
In its latest threat landscape analysis, the Google Threat Intelligence Group (GTIG) reported a continued surge in the strategic use of zero-day vulnerabilities, but with a notable shift in targeting from consumer-facing software to enterprise-grade security and networking tools. The group tracked 75 zero-days exploited in the wild during 2024, a drop from 98 in 2023, but still significantly higher than pre-2021 levels.
“Zero-day exploitation continues to grow at a slow but steady pace,” the report explains. While major tech vendors like Microsoft and Google remained top targets, 2024 marked a shift as attackers increasingly focused on high-value enterprise systems that offer expansive access to internal networks.
According to GTIG, 33 of the 75 zero-days exploited last year targeted enterprise-specific technologies, particularly security and networking appliances. This accounted for 44% of all zero-day exploitation, a notable increase from 37% in 2023.
“Exploitation of these products… can more effectively and efficiently lead to extensive system and network compromises,” GTIG noted. Products from Ivanti, Palo Alto Networks, and Cisco were among the most commonly targeted.
Attackers favor these enterprise systems for their high privilege levels and limited visibility by traditional EDR tools, making successful exploitation both stealthy and impactful.
In contrast, GTIG observed a decline in zero-day exploitation across browsers and mobile devices:
- Browser zero-days dropped from 17 to 11
- Mobile zero-days fell by nearly half, from 17 to 9
- Safari and iOS saw the largest decreases in browser-related zero-day attacks
While Chrome remained the most exploited browser, GTIG attributed the overall decline to improved vendor security and exploit mitigations.
Espionage remains the leading motive behind zero-day usage. GTIG attributed over 50% of the cases to nation-state-backed groups and commercial surveillance vendors (CSVs). Notably:
- PRC (China) exploited five zero-days, all against security or networking appliances
- North Korean actors exploited five zero-days as well, including in Chrome and Windows AppLocker, blending espionage and financially motivated activity
- Commercial Surveillance Vendors used zero-days in USB-based Android exploits, reportedly tied to targeted attacks in Serbia
GTIG also pointed out that “CSVs continue to increase access to zero-day exploitation,” although they appear to be improving their operational security, reducing attribution rates.
The report includes an in-depth spotlight on CIGAR (also known as UNC4895 or RomCom), a threat actor that mixed financial and espionage motives. CIGAR deployed a zero-day chain against Firefox and Windows (CVE-2024-49039) that escalated privileges from low integrity to SYSTEM level via Windows RPC abuse.
“The exploit abused two distinct issues… allowing an unprivileged user to create and execute scheduled tasks as SYSTEM,” GTIG reported.
In one campaign, another unidentified actor was found using the same exploit chain against visitors of a compromised cryptocurrency news site, showing how high-value zero-days are quickly adopted by multiple groups.
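The privilege-escalation step described above (an unprivileged user getting a scheduled task created and run as SYSTEM) leaves a footprint that defenders can hunt for: a Windows Security event 4698 (scheduled task created) whose creating account is an ordinary user while the task's principal is the Local System SID. The following hunting heuristic is an added example, not code from GTIG or from the report; it assumes the events have been exported as dictionaries with the 4698 fields `SubjectUserName`, `TaskName` and `TaskContent` (the task XML), and the sample events, account names and paths are constructed for illustration.

```python
"""Hunt for scheduled-task creation (Security event 4698) where a non-admin
account registers a task that runs as SYSTEM (S-1-5-18).

Added example for illustration; not GTIG's code.  The event dictionaries
mirror the 4698 field names, but the export format itself is an assumption.
"""
import re
import xml.etree.ElementTree as ET

SYSTEM_SID = "S-1-5-18"
# Accounts expected to register SYSTEM tasks; tune per estate (assumption).
EXPECTED_CREATORS = {"SYSTEM", "Administrator"}
# Task Scheduler XML namespace used in the TaskContent field.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Real TaskContent starts with an encoding="UTF-16" declaration; strip it so
# the already-decoded string parses without a multi-byte-encoding error.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_task_principal(task_xml: str) -> dict:
    """Return the UserId and RunLevel of the task's Principal element."""
    root = ET.fromstring(XML_DECL.sub("", task_xml, count=1))
    principal = root.find(f".//{TASK_NS}Principal")
    if principal is None:
        return {"user_id": None, "run_level": None}
    uid = principal.find(f"{TASK_NS}UserId")
    lvl = principal.find(f"{TASK_NS}RunLevel")
    return {
        "user_id": uid.text if uid is not None else None,
        "run_level": lvl.text if lvl is not None else None,
    }


def is_suspicious(event: dict) -> bool:
    """True when an unexpected account creates a task that runs as SYSTEM."""
    if event.get("EventID") != 4698:
        return False
    principal = parse_task_principal(event["TaskContent"])
    return (principal["user_id"] == SYSTEM_SID
            and event["SubjectUserName"] not in EXPECTED_CREATORS)


def find_suspicious_tasks(events: list) -> list:
    """Return (creator, task name) pairs for every suspicious 4698 event."""
    return [(e["SubjectUserName"], e["TaskName"]) for e in events if is_suspicious(e)]


def task_xml(user_id: str, run_level: str, command: str) -> str:
    """Build a minimal TaskContent document (constructed test data)."""
    return (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Principals>"
        f'<Principal id="Author"><UserId>{user_id}</UserId>'
        f"<RunLevel>{run_level}</RunLevel></Principal>"
        "</Principals>"
        f"<Actions><Exec><Command>{command}</Command></Exec></Actions>"
        "</Task>"
    )


# Constructed sample events: one benign SYSTEM task, one user-created task
# running as SYSTEM, one user task running as the user.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": task_xml(SYSTEM_SID, "HighestAvailable", "%windir%\\system32\\defrag.exe")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "TaskName": "\\Updater",
     "TaskContent": task_xml(SYSTEM_SID, "HighestAvailable", "C:\\Users\\Public\\updater.exe")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "TaskName": "\\MyBackup",
     "TaskContent": task_xml("S-1-5-21-1111111111-2222222222-3333333333-1001",
                             "LeastPrivilege", "C:\\Users\\jdoe\\backup.cmd")},
]

if __name__ == "__main__":
    for creator, name in find_suspicious_tasks(SAMPLE_EVENTS):
        print(f"SYSTEM task {name!r} created by non-admin account {creator!r}")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so the check is blind on hosts with default auditing; the creator allow-list is a heuristic that will need per-environment tuning, and an exploit that registers the task through a system component rather than the user's own token may not appear with the user's name in `SubjectUserName`.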