In a recent report, Google disclosed its findings on the exploitation of 75 zero-day vulnerabilities throughout 2024, a decline from the 98 detected in 2023 yet an increase over the 63 seen the year before that. Notably, 44% of these vulnerabilities targeted enterprise products, with 20 of them affecting security software and appliances.
The Google Threat Intelligence Group (GTIG) highlighted that zero-day exploitation against browsers and mobile devices decreased significantly, dropping by roughly a third for browsers and nearly half for mobile devices compared to the prior year. However, exploit chains composed of multiple zero-day vulnerabilities remained prevalent and were overwhelmingly aimed at mobile devices, which accounted for nearly 90% of such chains.
Among the vulnerable products, Microsoft Windows was associated with 22 of the 75 documented exploits. Other affected platforms included Apple’s Safari with three, iOS with two, Android with seven, Chrome with seven, and Mozilla Firefox with a solitary flaw. Notably, three out of the seven zero-days on Android were linked to third-party components.
Among the 33 zero-days affecting enterprise software and appliances, 20 targeted security and networking tools, notably from vendors such as Ivanti, Palo Alto Networks, and Cisco. The GTIG stressed that these tools, which connect diverse systems and run with high-level permissions, present enticing opportunities for threat actors seeking streamlined access into corporate networks.
In total, 18 unique vendors were affected in 2024, markedly more than the 12 recorded in 2021 and comparable to the 22 in 2023. Microsoft emerged as the most targeted vendor, with 26 zero-day exploits, followed by Google (11), Ivanti (7), and Apple (5).
Google defined zero-days as vulnerabilities actively exploited prior to the release of public patches, noting that state-sponsored cyber espionage continues to drive much of the exploitation reported. Specifically, the zero-day exploitation of 34 vulnerabilities could be traced to six major threat clusters, including state-sponsored groups primarily from China (5), Russia (1), and South Korea (1). The remaining attributed activity pointed to non-state actors motivated by financial gain.
In November 2024, Google uncovered a malicious JavaScript injection on the website of the Diplomatic Academy of Ukraine, which triggered an exploit for CVE-2024-44308, leading to arbitrary code execution. This was then chained with a WebKit vulnerability, CVE-2024-44309, facilitating a cross-site scripting (XSS) attack aimed at capturing user cookies for unauthorized access.
Additionally, Google identified an exploit chain targeting both Firefox and Tor browsers, combining CVE-2024-9680 and CVE-2024-49039 to breach Firefox’s sandbox and execute malicious code with elevated privileges. This activity has been linked to the actor referred to as RomCom, which Google tracks as CIGAR and classifies as pursuing the dual motivations of financial gain and espionage.
Threat actors reportedly combined both vulnerabilities into a zero-day exploit chain delivered through a compromised cryptocurrency news website used as a watering hole, redirecting visitors to an attacker-controlled domain. Casey Charrier, a Senior Analyst at GTIG, remarked on the slow but steady rise of zero-day exploitation but acknowledged early signs of effective mitigations from vendors.
Charrier pointed out a decline in exploit instances targeting historically popular products, likely due to proactive measures taken by many major vendors to thwart such attempts. Nevertheless, there remains an alarming shift towards targeting enterprise-focused products, which will require a broader array of vendors to strengthen their security. Ultimately, the landscape of zero-day exploitation will evolve based on vendors’ decisions and their efficacy in countering these persistent threats.