
Zero-day vulnerabilities—security flaws exploited before a fix is available—remain a major cybersecurity threat. Google’s Threat Intelligence Group (GTIG) has released its 2024 analysis, revealing a troubling shift: attackers are now targeting the very security tools and network infrastructure organizations depend on.
This year’s findings highlight a growing trend of using unknown flaws to turn defenses into attack vectors. Explore the 2024 Zero-Day report to understand the evolving threat landscape and the rising role of advanced threat actors and exploit vendors.
The Numbers Game: 75 Zero-Days Exploited, But the Story is Deeper
GTIG tracked a total of 75 zero-day vulnerabilities exploited in the wild throughout 2024. While this number is a decrease from the peak of 98 observed in 2023, it still represents a substantial increase from the 63 zero-days seen in 2022. This fluctuation in raw numbers is less important than the underlying trend Google highlights: zero-day exploitation continues its gradual upward trajectory over the past four years, cementing its appeal as a highly sought-after capability for attackers seeking stealth and guaranteed access.
The Shifting Focus: Enterprise Technologies Now Prime Targets
The most critical takeaway from the 2024 data is where attackers are finding and exploiting zero-days. The report reveals a significant pivot:
- 44% Targeted Enterprise Products: A remarkable 44% (33 out of 75) of the zero-days exploited in 2024 specifically targeted enterprise-focused technologies, including security software, networking products, and appliances. This is a sharp increase from the 37% targeting enterprise in 2023 and a continued rise in prominence for this category.
- Security and Networking in the Crosshairs: Within the enterprise category, 20 of the 33 zero-days specifically impacted security and networking products. This represents a substantial 60% of enterprise zero-days focusing on these critical infrastructure components.
Why the focus on security and networking products? GTIG researchers note that these tools and devices are highly valuable targets. They are designed to connect widespread systems, often possess high permissions, and are intended to manage other products and services.
Successfully exploiting a zero-day in a security or networking appliance can provide attackers with expansive access and control over the enterprise network, offering an efficient pathway for deep penetration and data exfiltration, often with fewer opportunities for detection compared to targeting end-user devices.
End-User Exploitation: A Relative Decline (But Still Present)
In contrast to the surge in enterprise targeting, the exploitation of end-user platforms and products saw a relative decline:
- 56% Targeted End-User: 56% (42 out of 75) of the zero-days targeted end-user platforms like mobile devices, operating systems, and browsers.
- Browser and Mobile Exploitation Decreases: Zero-day exploitation specifically targeting browsers fell by approximately a third in 2024 compared to 2023 (down from 17 to 11), while mobile device exploitation decreased by about half (down from 17 to 9). Chrome remained the primary target among browsers, likely reflecting its vast user base.
- Windows OS Exploitation Increase: Countering the overall end-user trend, the number of zero-days affecting desktop operating systems (OSs), particularly Microsoft Windows, increased in 2024 (22 zero-days vs. 17 in 2023). Given Windows’ widespread use, it remains a popular target for both zero-day and N-day (post-patch) exploitation.
While the raw numbers for browser and mobile zero-days decreased, these platforms are still targeted. More importantly, exploit chains are increasingly leveraging multiple zero-days (sometimes spanning different platforms) to achieve their objectives, often with the ultimate goal of compromising mobile devices (~90% of exploit chains targeted mobile devices).
Who is Driving Exploitation? Unpacking the Attackers Behind the Zero-Days
Attributing zero-day exploitation is complex, but GTIG’s analysis links the 2024 activity to six broad threat activity clusters:
- Cyber Espionage Actors Lead: Actors conducting cyber espionage operations accounted for over 50% of the attributed zero-days.
- State-Sponsored Groups: Government-backed groups remain major players. The People’s Republic of China (PRC)-backed groups were the most prolific state-sponsored zero-day exploiters, responsible for 5 zero-days, exclusively targeting security and networking technologies. North Korean state actors were tied to 5 zero-days, notably mixing financially motivated operations with espionage. Russian and South Korean state actors were linked to fewer zero-days individually.
- Commercial Surveillance Vendors (CSVs): These vendors, who develop and sell exploitation capabilities (often to governments or law enforcement), were attributed 8 zero-days. While their total count decreased from 2023, their role in the ecosystem and access to zero-day exploits remains significant, often providing these capabilities to other actors.
- Non-State Financially Motivated Groups: Clusters like FIN11 (known for extortion) and others were attributed zero-days, often exploiting vulnerabilities in file transfer products to conduct data theft for financial gain. Some groups, like CIGAR (also tracked as UNC4895/RomCom), exhibit mixed motivations, blending financial objectives with espionage, sometimes potentially on behalf of governments.
This attribution highlights that while state-sponsored espionage remains a primary driver, the zero-day market is diversified, with exploit capabilities being developed and leveraged by a variety of sophisticated actors, including CSVs and advanced financially motivated groups.
Zero-Days in Action: Spotlight on Notable Exploit Chains
To illustrate the sophistication of modern zero-day attacks, GTIG detailed several notable exploit chains from 2024:
- Stealing Cookies with WebKit (CVE-2024-44308, CVE-2024-44309): This chain, targeting macOS users via a compromised website (Ukraine Diplomatic Academy), leveraged a WebKit RCE vulnerability (CVE-2024-44308) and a data isolation bypass (CVE-2024-44309) to steal user cookies for login.microsoftonline.com. This highlights how attackers chain distinct vulnerabilities and prioritize high-value targets like authentication sessions.
- CIGAR’s Local Privilege Escalation via Firefox/Tor (CVE-2024-9680, CVE-2024-49039): The dual-motivated CIGAR group deployed a fully weaponized exploit chain targeting Firefox and Tor browsers. This chain involved a use-after-free RCE (CVE-2024-9680) and a sandbox escape/local privilege escalation (CVE-2024-49039) exploiting vulnerabilities in Windows components (WPTaskScheduler.dll RPC server ACLs), ultimately allowing them to gain NT/SYSTEM privileges and deploy malware like RomCom RAT. This demonstrates attackers combining browser exploits with OS/system vulnerabilities for full system compromise.
- APT37 Microsoft Zero-Day (CVE-2024-38178): This North Korean group reportedly exploited a zero-day in Microsoft products via malicious advertisements served to South Korean users, triggering zero-click execution.
- North Korean Windows AppLocker Driver Zero-Day (CVE-2024-21338): North Korean actors also exploited a zero-day vulnerability in a legitimate Windows AppLocker driver to gain kernel-level access, a technique that abuses trusted system components to bypass security tools like EDR.
These examples underscore that zero-day exploitation is often not a single vulnerability but a carefully orchestrated chain of exploits, targeting specific platforms and leveraging system interactions to achieve stealth and high privileges.
Implications and Outlook: A Race of Strategy and Prioritization
The Google GTIG report’s findings have crucial implications for vendors and defenders alike:
- Vendors Under Pressure: The increasing focus on enterprise security and networking products puts significant pressure on vendors in this space. They must prioritize secure coding practices, rigorously audit configurations and architectural decisions, and invest heavily in detection capabilities for these high-value targets. The continued exploitation of similar vulnerability types (use-after-free, command injection, XSS) suggests attackers are finding recurring weaknesses.
- Defenders Need to Rethink Prioritization: Organizations can no longer assume that end-user platforms are the primary source of zero-day risk. Prioritizing patching and security hardening based solely on historical trends or end-user impact is insufficient. A more strategic, risk-based approach is needed, heavily prioritizing security and networking devices and any platform identified as a target by sophisticated actors or in KEV lists.
- Zero-Days Will Remain Appealing: The stealth, persistence, and high privileges offered by zero-day exploitation ensure it will remain a coveted capability for advanced threat actors.
- Continuous Monitoring is Key: Given the speed at which zero-days can be exploited after disclosure, robust monitoring and threat intelligence capabilities are essential to detect unusual activity that might signal the use of a zero-day before a patch is even available. Vendors need to improve EDR capabilities for technologies currently lacking them.
- Architecture Matters: Vendors must focus on security architecture fundamentals, including zero trust principles, least privilege, and network segmentation, to limit the blast radius of an exploited vulnerability if one is found.
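The risk-based prioritization recommended above (and again in the FAQ) can be made concrete as a small triage routine. This is an added example, not code from GTIG or the report: it ranks open findings by KEV-catalogue membership, the report's product categories (security/networking appliances ahead of other enterprise products, ahead of end-user platforms) and internet exposure. The KEV records, inventory, dates and the `CVE-XXXX-APPLIANCE` identifier are constructed placeholders.

```python
"""Risk-based patch triage in the spirit of the GTIG recommendations.

Added example, not code from the report. Findings are scored by
(1) presence in a KEV-style catalogue, (2) product category as the report
groups it, and (3) internet exposure. All sample data below is constructed.
"""
import json

# Constructed sample shaped like the CISA KEV JSON feed (subset of fields).
# Dates and CVE-XXXX-APPLIANCE are placeholders, not real catalogue entries.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-9680", "product": "Firefox", "dateAdded": "2024-01-01"},
    {"cveID": "CVE-2024-49039", "product": "Windows", "dateAdded": "2024-01-01"},
    {"cveID": "CVE-2024-21338", "product": "Windows", "dateAdded": "2024-01-01"},
    {"cveID": "CVE-XXXX-APPLIANCE", "product": "VPN appliance", "dateAdded": "2024-01-01"},
]})

# Weights encode the report's thesis: exploited-in-the-wild (KEV) first,
# then security/networking devices, which are now the most targeted class.
CATEGORY_WEIGHT = {"security_networking": 50, "enterprise_other": 30, "end_user": 10}
KEV_WEIGHT = 100
EXPOSED_WEIGHT = 20


def load_kev_ids(kev_json: str) -> set[str]:
    """Return the set of CVE IDs present in a KEV-format JSON document."""
    return {entry["cveID"] for entry in json.loads(kev_json)["vulnerabilities"]}


def score_finding(finding: dict, kev_ids: set[str]) -> int:
    """Higher score means patch sooner."""
    score = CATEGORY_WEIGHT[finding["category"]]
    if finding["cve"] in kev_ids:
        score += KEV_WEIGHT
    if finding.get("internet_exposed"):
        score += EXPOSED_WEIGHT
    return score


def prioritize(findings: list[dict], kev_json: str) -> list[tuple[str, str, int]]:
    """Return (asset, cve, score) tuples, highest priority first."""
    kev_ids = load_kev_ids(kev_json)
    scored = [(f["asset"], f["cve"], score_finding(f, kev_ids)) for f in findings]
    return sorted(scored, key=lambda row: (-row[2], row[0]))


# Constructed inventory of open findings (hypothetical asset names).
SAMPLE_FINDINGS = [
    {"asset": "laptop-042", "cve": "CVE-2024-9680", "category": "end_user"},
    {"asset": "dc-01", "cve": "CVE-2024-49039", "category": "enterprise_other"},
    {"asset": "edge-vpn-01", "cve": "CVE-XXXX-APPLIANCE",
     "category": "security_networking", "internet_exposed": True},
    {"asset": "workstation-07", "cve": "CVE-2024-21338", "category": "end_user"},
]

if __name__ == "__main__":
    for asset, cve, score in prioritize(SAMPLE_FINDINGS, SAMPLE_KEV_JSON):
        print(f"{score:4d}  {asset:15s} {cve}")
```

With these weights the exposed VPN appliance sorts first even though every finding is KEV-listed, which is the reordering the report argues for.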
Conclusion: Adapting to the Evolving Zero-Day Frontier
While the total number of zero-days fluctuated, the strategic shift by sophisticated attackers towards enterprise security and networking products is a critical development. Coupled with ongoing exploitation by state-sponsored groups and CSVs, and the use of increasingly complex exploit chains, the zero-day frontier remains highly active and dangerous.
Defenders must acknowledge this shift, prioritize the security of their critical enterprise infrastructure, accelerate patching efforts, and leverage advanced threat intelligence and monitoring. The race against zero-days is one of strategy, prioritization, and rapid adaptation – a race where staying informed by reports like GTIG’s is not just helpful, but fundamental to survival.
Frequently Asked Questions (FAQ)
- What is a zero-day vulnerability? A zero-day vulnerability is a software or hardware flaw that is unknown to the vendor, for which no patch or fix exists. It is exploited by attackers “in the wild” before the vendor is aware or a patch can be developed.
- How many zero-days were exploited in the wild in 2024 according to Google GTIG? Google’s Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities that were exploited in the wild during 2024.
- Who is primarily driving zero-day exploitation? According to the GTIG report, zero-day exploitation is primarily driven by cyber espionage actors, particularly state-sponsored groups (like PRC and North Korea), and Commercial Surveillance Vendors (CSVs) who sell exploit capabilities.
- What types of targets saw an increase in zero-day exploitation in 2024? The exploitation of zero-days targeting enterprise-focused technologies, especially security software and networking products, saw a significant increase in 2024, accounting for 44% of all zero-days.
- What should organizations do to defend against zero-day exploitation? Organizations should prioritize rapid patching of known vulnerabilities, especially for edge devices and security/networking products; improve threat intelligence to detect potential exploitation early; apply zero trust principles (least privilege, segmentation); and enhance security monitoring capabilities (like EDR) for detecting anomalous activity.