Google has revealed that it observed 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023.
Of the 75 zero-days, 44% of them targeted enterprise products. As many as 20 flaws were identified in security software and appliances.
“Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for mobile devices compared to what we observed last year,” the Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker news.
“Exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively (~90%) used to target mobile devices.”
While Microsoft Windows accounted for 22 of the zero-day flaws exploited in 2024, Apple’s Safari had three, iOS had two, Android had seven, Chrome had seven, and Mozilla Firefox had one flaw that were abused during the same period. Three of the seven zero-days exploited in Android were found in third-party components.
Among the exploited 33 zero-days in enterprise software and appliances, 20 of them targeted security and network products, such as those from Ivanti, Palo Alto Networks, and Cisco.
“Security and network tools and devices are designed to connect widespread systems and devices with high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks,” GTIG researchers noted.
In all, a total of 18 unique enterprise vendors were targeted in 2024, in comparison to 12 in 2021, 17 in 2022, and 22 in 2023. The companies with the most targeted zero-days were Microsoft (26), Google (11), Ivanti (7), and Apple (5).
What’s more, the zero-day exploitation of 34 of the 75 flaws have been attributed to six broad threat activity clusters –
- State-sponsored espionage (10), led by China (5), Russia (1), and South Korea (1) (e.g., CVE-2023-46805, CVE-2024-21887)
- Commercial surveillance vendors (8) (e.g., CVE-2024-53104, CVE-2024-32896, CVE-2024-29745, CVE-2024-29748)
- Non-state financially motivated groups (5) (e.g., CVE-2024-55956)
- State-sponsored espionage and financially motivated groups (5), all from North Korea (e.g., CVE-2024-21338, CVE-2024-38178)
- Non-state financially motivated groups also conducting espionage (2), all from Russia (e.g. CVE-2024-9680, CVE-2024-49039)
Google said it discovered in November 2024 a malicious JavaScript inject on the website of the Diplomatic Academy of Ukraine (online.da.mfa.gov[.]ua), which triggered an exploit for CVE-2024-44308, resulting in arbitrary code execution.
This was then chained with CVE-2024-44309, a cookie management vulnerability in WebKit, to launch a cross-site scripting (XSS) attack and ultimately collect users’ cookies in order to unauthorized access to login.microsoftonline[.]com.
The tech giant further noted that it independently discovered an exploit chain for Firefox and Tor browsers that leveraged a combination of CVE-2024-9680 and CVE-2024-49039 to break out of the Firefox sandbox and execute malicious code with elevated privileges, thereby paving the way for the deployment of RomCom RAT.
The activity, previously flagged by ESET, has been attributed to a threat actor called RomCom (aka Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu). Google is tracking the dual financial- and espionage-motivated threat group under the name CIGAR.
Both the flaws are said to have been abused as a zero-day by another likely financially motivated hacking crew that used a legitimate, compromised cryptocurrency news website as a watering hole to redirect visitors to an attacker-controlled domain hosting the exploit chain.
“Zero-day exploitation continues to grow at a slow but steady pace. However, we’ve also started seeing vendors’ work to mitigate zero-day exploitation start to pay off,” Casey Charrier, Senior Analyst at GTIG, said in a statement shared with The Hacker News.
“For instance, we have observed fewer instances of zero-day exploitation targeting products that have been historically popular, likely due to efforts and resources many large vendors have invested in order to prevent exploitation.”
“At the same time, we’re seeing zero-day exploitation shift towards the increased targeting of enterprise-focused products, which requires a wider and more diverse set of vendors to increase proactive security measures. The future of zero-day exploitation will ultimately be dictated by vendors’ decisions and ability to counter threat actors’ objectives and pursuits.”
