% in 2023, according to Google Threat Intelligence Group researchers.

“Zero-day vulnerabilities in security software and appliances were a high-value target in 2024. We identified 20 security and networking vulnerabilities, which was over 60% of all zero-day exploitation of enterprise technologies,” they noted.

“Exploitation of these products, compared to end-user technologies, can more effectively and efficiently lead to extensive system and network compromises, and we anticipate adversaries will continue to increase their focus on these technologies.”

Interesting findings

Google Threat Intelligence Group has released its yearly analysis of the zero-day vulnerabilities exploited in the past year, and has pinpointed a number of interesting trends on the end-user technology side:

  • Zero-day exploitation of browsers and mobile devices fell drastically when compared with 2023 numbers: 17 to 11 for browsers, and 17 to 9 for mobile.
  • Exploit chains consisting of multiple zero-days are almost exclusively aimed at targeting mobile users.
  • There has been a marked decrease in exploitation of vulnerabilities in Apple’s Safari browser and iOS mobile OS.

Figure: 2024 exploited zero-days (Source: GTIG)

On the enterprise-focused technology side, it’s notable that attackers targeted vulnerabilities in solutions by 18 unique vendors (out of 20 in total).

“The vendors affected by multiple 2024 zero-day vulnerabilities generally fell into two categories: big tech (Microsoft, Google, and Apple) and vendors who supply security and network-focused products,” they determined.

“As expected, big tech took the top two spots, with Microsoft at 26 and Google at 11. Apple slid to the fourth most frequently exploited vendor this year, with detected exploitation of only five zero-days. Ivanti was third most frequently targeted with seven zero-days, reflecting increased threat actor focus on networking and security products.”

Ivanti’s rise on the list is partly due to an increase of exploitation of security and network technologies by threat actors backed by the People’s Republic of China.

“Security and network tools and devices are designed to connect widespread systems and devices with high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks,” the researchers explained.

“Endpoint detection and response (EDR) tools are not usually equipped to work on these products, limiting available capabilities to monitor them. Additionally, exploit chains are not generally required to exploit these systems, giving extensive power to individual vulnerabilities that can single-handedly achieve remote code execution or privilege escalation.”

And while state-sponsored hackers concentrated on exploiting zero-days in firewalls, VPN and security appliances, financially motivated groups concentrated on hitting vulnerable managed file transfer products (e.g., by Cleo).

As expected, commercial spyware vendors continued to leverage zero-days. “In 2024, we observed multiple exploitation chains using zero-days developed by forensic vendors that required physical access to a device (CVE-2024-53104, CVE-2024-32896, CVE-2024-29745, CVE-2024-29748). These bugs allow attackers to unlock the targeted mobile device with custom malicious USB devices,” the researchers noted.

Advice for vendors

The most frequent types of zero-day vulnerabilities exploited in 2024 were use-after-free, command/code injection, and cross-site scripting vulnerabilities. These can be prevented by prioritizing higher coding standards and preventative practices such as regular code reviews, refactoring outdated codebases, and relying on up-to-date, trusted libraries, the researchers noted.
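To make two of those vulnerability classes concrete, the following is an added illustration (not code from GTIG or from the article) of a command-injection and a cross-site-scripting pattern beside their hardened forms. The function names, the hostname allowlist regex and the sample inputs are all constructed for this example; the vulnerable command string is only built, never executed, and the hardened form is what actually runs.

```python
import html
import re
import subprocess

# Constructed sample inputs for this example: one valid hostname and one value
# that smuggles a shell metacharacter into the same form field.
VALID_HOST = "example.com"
HOSTILE_HOST = "example.com; id"

# Allowlist for a hostname: dot-separated labels of letters, digits and hyphens,
# with no leading or trailing hyphen in any label (constructed for this example).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_vulnerable(host: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell command line.

    If this string were passed to subprocess.run(..., shell=True), the shell
    would treat the ';' in HOSTILE_HOST as a command separator. The string is
    only constructed here so the defect can be inspected; it is never run.
    """
    return f"ping -c 1 {host}"


def build_ping_hardened(host: str) -> list[str]:
    """Hardened pattern: allowlist validation, then an argv list (no shell).

    With a list argv and shell=False, no shell ever parses the value, so even a
    metacharacter that somehow passed validation would reach ping as one
    literal argument rather than starting a second command.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the hardened form; a list argv defaults to shell=False."""
    return subprocess.run(
        build_ping_hardened(host),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


def render_comment_vulnerable(comment: str) -> str:
    """Vulnerable pattern: untrusted text interpolated into HTML unescaped."""
    return f'<li class="comment">{comment}</li>'


def render_comment_hardened(comment: str) -> str:
    """Hardened pattern: output encoding for an HTML text-node context.

    html.escape with quote=True also neutralises quotes, so the same helper is
    safe for attribute values; other contexts (URL, JavaScript) need their own
    encoders, which is the point of 'contextual' escaping.
    """
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


if __name__ == "__main__":
    print("vulnerable command string:", build_ping_vulnerable(HOSTILE_HOST))
    print("hardened argv for valid host:", build_ping_hardened(VALID_HOST))
    try:
        build_ping_hardened(HOSTILE_HOST)
    except ValueError as exc:
        print("hardened form rejected hostile input:", exc)
    # Constructed comment body containing markup that must not be rendered live.
    sample = '<b onmouseover="x">hi</b>'
    print("vulnerable render:", render_comment_vulnerable(sample))
    print("hardened render:  ", render_comment_hardened(sample))
    try:
        result = run_ping(VALID_HOST, timeout=3)
        print("ping exit status:", result.returncode)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        print("ping not run in this environment:", exc)
```

The two hardened functions show the practices the paragraph lists in miniature: an explicit allowlist plus an API that never hands data to an interpreter (argv list instead of a shell string), and a standard-library encoder instead of hand-rolled string replacement.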

Newly targeted vendors and vendors of enterprise products that are being increasingly targeted should improve their security practices and procedures, shore up protection mechanisms, and consider addressing gaps in configurations and architectural decisions that could permit exploitation.

“We continue to see the same types of vulnerabilities exploited over time, indicating patterns in what weaknesses attackers seek out and find most beneficial to exploit. Continued existence and exploitation of similar issues makes zero-days easier; threat actors know what to look for and where exploitable weaknesses are most pervasive,” they added.
