Getty Images/iStockphoto
Spyware vendors behind 75% of zero-days targeting Google
Google observed 97 zero-day vulnerabilities exploited in the wild last year, which was more than a 50% increase over the 62 exploited zero-day vulnerabilities tracked in 2022.
Listen to this article. This audio was generated by AI.
Commercial spyware vendors made a major impact on the threat landscape in 2023. A new Google report found that such entities were behind 75% of known zero-day exploits targeting Google products and Android devices last year.
This finding came from a report titled "We're All in this Together: A Year in Review of Zero-Days Exploited In-the-Wild in 2023," published Wednesday by Google's Threat Analysis Group (TAG) and Mandiant. The report covers findings and observations made by Google researchers related to zero-day vulnerabilities and exploits in 2023.
Google observed 97 zero-day vulnerabilities exploited in the wild last year, a steep increase from 2022 with 62 vulnerabilities exploited but not as high as 2021, which saw 106 vulnerabilities. Maddie Stone, Google TAG security engineer and co-author of the report, told TechTarget Editorial the totals are influenced by both positive and negative security factors.
"In 2023, we saw these attackers were forced to switch back to zero-days. We also saw both researchers and vendors discovering and disclosing in-the-wild zero-days more quickly and often, further increasing the volume in 2023," she said. "However, we saw a wider variety of products being targeted in 2023, especially in the enterprise space. This is good for security because attackers have to use more zero-day exploits to achieve their goals but also increases the attack surface of victims as more vendors and technologies are now at risk of exploitation than ever before."
One of the more notable points of the report involved commercial surveillance vendors (CSVs), which are companies that sell spyware to entities such as governments; well-known examples of these include NSO Group, Intellexa and Cy4Gate. Although Google put the spotlight on commercial spyware vendors in another Google TAG report last month, Tuesday's research provides additional context regarding their activity.
According to the report, 75% of all known zero-day exploits targeting Google products and the Android ecosystem (13 out of 17) and 55% of all iOS and Safari zero-days (11 out of 20) came from CSVs. Meanwhile, of the 37 zero-day flaws Google tracked affecting browsers and mobile devices, over 60% were attributed to spyware vendors.
"The commercial surveillance industry has emerged to fill a lucrative market niche: selling cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals' devices," the report read. "By doing so, CSVs are enabling the proliferation of dangerous hacking tools."
Asked whether CSVs should be viewed as legitimate commercial enterprises or as threat actors, Stone said the latter.
"CSVs offer turn-key espionage solutions, bundling an exploit chain designed to get past security measures with the spyware and necessary infrastructure," she said. "CSVs are enabling the proliferation of dangerous hacking tools and the harm these tools have caused has been well-documented. As threat actors, CSVs pose a threat to Google users, as more than half of the known in-the-wild zero-days targeting Google products in 2023 can be attributed to CSVs."
As for other threat actors, Google said the Chinese nation-state cyber espionage groups were behind the exploitation of 12 zero-days in 2023, up from nine zero days the previous year. Financially motivated threat actors, meanwhile, were responsible for 10 zero-day exploitations in 2023, which marked a slight decrease from the year before.
Additional risks and silver linings
Google called vulnerabilities in third-party components and libraries a "prime attack surface" last year, noting a year-over-year increase in exploitation. "Vulnerabilities in third-party components tend to be higher value and more useful than vulnerabilities in the product's first party code because they can affect more than just one product," the report read.
For example, Google assessed with high confidence that a Chrome bug tracked as CVE-2023-4863 and Apple ImageIO flaw tracked as CVE-2023-41064 "are actually the same bug" that affected Android and Firefox. Similarly, a buffer overflow flaw in video codec library Libvpx, tracked as CVE-2023-5217, impacted Android, Chrome, Firefox and iOS.
James Sadowski, Mandiant principal analyst at Google Cloud, said the rise in third-party component bugs was informed in part by browsers fortifying their first-party code over the past two years.
"In 2022 and 2023, we saw the major browsers releasing additional exploit mitigations and defenses. This makes looking at third-party code, rather than the browser's first-party code, more appealing," Sadowski said. "Also, finding a bug in a third-party component can mean that a single exploit can work on multiple browsers."
On a positive note, vendor mitigations are making a difference, according to Google. The tech giant noted enhancements such as iOS's Lockdown Mode as well as Chrome and Safari's new JavaScript-focused mitigations.
"Vendor investments in exploit mitigations are having a clear impact on the types of bugs attackers are able to exploit in-the-wild," the report read. "Notable advancements include Google's MiraclePtr preventing exploitation of use-after-free vulnerabilities in Chrome and Apple introducing Lockdown mode for iOS, which successfully prevents exploitation of many exploit chains used in-the-wild."
Google researchers were also optimistic about Arm's Memory Tagging Extension for its CPUs, which debuted in October with the release of Google's Pixel 8 mobile handset in October. The report noted that such features and investments are particularly beneficial to "high-risk users" that might be targeted by spyware vendors and nation-state cyberespionage groups.
"This demonstrates how these investments are making a real impact on the safety of users and forcing attackers to spend the time to research new attack surfaces and find new bug patterns," the report read. "We hope to see the continued investment as well as other products and vendors following this lead as well."
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.