This report shares key findings from the Mandiant zero-day exploitation investigation of 2022. A zero-day vulnerability, according to Mandiant, is one that was used in the real world before a fix was made available. Focusing on zero-day exploits used by named groups, this paper explores zero-day exploitation discovered in Mandiant’s original research, breach investigation findings, and reporting from open sources.
Although the available sources cited in this analysis are trustworthy, we cannot corroborate some of their findings independently. Technical information about the vulnerabilities is not given; instead, we go over key conclusions from threat actor activity, vulnerability trends, and suppliers and products that were specifically targeted. We anticipate that this research will stay dynamic and be supplemented in the future due to the continual uncovering of past instances through digital forensic investigations.
In 2022, we estimate that 55 zero-day vulnerabilities that Mandiant tracked were exploited. The 81 zero-day exploits in 2021 set a record, and 2022 had 26 fewer; the 2022 count was nevertheless much greater than in 2020 and earlier years. The 55 zero-day vulnerabilities discovered this year bear out our earlier prediction that zero-day vulnerabilities will continue to be exploited at a markedly faster pace than in the 2010s.
The zero-day count in 2020 may have been affected by a variety of variables, because it decreased that year and then quadrupled in 2021. Disruptions caused by the pandemic in 2020 may have hindered vendor reporting and disclosure protocols, made it harder for defenders to spot exploitation activity, and possibly even encouraged attackers to reserve unique exploits for the most critical situations. Also, in 2021, Apple and Android disclosed more details about exploitation.
With some variation from year to year, we expect the longer-term trendline for zero-day exploitation to climb. Attackers look for stealth and simplicity of use, both of which zero-days can offer. As targeted software, such as Internet of Things (IoT) devices and cloud solutions, continues to develop, the overall number of vulnerabilities reported and exploited has grown, as has the range of actors that use them. Still, finding zero-day vulnerabilities requires a lot of resources, and successful exploitation is not always possible.
State-Sponsored Groups Continue to Drive Exploitation
As in prior years, Chinese state-sponsored groups continue to dominate the exploitation of zero-day vulnerabilities, exploiting seven of them, or more than 50% of all zero-day vulnerabilities that we could definitively link to known cyber espionage actors or intentions. In 2022, we monitored 13 zero-days that we can say with moderate to high confidence were used by cyber espionage organizations. Notably, we identified two zero-day vulnerabilities exploited by suspected North Korean actors, slightly more than in previous years.
Among the total of 16 zero-day vulnerabilities for which we could identify a motivation for exploitation, we were able to attribute the exploitation of four to financially motivated threat actors. As in 2021 and 2019, ransomware groups exploited the largest number of zero-day vulnerabilities among financially motivated actors, and 75% of these incidents seem connected to ransomware activities. In contrast to recent years, the aggregate count and percentage of all monetarily motivated zero-day exploitation decreased in 2022.
Exploitation With A Financial Motive Will Be Less Common
Despite a decline in the percentage of zero-day vulnerabilities exploited in financially motivated operations in 2022, n-day vulnerability exploitation (the use of vulnerabilities for which a patch has already been released) remains one of the most frequently observed initial infection vectors in the ransomware and/or extortion incidents investigated by Mandiant Incident Response and Managed Defense. We tracked four zero-day vulnerabilities, largely related to ransomware activities, used in financially motivated operations in 2022.
In one incident, an attacker who ultimately deployed the Lorenz ransomware apparently made special efforts to avoid being discovered while taking advantage of a zero-day remote code execution (RCE) vulnerability in Mitel's MiVoice Connect VoIP appliances (CVE-2022-29499).
Open sources claimed that in September 2022, the Magniber ransomware organization used CVE-2022-41091, a zero-day vulnerability in the Mark of the Web (MoTW) component of Microsoft Windows 11, to their advantage. Separately, open sources claimed that the Magniber gang also utilized CVE-2022-44698, an alternative MoTW vulnerability, in October 2022, prior to the issue’s December 2022 Microsoft patch.
In early June 2022, before the patch's release, we saw UNC2633, a distribution threat cluster that sends emails with malicious attachments or URLs that deliver malware payloads, exploit CVE-2022-30190 (also known as Follina) at least three times. In at least two of those incidents, UNC2633 deployed QAKBOT on the victims' networks using the zero-day vulnerability.
A variety of circumstances could have caused this reduction. Overall, 2021 was a standout year for zero-day exploitation, and at least one large extortion scheme chained four Accellion FTA vulnerabilities. Russia's attack on Ukraine in February 2022 may have disturbed this criminal ecosystem and reduced the use of zero-day vulnerabilities. Some of the more prolific ransomware groups that used zero-days in prior years had operators headquartered in Russia or Ukraine. The capacity of operators to acquire or develop zero-days may also have been diminished by the overall reduction in ransomware payments in 2022.
Consequences For Defenders
As the vendors and products targeted by zero-days continue to diversify, organizations must weigh their individual circumstances when prioritizing patches for their systems in order to appropriately mitigate risk. We advise organizations to examine the following in addition to risk ratings: the types of actors who target their particular industry or geographic region, common malware, the tactics, techniques, and procedures used frequently by malicious actors, and the products they use that have the largest attack surfaces. These factors can help determine how to allocate resources to reduce risk.
Because Microsoft, Google, and Apple continue to be the most exploited vendors and their products are widely used, it is essential to configure these products properly, which includes adhering to best practices such as network segmentation and least privilege. Despite the prevalence of exploitation of those vendors, security teams must still consider the dangers from sources other than the top three suppliers and be watchful across their full attack surface. Organizations must continue to devote enough resources to safeguarding these other technologies because, between 2021 and 2022, about 25–30% of zero-day vulnerabilities affected suppliers besides the top three.
These findings aren’t very surprising given that unpatched zero-days provide a guaranteed way for attackers to infiltrate organisations.
What is surprising is how much zero-day exploitation has gone down since 2021.
Businesses should use this data to reinforce the importance of patching, even if patches can cause business disruptions.
As soon as zero-days are disclosed, the clock starts ticking as attackers look for ways to exploit them, so as soon as fixes are released, these must be prioritised and applied to systems. Any gaps in this cycle just expose the business, and attackers will find them. Criminals today use automatic scanners to find organisations still vulnerable to specific CVEs, so there is no hiding.
When it comes to patches, most large vendors release them on a specific date every month, so these should be applied as close to release as possible.
These figures from Mandiant highlight how attackers are continuing to exploit zero-days to gain a foothold on organisations and then execute attacks.
According to the data, many of the zero-days relied on elevating privileges, and the best way to limit the impact of these types of attacks is through software and device segmentation, where software only has access to the data and network connections that it absolutely needs, so attackers can’t use an exploit to then pivot across the network.
The report also reinforces the importance of regular patch and vulnerability management. As soon as vulnerabilities are disclosed, attackers jump on the flaws looking for ways to exploit them. Organisations must keep this window of attacker opportunity to an absolute minimum by carrying out regular patching, applying mitigations for announced vulnerabilities that do not yet have a patch, and applying patches for zero-days as soon as they are available, even if that falls outside regular patch schedules.
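As an added example that is not part of the report or of Mandiant's tooling, the following Python sketch turns the prioritisation factors given earlier (actors targeting one's own sector, products with the largest attack surface, exploited-in-the-wild status) and the patch-window advice above into a ranked action list. The organisation context, the dates attached to the report's CVEs, and the placeholder CVE-EXAMPLE-0001 entry are constructed assumptions, not real timelines.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class Vuln:
    cve: str
    vendor: str
    product: str
    exploited_in_wild: bool          # zero-day or otherwise known-exploited
    disclosed: date
    patch_released: Optional[date]   # None: the vendor has not shipped a fix yet
    patched_on: Optional[date] = None

# Organisation context (constructed): vendors the actors targeting our sector exploit, hosts per product.
SECTOR_TARGETED_VENDORS = {"Microsoft", "Mitel"}
DEPLOYED = {"Windows": 1200, "Office": 1100, "MiVoice Connect": 4}

def priority(v: Vuln) -> int:
    """Rank by the report's factors rather than by vendor severity rating alone."""
    score = 50 if v.exploited_in_wild else 0              # exploited beats theoretical
    if v.vendor in SECTOR_TARGETED_VENDORS:
        score += 20                                       # actors that hit our sector use it
    score += min(DEPLOYED.get(v.product, 0) // 100, 20)   # size of our exposure
    if v.patch_released is None:
        score += 10                                       # only a mitigation is possible
    return score
def exposure_days(v: Vuln, today: date) -> int:
    """Window of attacker opportunity: disclosure until our fix landed, else until today."""
    return ((v.patched_on or today) - v.disclosed).days
def action(v: Vuln, today: date, next_cycle: date) -> str:
    if v.patched_on:
        return "patched"
    if v.patch_released is None:
        return "mitigate (no patch yet)"
    if v.exploited_in_wild and next_cycle > today:
        return "patch out-of-band now"                    # do not wait for the monthly cycle
    return "patch in regular cycle"
def plan(vulns, today: date, next_cycle: date):
    ranked = sorted(vulns, key=lambda v: (-priority(v), -exposure_days(v, today)))
    return [(v.cve, priority(v), exposure_days(v, today), action(v, today, next_cycle)) for v in ranked]

# Constructed sample: CVEs named in the report with illustrative dates, plus one unexploited placeholder.
TODAY, NEXT_CYCLE = date(2022, 11, 15), date(2022, 12, 13)
SAMPLE = [
    Vuln("CVE-2022-30190", "Microsoft", "Office", True, date(2022, 5, 30), date(2022, 6, 14)),
    Vuln("CVE-2022-29499", "Mitel", "MiVoice Connect", True, date(2022, 4, 19), date(2022, 4, 19)),
    Vuln("CVE-2022-44698", "Microsoft", "Windows", True, date(2022, 10, 20), None),
    Vuln("CVE-2022-41091", "Microsoft", "Windows", True, date(2022, 9, 20), date(2022, 11, 8), date(2022, 11, 10)),
    Vuln("CVE-EXAMPLE-0001", "ExampleVendor", "Unused", False, date(2022, 11, 1), date(2022, 11, 1)),
]
```

Calling `plan(SAMPLE, TODAY, NEXT_CYCLE)` returns rows of (CVE, priority, days exposed, action) with the unpatched, actively exploited MoTW flaw first and the unexploited placeholder last.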