New research from Mandiant shows the explosive growth in zero-day exploits, with more zero-days exploited in attacks in 2021 than in the three previous years combined.

The generally accepted definition of a zero-day is: a security vulnerability that is exploited in the wild before a patch was made publicly available.  (Microsoft has a slightly different definition – for them a vulnerability which has no patch available is considered a zero-day as soon as it is publicly disclosed, even if there is no evidence of exploitation yet).

The research from Mandiant, which focuses on zero-days which were seen to be exploited in the wild, reveals the following:

• 1 in 3 malicious actors exploiting zero-days are financially motivated (eg ransomware operators) – but the majority are state sponsored actors with Chinese actors in the majority. (Note this research covers 2021 so excludes the recent effects of the war in Ukraine)
• The most targeted vendors in 2021 were Microsoft, Apple and Google, accounting for 75% of all exploited zero-days between them in roughly equal proportion.
• Organisations should not only consider the CVSS (risk ranking) of a vulnerability when creating a patching plan for their network – whether or not a vulnerability has been seen to be under active attack should also influence its priority for patching.

Malicious actors continue to leverage known vulnerabilities after patches are available, because many organisations fail to apply the patches promptly – or even at all – while the window of time between disclosure and attempted exploit continues to shrink.  CISA’s catalogue of known exploited vulnerabilities continues to grow each month.

While zero-days often attract the headlines in the security industry press, they are only part of the risk landscape that organisations face today.  A robust network perimeter, active monitoring, up to date patching and a proven incident response plan all play an important part in keeping your networks secure.