State Actors Drive Record Number of Zero-Day Exploits in 2021

Last year saw more exploits of zero-day vulnerabilities than any other, with Chinese state-backed operatives leading the way, according to Mandiant.

The threat intelligence vendor recorded 80 zero-day bugs exploited in the wild in 2021, more than double the previous record of 32 in 2019. Microsoft, Apple and Google products accounted for three-quarters of them.

“We suggest that a number of factors contribute to growth in the quantity of zero-days exploited. For example, the continued move toward cloud hosting, mobile, and Internet of Things (IoT) technologies increases the volume and complexity of systems and devices connected to the internet – put simply, more software leads to more software flaws,” Mandiant explained.

“The expansion of the exploit broker marketplace also likely contributes to this growth, with more resources being shifted toward research and development of zero days, both by private companies and researchers, as well as threat groups. Finally, enhanced defenses also likely allow defenders to detect more zero-day exploitation now than in previous years, and more organizations have tightened security protocols to reduce compromises through other vectors.”

From 2012 to 2021, China has exploited more zero-days than any other country, and last year was no different, according to the report. Russia and North Korea were also mentioned as active last year.

Notable among these Chinese efforts were the four Exchange Server bugs known as ProxyLogon.

This dynamic explains why the vast majority of zero-day exploits recorded by Mandiant last year were linked to espionage rather than financially motivated attacks. However, there has also been an uptick in ransomware groups leveraging zero-days since 2019.

“We suggest that significant campaigns based on zero-day exploitation are increasingly accessible to a wider variety of state-sponsored and financially motivated actors, including as a result of the proliferation of vendors selling exploits and sophisticated ransomware operations potentially developing custom exploits,” Mandiant concluded.

“The marked increase in exploitation of zero-day vulnerabilities, particularly in 2021, expands the risk portfolio for organizations in nearly every industry sector and geography.”

The news follows a Google assessment this week, which claimed a record number of zero-day exploits were detected in 2021. However, it added that this increase might be a result of researchers and vendors doing a better job of finding and disclosing them rather than threat actors using exploits more often.