Dive Brief:
- In a report published Tuesday, Google said it saw hackers exploit fewer zero-day vulnerabilities in the wild in 2024 than in 2023.
- The company attributed the decrease largely to vendor investments in exploit mitigations and secure software development practices, which have made browsers and mobile operating systems harder targets.
- Still, Google said it is seeing a “slow but steady” increase in the rate of zero-day exploitation over time.
Dive Insight:
Zero-day vulnerability exploitation represents one of several important metrics for assessing the software industry’s progress on baking security into its development practices. The new report from Google’s Threat Intelligence Group offered a mixture of good news and bad regarding the continuing menace of zero-day threats.
On the one hand, Google said that “vendor investments in exploit mitigations are having a clear impact on where threat actors are able to find success.” Zero-day exploits in internet browsers and mobile operating systems “fell drastically,” the company said, “decreasing by about a third for browsers and by about half for mobile devices compared to what we observed last year.”
On the other hand, threat actors are pivoting quickly to products they expect to be less well maintained and less well secured: enterprise platforms, in particular security and networking appliances such as Ivanti’s Connect Secure VPN and Palo Alto Networks’ PAN-OS firewalls. In 2024, 44% of exploited zero-days targeted enterprise platforms, up from 37% in 2023, and vulnerabilities in security and networking products accounted for 60% of those enterprise exploits. Because these devices sit at the network perimeter with privileged access to internal systems, Google researchers noted that “exploitation of these products, compared to end-user technologies, can more effectively and efficiently lead to extensive system and network compromises.”
The number of enterprise vendors whose products contained exploited zero-days dipped slightly from 2023, but the three-year trend still points to a steady increase in the number of affected vendors. Google also noted that enterprise vendors made up almost all of the companies with exploited zero-days in 2024 (18 of 20), a similar proportion to 2023 (22 of 23).
Government-backed cyber espionage operations accounted for the plurality (29%) of zero-day exploitation that Google could attribute in 2024, with commercial spyware vendors in second place (23.5%), so the two groups together accounted for a majority of attributed exploitation. For the first time, Google tied as many zero-day exploitation incidents to North Korean actors as it did to Chinese actors.