In 2022, more than 40% of zero-day exploits used in the wild were variations of previous issues

Google’s Threat Analysis Group Google states that more than 40% of zero-day flaws discovered in 2022 were variants of previous issues.

The popular Threat Analysis Group (TAG) Maddie Stone wrote Google’s fourth annual year-in-review of zero-day flaws exploited in-the-wild [2021, 2020, 2019], it is built off of the mid-year 2022 review.

In 2022, the researchers disclosed 41 actively exploited zero-day flaws, which marks the second-most ever recorded since we began tracking in mid-2014. In 2021 the number of zero-days discovered by the researchers were 69 detected. 

zero-day

The number of zero-day vulnerabilities actively exploited in the wild dropped also due 0-click exploits and new browser mitigations implemented by software vendors.

“Many attackers have been moving towards 0-click rather than 1-click exploits. 0-clicks usually target components other than the browser. In addition, all major browsers also implemented new defenses that make exploiting a vulnerability more difficult and could have influenced attackers moving to other attack surfaces.” reads the report published by Google TAG.

However, the researchers pointed out that the 40% drop is not only caused by improved security of software and hardware vendors.

One of the most interesting data that emerged from the report is that over 40% of the 0-days discovered were variants of previously reported vulnerabilities. Below is the list of zero-day flaws that were variants of previously reported bugs:

Product 2022 ITW CVE Variant
Windows win32k CVE-2022-21882 CVE-2021-1732 (2021 itw)
iOS IOMobileFrameBuffer CVE-2022-22587 CVE-2021-30983 (2021 itw)
WebKit “Zombie” CVE-2022-22620 Bug was originally fixed in 2013, patch was regressed in 2016
Firefox WebGPU IPC CVE-2022-26485 Fuzzing crash fixed in 2021
Android in ARM Mali GPU CVE-2021-39793 CVE-2022-22706 CVE-2021-28664 (2021 itw)
Sophos Firewall CVE-2022-1040 CVE-2020-12271 (2020 itw)
Chromium v8 CVE-2022-1096 CVE-2021-30551 (2021 itw)
Chromium CVE-2022-1364 CVE-2021-21195
Windows “PetitPotam” CVE-2022-26925 CVE-2021-36942 – Patch was regressed
Windows “Follina” CVE-2022-30190 CVE-2021-40444 (2021 itw)
Atlassian Confluence CVE-2022-26134 CVE-2021-26084 (2021 itw)
Chromium Intents CVE-2022-2856 CVE-2021-38000 (2021 itw)
Exchange SSRF “ProxyNotShell” CVE-2022-41040 CVE-2021-34473  “ProxyShell”
Exchange RCE “ProxyNotShell” CVE-2022-41082 CVE-2023-21529 “ProxyShell”
Internet Explorer JScript9 CVE-2022-41128 CVE-2021-34480
Windows “Print Spooler” CVE-2022-41073 CVE-2022-37987
WebKit JSC CVE-2022-42856 2016 bug discovered due to test failure

17 out of the 41 actively exploited zero-days from 2022 are variants of previously reported vulnerabilities, this data confirms a trend observed by the researchers in previous reports.

Another aspect highlighted by Google researchers is that as per the attackers’ arsenal N-days function like 0-days on Android due to long patching times. This means that threat actors can use n-days that functioned as 0-days for a long period of time.

Giving a close look at zero-day flaws disclosed by Google TAG, we can observe a 42% drop in the number of in-the-wild detected 0-days targeting browsers from 2021 to 2022 (from 26 to 15). The main reasons for this drop are browsers’ efforts to prevent exploitation and a shift in attacker behavior away from browsers towards 0-click exploits that target other components on the device. 

“Unlike many commodities in the world, a 0-day itself is not finite. Just because one person has discovered the existence of a 0-day vulnerability and developed it into an exploit doesn’t prevent other people from independently finding it too and using it in their exploit.” continues the report. “Most attackers who are doing their own vulnerability research and exploit development do not want anyone else to do the same as it lowers its value and makes it more likely to be detected and fixed quickly.”

Stone recommends vendors provide patches and mitigations to end-users as fast as possible and suggests sharing more details about the root causes of the flaws.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

The post In 2022, more than 40% of zero-day exploits used in the wild were variations of previous issues appeared first on Security Affairs.