Editing article

Title

Summary

<div class="block-paragraph_advanced">Written by: Maddie Stone, Jared Semrau, James Sadowski
<hr/>
 </div>
<div class="block-paragraph_advanced">Combined data from Google’s <a href="https://blog.google/threat-analysis-group/" rel="noopener" target="_blank">Threat Analysis Group (TAG)</a> and Mandiant shows 97 zero-day vulnerabilities were exploited in 2023; a big increase over the 62 zero-day vulnerabilities identified in 2022, but still less than 2021's peak of 106 zero-days.
This finding comes from the <a href="https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Year_in_Review_of_ZeroDays.pdf" rel="noopener" target="_blank">first-ever joint zero-day report by TAG and Mandiant</a>. The report highlights 2023 zero-day trends, with focus on two main categories of vulnerabilities. The first is end user platforms and products such as mobile devices, operating systems, browsers, and other applications. The second is enterprise-focused technologies such as security software and appliances.
Key zero-day findings from the report include:
<ul>
<li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
Vendors' security investments are working, making certain attacks harder.
</li>
<li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
Attacks increasingly target third-party components, affecting multiple products.
</li>
<li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
Enterprise targeting is rising, with more focus on security software and appliances.
</li>
<li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
Commercial surveillance vendors lead browser and mobile device exploits.
</li>
<li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
People’s Republic of China (PRC) remains the top state-backed exploiter of zero-days.
</li>
<li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
Financially-motivated attacks proportionally decreased.
</li>
</ul>
Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don’t expect this activity to decrease anytime soon. Progress is being made on all fronts, but zero-day vulnerabilities remain a major threat. 
<h2>A Look Back — 2023 Zero-Day Activity at a Glance</h2>
<h3>Barracuda ESG: CVE-2023-2868</h3>
Barracuda disclosed in May 2023 that a zero-day vulnerability (CVE-2023-2868) in their Email Security Gateway (ESG) had been actively exploited since as early as October 2022. Mandiant investigated and determined that UNC4841, a suspected Chinese cyber espionage actor, was conducting attacks across multiple regions and sectors as part of an espionage campaign in support of the PRC.
Mandiant released a blog post with <a href="https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally">findings from the initial investigation</a>, a follow-up post with <a href="https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation">more details as the investigation continued</a>, and a <a href="https://services.google.com/fh/files/misc/barracuda-esg-rpt-en.pdf" rel="noopener" target="_blank">hardening guide</a>. Barracuda also released a <a href="https://www.barracuda.com/company/legal/esg-vulnerability" rel="noopener" target="_blank">detailed advisory with recommendations</a>.
<h3>VMware ESXi: CVE-2023-20867</h3>
Mandiant discovered that UNC3886, a Chinese cyber espionage group, had been exploiting a VMware zero-day vulnerability (CVE-2023-20867) in a continued effort to evade security solutions and remain undiscovered. The investigation shined a big light on UNC3886's deep understanding and technical knowledge of ESXi, vCenter and VMware’s virtualization platform.
Mandiant released a blog post detailing <a href="https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass">UNC3886 activity involving exploitation of this zero-day vulnerability</a>, and also <a href="https://cloud.google.com/blog/topics/threat-intelligence/vmware-detection-containment-hardening">detection, containment and hardening opportunities</a> to better defend against the threat. VMware also released an <a href="https://www.vmware.com/security/advisories/VMSA-2023-0013.html" rel="noopener" target="_blank">advisory with recommendations</a>.
<h3>MOVEit Transfer: CVE-2023-34362</h3>
Mandiant observed a critical zero-day vulnerability in Progress Software's MOVEit Transfer file transfer software (CVE-2023-34362) being actively exploited for data theft since as early as May 27, 2023. Mandiant initially attributed the activity to UNC4857, which was later merged into FIN11 based on targeting, infrastructure, certificate and data leak site overlaps.
Mandiant released a blog post with <a href="https://cloud.google.com/blog/topics/threat-intelligence/zero-day-moveit-data-theft">details on the activity</a>, as well as a <a href="https://services.google.com/fh/files/misc/moveit-containment-hardening-guide-rpt-en.pdf" rel="noopener" target="_blank">containment and hardening guide</a> to help protect against the threat. Progress released an <a href="https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023" rel="noopener" target="_blank">advisory with details and recommendations</a>.
<h2>Takeaways</h2>
Zero-day exploitation has the potential to be high impact and widespread, as evidenced by the three examples shared in this post.
Vendors must continue investing in security to reduce risk for their users and customers, and organizations across all industry verticals must remain vigilant. Zero-day attacks that get through defenses can result in significant financial losses, reputational damage, data theft, and more. 
While zero-day threats are difficult to defend against, a defense in depth approach to security can help reduce potential impact. Organizations should focus on sound security principles such as vulnerability management, network segmentation, least privilege, and attack surface reduction. Additionally, defenders should conduct proactive threat hunting, and follow guidance and recommendations provided by security organizations.
Read the report now to <a href="https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Year_in_Review_of_ZeroDays.pdf" rel="noopener" target="_blank">learn more about the zero-day landscape in 2023</a>.</div>

