In 2022, 55 zero-day vulnerabilities were exploited in the wild, most of them in software from Microsoft, Google, and Apple. That is down from the 81 zero-days exploited in 2021, but it continues the trend of threat actors relying on undisclosed flaws, for which no patch exists at the time of exploitation, to breach systems.

The data comes from Mandiant, which also broke the 55 zero-days down by the type of product affected: 19 in desktop operating systems, 11 in web browsers, 10 in IT and network management products, and six in mobile operating systems. Of the 55, Mandiant attributed 13 to cyber espionage groups and four to financially motivated attackers, chiefly in ransomware operations. A further three were linked to commercial spyware vendors.

Chinese state-sponsored groups were the most prolific, exploiting seven zero-days over the year: CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328. Several of these sit in network edge devices such as firewalls and VPN appliances, which these groups favor for initial access because the devices are internet-facing and rarely covered by endpoint telemetry. Mandiant noted that the same exploit surfacing in distinct campaigns could indicate that it is being shared among multiple China-nexus espionage clusters through a common supplier, which Mandiant describes as a digital quartermaster.

By comparison, North Korean and Russian threat actors were each linked to two zero-days, including CVE-2022-0609 and CVE-2022-41128. Alongside the zero-day activity, Mandiant observed a continuing trend of attackers rapidly weaponizing newly disclosed (n-day) vulnerabilities against targets worldwide, which compresses the window defenders have to patch. The firm also noted that the volume of zero-days is straining security resources, with the targeted software ranging from Internet of Things (IoT) devices to cloud services.

The Mandiant report coincides with warnings from Microsoft about escalating cyber threats from Russia as the war in Ukraine continues. Microsoft's Digital Threat Analysis Center has observed Russian cyber operations being adjusted to expand both their destructive and their intelligence-gathering capabilities against Ukrainian targets and their allies. Since the invasion began, Russian actors have deployed multiple ransomware and wiper families against more than 100 Ukrainian organizations, and between January and mid-February 2023 Microsoft tracked espionage campaigns against organizations in 17 European nations.

The observed activity maps onto the MITRE ATT&CK tactics a defender would expect: Initial Access through compromised software and services, Persistence through installed malware, and Privilege Escalation to carry out the attack. A distinctive feature of these operations is the use of both genuine and fabricated hacktivist personas to extend Moscow's influence campaigns, which makes attribution and response harder for defenders.

For organizations facing this threat environment, framing detections and controls in terms of MITRE ATT&CK techniques gives a common language for prioritizing defenses. Keeping those defenses current, especially for internet-facing edge devices and for software with a history of in-the-wild zero-days, is essential for anyone responsible for safeguarding systems and data.
