SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Zero-day hackers shift focus to enterprise tech in Google's report

The Google Threat Intelligence Group (GTIG) has released a report detailing trends in zero-day vulnerability exploitation, showing an increasing focus on enterprise technologies in 2024.

According to GTIG's analysis, 75 zero-day vulnerabilities were actively exploited in the past year. This figure represents a decrease from the 98 observed in 2023 but remains higher than the 63 recorded in 2022, reflecting what the group describes as a four-year trend of gradual growth in zero-day exploits.

A zero-day vulnerability is a flaw in software that is exploited before the software vendor has issued a corrective patch. These vulnerabilities are especially valued by both nation-state actors and financially motivated cybercriminals because of the access and stealth they can provide to compromised systems.

The GTIG report, titled "Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis," notes a significant shift toward targeting enterprise-focused technologies. Of all zero-days tracked in 2024, 44% were directed at technologies serving enterprises, including security software, network appliances, and business infrastructure tools. This proportion is an increase from 37% noted in 2023.

"Security and networking products are emerging as prime targets because of the far-reaching access they offer," the report states. GTIG further reports that of the 33 enterprise-focused vulnerabilities identified in 2024, 20 were in the security and networking category, including platforms provided by Ivanti, Palo Alto Networks, and Cisco.

While the actual number of exploited enterprise vulnerabilities saw a slight decrease year over year, the report highlights the growing emphasis attackers are placing on systems with expansive access and minimal monitoring, particularly in environments where endpoint detection solutions may be less effective.

The analysis also notes a decrease in zero-day attacks targeting browsers and mobile devices. Exploitation rates for browsers dropped by approximately one third, while those for mobile devices fell by around half. Despite these declines, attacks on the Chrome browser remained the most frequent among end-user platforms, and Android devices continued to be compromised primarily through vulnerabilities in third-party components.

Zero-day exploitation on Microsoft Windows continued a three-year increasing trend, rising to 22 recorded zero-days in 2024 compared to 16 in 2023 and 13 in 2022. GTIG suggests that Windows is likely to remain a major target given its widespread use in both domestic and professional settings.

Of the 75 zero-days tracked, GTIG attributed 34 to specific threat actors. More than half of these attributions, covering 18 vulnerabilities, were linked to espionage operations, driven either by nation-state groups or by clients of commercial surveillance vendors (CSVs). Five exploits were associated with China-backed groups, overwhelmingly focused on security and network devices. North Korean threat actors were also linked to five exploits, a first for that group of actors, in campaigns spanning both espionage and financial motivation.

Commercial surveillance vendors such as Cellebrite were identified in zero-day exploitation chains involving forensic tools that require physical access to mobile devices. These cases have raised ongoing concerns about the potential misuse of commercial spyware technologies.

The report also highlights activity by financially motivated actors. Notably, groups resembling the suspected FIN11 cluster were identified as using zero-days in attacks on enterprise file transfer systems to facilitate data theft and extortion operations.

GTIG's findings indicate that fewer attacks on some traditionally popular targets in 2024 do not necessarily signal increased safety, but may instead reflect improved vendor defences in those areas, as well as a shift in attacker focus toward less protected enterprise technologies.

"Attackers continue to exploit well-known classes of vulnerabilities—such as command injection, use-after-free, and cross-site scripting—highlighting the need for stronger coding standards and preventative practices," GTIG said.

With enterprise vendors featuring more prominently among targets, Google is calling for technology providers to review and strengthen their security practices, with particular attention to products serving as the infrastructure backbone of business environments.

The full technical analysis and guidance for defenders is available in the GTIG report, and a related webinar is planned to provide further insight into these developments.
