Attackers are getting alarmingly better at exploiting zero-day vulnerabilities, says Google Mandiant.
The improvement in detection tools has pushed hackers to act more quickly.
The use of zero-day vulnerabilities, which are exploited before developers have had a chance to release a patch, is on the rise. A recent report from cybersecurity researchers at Mandiant, part of Google, highlights this trend as concerning. The analysis covered 138 exploited vulnerabilities that were disclosed in 2023, of which 70% were determined to have been exploited as zero-days, while 30% were classed as n-days (first exploited after a patch was available).
Previous years showed a more balanced ratio, with approximately 60% of exploitation being zero-days and 40% n-days. This indicates that criminals are increasingly relying on zero-day vulnerabilities. According to the researchers, "while we had already observed a trend in the rise of zero-day usage, 2023 demonstrated an even greater discrepancy, with zero-day exploitation significantly outpacing that of n-day."
In addition to the increase in numbers, the average time to exploit these vulnerabilities has decreased, indicating that attackers are capitalizing on these flaws faster than ever. Two years ago, the average time was 32 days, while last year it was reduced to just five days, meaning that vulnerabilities are being attacked almost immediately.
However, there is a positive aspect to this research: Mandiant notes that organizations have improved at detecting zero-day vulnerabilities, which has contributed to the reported increases. It is possible that in previous years, a larger proportion of these attacks went unnoticed. Companies have also optimized their patching processes, carrying them out more quickly and frequently, which has compelled hackers to act more swiftly, resulting in a shorter exploitation time.
Looking forward, Mandiant anticipates that the trend of zero-day exploitation will continue to grow, especially with improved detection tools. These vulnerabilities will remain a highly coveted method for threat actors, as they offer a critical attack window before patches can be applied. If this trend persists, it is likely that the exploitation time will continue to decrease.