Content

Author

Link

Published date

Image url

Feed url

Guid

Hidden blurb

--- !ruby/object:Feedjira::Parser::RSSEntry
published: 2024-03-26 22:00:00.000000000 Z
entry_id: !ruby/object:Feedjira::Parser::GloballyUniqueIdentifier
 guid: https://cloud.google.com/blog/topics/threat-intelligence/2023-zero-day-trends/
title: Trends on Zero-Days Exploited In-the-Wild in 2023
categories:
- Threat Intelligence
carlessian_info:
 news_filer_version: 2
 newspaper: Google Cloud Blog
 macro_region: Technology
summary: |-
 <div class="block-paragraph_advanced">Written by: Maddie Stone, Jared Semrau, James Sadowski
 <hr/>
  </div>
 <div class="block-paragraph_advanced">Combined data from Google’s <a href="https://blog.google/threat-analysis-group/" rel="noopener" target="_blank">Threat Analysis Group (TAG)</a> and Mandiant shows 97 zero-day vulnerabilities were exploited in 2023; a big increase over the 62 zero-day vulnerabilities identified in 2022, but still less than 2021's peak of 106 zero-days.
 This finding comes from the <a href="https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Year_in_Review_of_ZeroDays.pdf" rel="noopener" target="_blank">first-ever joint zero-day report by TAG and Mandiant</a>. The report highlights 2023 zero-day trends, with focus on two main categories of vulnerabilities. The first is end user platforms and products such as mobile devices, operating systems, browsers, and other applications. The second is enterprise-focused technologies such as security software and appliances.
 Key zero-day findings from the report include:
 <ul>
 <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
 Vendors' security investments are working, making certain attacks harder.
 </li>
 <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
 Attacks increasingly target third-party components, affecting multiple products.
 </li>
 <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
 Enterprise targeting is rising, with more focus on security software and appliances.
 </li>
 <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
 Commercial surveillance vendors lead browser and mobile device exploits.
 </li>
 <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
 People’s Republic of China (PRC) remains the top state-backed exploiter of zero-days.
 </li>
 <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;">
 Financially-motivated attacks proportionally decreased.
 </li>
 </ul>
 Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don’t expect this activity to decrease anytime soon. Progress is being made on all fronts, but zero-day vulnerabilities remain a major threat. 
 <h2>A Look Back — 2023 Zero-Day Activity at a Glance</h2>
 <h3>Barracuda ESG: CVE-2023-2868</h3>
 Barracuda disclosed in May 2023 that a zero-day vulnerability (CVE-2023-2868) in their Email Security Gateway (ESG) had been actively exploited since as early as October 2022. Mandiant investigated and determined that UNC4841, a suspected Chinese cyber espionage actor, was conducting attacks across multiple regions and sectors as part of an espionage campaign in support of the PRC.
 Mandiant released a blog post with <a href="https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally">findings from the initial investigation</a>, a follow-up post with <a href="https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation">more details as the investigation continued</a>, and a <a href="https://services.google.com/fh/files/misc/barracuda-esg-rpt-en.pdf" rel="noopener" target="_blank">hardening guide</a>. Barracuda also released a <a href="https://www.barracuda.com/company/legal/esg-vulnerability" rel="noopener" target="_blank">detailed advisory with recommendations</a>.
 <h3>VMware ESXi: CVE-2023-20867</h3>
 Mandiant discovered that UNC3886, a Chinese cyber espionage group, had been exploiting a VMware zero-day vulnerability (CVE-2023-20867) in a continued effort to evade security solutions and remain undiscovered. The investigation shined a big light on UNC3886's deep understanding and technical knowledge of ESXi, vCenter and VMware’s virtualization platform.
 Mandiant released a blog post detailing <a href="https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass">UNC3886 activity involving exploitation of this zero-day vulnerability</a>, and also <a href="https://cloud.google.com/blog/topics/threat-intelligence/vmware-detection-containment-hardening">detection, containment and hardening opportunities</a> to better defend against the threat. VMware also released an <a href="https://www.vmware.com/security/advisories/VMSA-2023-0013.html" rel="noopener" target="_blank">advisory with recommendations</a>.
 <h3>MOVEit Transfer: CVE-2023-34362</h3>
 Mandiant observed a critical zero-day vulnerability in Progress Software's MOVEit Transfer file transfer software (CVE-2023-34362) being actively exploited for data theft since as early as May 27, 2023. Mandiant initially attributed the activity to UNC4857, which was later merged into FIN11 based on targeting, infrastructure, certificate and data leak site overlaps.
 Mandiant released a blog post with <a href="https://cloud.google.com/blog/topics/threat-intelligence/zero-day-moveit-data-theft">details on the activity</a>, as well as a <a href="https://services.google.com/fh/files/misc/moveit-containment-hardening-guide-rpt-en.pdf" rel="noopener" target="_blank">containment and hardening guide</a> to help protect against the threat. Progress released an <a href="https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023" rel="noopener" target="_blank">advisory with details and recommendations</a>.
 <h2>Takeaways</h2>
 Zero-day exploitation has the potential to be high impact and widespread, as evidenced by the three examples shared in this post.
 Vendors must continue investing in security to reduce risk for their users and customers, and organizations across all industry verticals must remain vigilant. Zero-day attacks that get through defenses can result in significant financial losses, reputational damage, data theft, and more. 
 While zero-day threats are difficult to defend against, a defense in depth approach to security can help reduce potential impact. Organizations should focus on sound security principles such as vulnerability management, network segmentation, least privilege, and attack surface reduction. Additionally, defenders should conduct proactive threat hunting, and follow guidance and recommendations provided by security organizations.
 Read the report now to <a href="https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Year_in_Review_of_ZeroDays.pdf" rel="noopener" target="_blank">learn more about the zero-day landscape in 2023</a>.</div>
rss_fields:
- title
- url
- summary
- author
- categories
- published
- entry_id
url: https://cloud.google.com/blog/topics/threat-intelligence/2023-zero-day-trends/
author: 'Mandiant '

Language

Active

Ricc internal notes

Ricc source

Show this article Back to articles