Mandiant found 55 zero-day vulnerabilities exploited during the year. While this represents a significant drop from 2021 (81), it is still three times the number exploited in 2020. Zero-day vulnerabilities are previously unknown flaws in software and other IT products. Malicious actors often exploit these vulnerabilities to access a victim’s network and carry out cyber espionage or financially motivated schemes, such as ransomware attacks.

Threat actors targeted computer operating systems the most (19), followed by browsers (11), security, IT, and network management products (10), and mobile operating systems (6). Apple and Google joined Microsoft as the most targeted vendors in 2022, a trend that continued from previous years. Mandiant said that these companies remain top targets due to their array of popular products and services, which grant wide access to threat actors.

“We also observed more unique vendors or niche products that were targeted, which may indicate a focus by some threat actors on those systems based on specific targets or victims of interest, and those technologies being a particularly useful attack vector in those specific cases,” the firm said in its blog.
Cyber Espionage Groups Exploited 13 Discovered Vulnerabilities
Mandiant said cyber-espionage groups exploited at least 13 zero-days, adding that Chinese cyber-espionage groups were the most active in exploiting these vulnerabilities. In March 2022, Mandiant identified suspected Chinese actors targeting a vulnerability, dubbed Follina, in a Microsoft diagnostic tool. The flaw could grant actors the ability to execute arbitrary code. “The vulnerability is exploited primarily through convincing users to open Word documents; it can also be exploited through other vectors that process URLs. We observed at least three separate activity sets exploit Follina as a zero-day in support of operations against public and private organizations in three distinct regions,” Mandiant stated.

It also found that North Korean actors exploited two known vulnerabilities. One cluster of malicious activity targeted organizations in the media, tech, and financial sectors by exploiting a Google Chrome vulnerability. A second cluster, observed in November 2022, targeted the South Korean tech sector. The campaign involved the use of spear-phishing emails containing malicious attachments to exploit a Microsoft Windows Server zero-day vulnerability.
Financially Motivated Zero-Day Activity Declined in 2022
Mandiant found that financially motivated threat actors exploited four zero-day vulnerabilities in 2022. While this represents a decline from 2021, Mandiant warned that zero-day exploits remain popular among threat actors. Furthermore, operators of some of the most prolific ransomware groups in years prior were based in Russia or Ukraine. Therefore, the Russian invasion of its neighbor in early 2022 may have affected these operations.

“We anticipate that the longer term trendline for zero-day exploitation will continue to rise, with some fluctuation from year to year. Attackers seek stealth and ease of exploitation, both of which zero-days can provide,” Mandiant said. “While the discovery of zero-day vulnerabilities is a resource-intensive endeavor and successful exploitation is not guaranteed, the total number of vulnerabilities disclosed and exploited has continued to grow, the types of targeted software, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has expanded,” it added.

Every business, regardless of size, requires an online presence in 2023. If you’re a small business owner, we recommend checking out our beginner’s guide to cybersecurity for some recommendations on how to keep your operations secure.