Dive Brief:
- Exploits of zero-day vulnerabilities fell by almost a third in 2022, but it was still the second highest year on record, according to Mandiant research released Monday.
- Mandiant tracked 55 zero-day vulnerabilities that were exploited in 2022, including three instances linked to financially motivated ransomware threat actors.
- Products from the three largest vendors — Microsoft, Google and Apple — were the most commonly exploited for the third year in a row, according to Mandiant.
Dive Insight:
Threat actors continued to primarily search for zero-day vulnerabilities in the most widely used products.
Microsoft remained the most frequently impacted vendor, accounting for nearly one-third of all exploited zero-day vulnerabilities. Results were similar in 2021, according to Mandiant.
Google and Apple combined for 19 zero-days exploited in 2022, just one more than the 18 attributed to Microsoft alone. Microsoft did not immediately respond to a request for comment.
The number of zero-days exploited in unique or niche products grew, indicating a more targeted approach taken by some threat actors to focus on systems used by specific targets or victims, the report said.
More than 1 in 3 zero-days, which Mandiant defines as vulnerabilities exploited in the wild before a patch is publicly available, affected desktop operating systems last year. Browsers accounted for 1 in 5 and mobile operating systems claimed about 1 in 10, according to Mandiant.
At least 1 in 4 zero-day vulnerabilities exploited in 2021 and 2022 affected products not from the top three vendors, a reminder that organizations must still invest resources in defending other technologies.
“Network configuration contributes heavily to this risk calculus, as a less frequently targeted vendor or product uniquely or improperly configured could deliver outsize risk to that network,” James Sadowski, principal analyst at Mandiant, said via email.
Threat actors also targeted security, IT and network management products, which are consistently internet-facing and less heavily monitored by organizations.
Zero-day vulnerabilities in these types of products claimed nearly 1 in 5 exploits last year and impacted products from Cisco, Fortinet, SolarWinds, Sophos, Trend Micro and Zoho, Mandiant research found.
Organizations that maintain a zero-trust approach to network design can reduce risk by limiting the extent to which threat actors can use zero-day vulnerabilities to pivot from initial access vectors, Sadowski said.
“Zero-days are most often used to gain more reliable and widespread access to a victim network, meaning the most effective preventative measures against these pervasive techniques will be those that limit evolving access,” Sadowski said. “This limits potential damage even from unidentified breaches.”