Google has revealed that it observed that 75-day zero-day vulnerability in 2024, down from 98 in 2023, was exploited in the wild.
Of the 75 zero-days, 44% target enterprise products. Up to 20 defects have been identified in the security software and appliance.
“The use of zero-day browsers and mobile devices has decreased dramatically, about a third of browsers and about half of mobile devices compared to what we observed last year,” Google Threat Intelligence Group (GTIG) said in a report shared with Hacker News.
“Exploit chains consisting of multiple zero-day vulnerabilities are used to target mobile devices (~90%) and almost exclusively (~90%).”
Microsoft Windows accounted for 22 of the zero-day flaws that were exploited in 2024, but Apple’s Safari had three, two iOS, seven for Android, seven for Chrome, and one for Mozilla Firefox in the same period. Three of the seven zero-days exploited on Android were found in third-party components.
Of the exploitation of 33 zero-days in enterprise software and appliances, 20 of them target security and networking products such as Ivanti, Palo Alto Networks and Cisco.
“Security and network tools and devices are designed to connect a wide range of systems and devices with the high authority required to manage products and their services, making them a highly valuable target for threat actors seeking efficient access to their enterprise networks,” says GTIG researchers.
In total, a total of 18 unique enterprise vendors targeted, compared with 12 in 2024 and 17 in 2022. The most targeted zero-day companies were Microsoft (26), Google (11), Ivanti (7), and Apple (5).
Furthermore, 34 of the 75 defects zero-day exploitation is attributed to six broad threat activity clusters –
State-sponsored spies led by China (5), Russia (1), and South Korea (1) (10) (e.g. CVE-2023-46805, CVE-2024-21887) Commercial surveillance vendors (8) CVE-2024-29748) Non-state-motivated groups (5) (e.g. CVE-2024-55956) State-sponsored spy and financially motivated groups (5), all from North Korea (e.g. CVE-2024-21338, CVE-2024-38178). CVE-2024-9680, CVE-2024-49039)
Google discovered that malicious JavaScript was injected into the Ukrainian Academy of Diplomacy website in November 2024 (Online.da.mfa.gov[.]UA) triggered an exploit for CVE-2024-44308, resulting in arbitrary code execution.
This should be chained with CVE-2024-44309, a cookie management vulnerability in WebKit, launching a cross-site scripting (XSS) attack, and ultimately collecting user cookies and allowing access to login.microsoftonline.[.]com.
Tech Giant further noted that he independently discovered a Firefox and TOR browser exploiting the combination of CVE-2024-9680 and CVE-2024-49039 to split the Firefox sandbox and to run malicious code on the rising Primiciges.
Activities previously flagged by ESET are attributed to a threat actor called Romcom (aka Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu). Google, under the name Cigar, tracks dual financial and espionage threat groups.
Both flaws are allegedly abused as zero-day by another financially motivated hacking crew who used a legitimate and infringed cryptocurrency news website to redirect domains controlled by attackers to the domains hosting the exploit chain.
“Zero-Day Exploitation continues to grow at a slow, stable pace. But we have begun to see vendors’ work to alleviate zero-Day Exploitation that is rewarding,” he said in a statement shared with GTIG senior analyst Hacker News.
“For example, there are fewer cases of zero-day exploitation targeting products that have probably become popular historically due to the efforts and resources that many major vendors have invested in to prevent exploitation.”
“At the same time, we see a zero-day exploitation shift towards increasing targeting of enterprise-centric products, which requires a broader and diverse set of vendors to promote aggressive security measures. The future of zero-day exploitation will ultimately be determined by the vendor’s decision-making and the targeting and targeting capabilities of threat actors.
Source link
