Enterprise-specific zero-day exploits on the rise, Google warns


Zero-day vulnerabilities may have declined in 2024, but the number of flaws in enterprise products that didn’t have a patch at the time of exploitation is increasing, highlighting the increased focus attackers have on exploiting enterprise software and devices to achieve initial access to corporate networks.

“While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts,” researchers from Google’s Threat Intelligence Group (GTIG) wrote in their annual zero-day report.

GTIG tracked a total of 75 zero-day vulnerabilities in 2024 compared to 98 in 2023. Of the identified zero-day flaws, 33 targeted enterprise technologies (44%), a 7% increase over 2023, primarily fueled by increased exploitation of security and networking appliances.

The remaining 42 zero-days that Google categorized as impacting end-user products are vulnerabilities in operating systems and browsers, which also impact enterprises.

Browser and mobile zero-days declining

Microsoft Windows saw the biggest increase in zero-day exploitation last year with 22 flaws compared to 16 in 2023. Android saw exploitation of seven zero-day flaws, on par with 2023, while iOS zero-days dropped significantly from nine to two.

On the browser front, Google Chrome was targeted through seven unpatched vulnerabilities, Mozilla Firefox through one, and Apple’s Safari with three (down from 11 in 2023).

Because of added security layers on mobile devices such as application sandboxing, exploitation usually requires chaining multiple vulnerabilities together to achieve remote code execution with elevated privileges. Mobile devices, including mobile browsers, are particularly targeted by commercial surveillance vendors (CSVs) who sell their products to governments and intelligence agencies. These customers typically seek to obtain information from their surveillance targets’ mobile phones, either remotely or through physical access.

One example is an exploit chain that combined three vulnerabilities to unlock the seized Android phone of a student activist in Serbia last year with a product developed by Cellebrite, an Israeli digital forensics company. One of the vulnerabilities used in the chain, CVE-2024-53104, affects the Android USB Video Class (UVC) kernel driver and was patched in February. The other two vulnerabilities, CVE-2024-53197 and CVE-2024-50302, were patched in the Linux kernel, which Android is based on.

“While we still expect government-backed actors to continue their historic role as major players in zero-day exploitation, CSVs now contribute a significant volume of zero-day exploitation,” the Google GTIG researchers said. “Although the total count and proportion of zero-days attributed to CSVs declined from 2023 to 2024, likely in part due to their increased emphasis on operational security practices, the 2024 count is still substantially higher than the count from 2022 and years prior.”

Surge in network edge device exploitation

Of the 33 zero-day vulnerabilities in enterprise-specific products, 20 targeted hardware appliances typically located at the network edge, such as VPNs, security gateways, and firewalls. Notable targets last year included Ivanti Cloud Services Appliance, Palo Alto Networks’ PAN-OS, Cisco Adaptive Security Appliance, and Ivanti Connect Secure VPN.

Targeted attacks against these network edge devices were one of several key zero-day exploitation trends for 2024.

In fact, with a total of seven zero-days exploited in its products last year, Ivanti became the third most targeted vendor, after Microsoft and Google and ahead of Apple, which held the third spot in previous years.

There are several reasons why these products are attractive targets, aside from the fact that many of them are directly reachable from the internet. First, they are designed to connect various devices and users with high privileges. As such, they provide a great opportunity to perform lateral movement inside a network.

Secondly, these appliances run embedded operating systems so security teams can’t deploy their usual endpoint detection and response tools on them. This lack of visibility means that a compromise of such a device can go undiscovered for a long time.

Finally, according to GTIG, achieving remote code execution or privilege escalation on these devices is generally easier and doesn’t require complex exploit chains. As a result, attackers get more value from individual vulnerabilities, with less effort involved in developing working exploits.

The rise in network perimeter device exploitation was also observed by Google’s Mandiant division, which specializes in incident response investigations. In its own annual report, Mandiant noted that vulnerability exploits remained the top initial access method in 2024 and vulnerabilities in security and networking appliances were at the top of the list of exploited flaws.

Goals and motivations behind zero-day exploitation

Cyberespionage groups were responsible for the largest number of zero-days last year (17), with Chinese groups responsible for five, North Korea for five, Russia for one, and South Korea for one. North Korea is a special case because its APT groups engage in both cyberespionage and financially motivated crimes to fund the regime. Another two zero-day flaws were attributed to Russian groups that are not state affiliated but also engage in both financial crimes and cyberespionage.

Three zero-days were used in cyberespionage attacks that did not reveal sufficient information about the location of the attackers. CSVs were responsible for eight zero-days, followed by non-state-backed financially motivated groups with five.

“We attributed the exploitation of 34 zero-day vulnerabilities in 2024, just under half of the total 75 we identified in 2024,” the GTIG researchers wrote. “While the proportion of exploitation that we could attribute to a threat actor dipped slightly from our analysis of zero-days in 2023, it is still significantly higher than the ~30% we attributed in 2022.”

As far as the types of flaws go, the most common source of vulnerabilities was use-after-free memory issues (8), followed by OS command injection (8), and cross-site scripting (XSS) issues (6). Command and code injection weaknesses were almost exclusively encountered on network and security appliances and software. Remote code execution and privilege escalation were the most common impacts of the zero-day flaws identified in 2024.
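OS command injection is the weakness class the report ties most closely to network and security appliances. As an added illustration (not code from GTIG, Google, or any appliance vendor), here is a hypothetical appliance "ping a host" diagnostic written two ways in Python: the vulnerable pattern that splices user input into a shell command string, and a hardened version that validates the input against a hostname allowlist and hands an argument list to the operating system without a shell. It also includes a small check a defender could run over request logs to flag shell metacharacters in a field that should only ever hold a hostname. All function names, the regular expression, and the sample inputs are constructed for this example.

```python
import re
import subprocess

# Hypothetical appliance diagnostics code, constructed for this example and
# not taken from any vendor's product: a web form that pings a user-supplied
# host and shows the result.

# Hostname allowlist: labels of letters, digits and hyphens joined by dots,
# no leading/trailing hyphen or dot, at most 253 characters overall. Nothing
# a shell would treat specially can pass this pattern.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

# Characters that let a shell start a second command or change what runs.
SHELL_METACHARS = set(";|&$`<>(){}\n\"'\\ ")


def build_ping_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: untrusted input spliced into a shell command string.

    If this string were passed to subprocess.run(..., shell=True), anything
    after a ';' or '|' in `host` would run as a separate command with the
    web server's privileges. The function only returns the string so the
    reader can see exactly what the shell would receive; it never runs it.
    """
    return f"ping -c 1 {host}"


def injection_suspected(host: str) -> bool:
    """Cheap detection check for request logs or a WAF rule: true when a
    field that should only hold a hostname contains a shell metacharacter."""
    return any(ch in SHELL_METACHARS for ch in host)


def build_ping_command_hardened(host: str) -> list[str]:
    """Hardened pattern: strict allowlist validation, then an argv list.

    Passing a list with shell=False means the kernel receives exactly these
    arguments as the program's argv; no shell ever parses the input.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def hardened_rejects(host: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_ping_command_hardened(host)
    except ValueError:
        return True
    return False


def run_ping(host: str) -> int:
    """Execute the hardened command without a shell; return the exit status."""
    argv = build_ping_command_hardened(host)
    completed = subprocess.run(argv, shell=False, capture_output=True, timeout=10)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, one carrying a second command.
    for sample in ("gateway.example.com", "example.com; other-command"):
        print(f"input: {sample!r}")
        print(f"  vulnerable shell string : {build_ping_command_vulnerable(sample)!r}")
        print(f"  metacharacters present  : {injection_suspected(sample)}")
        print(f"  hardened builder rejects: {hardened_rejects(sample)}")
```

The two builders make the difference concrete: the vulnerable version happily returns a string in which the attacker-controlled suffix sits after a semicolon, while the hardened version refuses the same input before any process is created. `injection_suspected` is deliberately broader than the allowlist so it can be used as a log-review heuristic on appliances where no endpoint agent can be installed.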

“Defending against zero-day exploitation continues to be a race of strategy and prioritization,” the GTIG team said. “Not only are zero-day vulnerabilities becoming easier to procure, but attackers finding use in new types of technology may strain less experienced vendors. While organizations have historically been left to prioritize patching processes based on personal or organizational threats and attack surfaces, broader trends can inform a more specific approach alongside lessons learned from major vendors’ mitigation efforts.”

Original article: Enterprise-specific zero-day exploits on the rise, Google warns | CSO Online