By Kim Crawley
The latest research from zero-day hunters at Google shows that reporting and detection tools are improving.
Google's Project Zero tracked more than double the number of in-the-wild zero-days last year than in any year since it started tracking these dangerous software vulnerabilities in 2014.
“Is it that software security is getting worse? Or is it that attackers are using 0-day exploits more? Or has our ability to detect and disclose 0-days increased? When looking at the significant uptick from 2020 to 2021, we think it’s mostly explained by the latter,” according to Maddie Stone, a security researcher at Google Project Zero, the company’s team that tracks zero-days.
In a recent blog post on the 2021 findings, the group analyzed the 58 in-the-wild zero-days detected and disclosed last year, along with the trends, attack patterns and techniques it was able to identify. Even though 2021 more than doubled the previous high of 28 in 2015, attacker techniques haven't changed much.
“With this record number of in-the-wild 0-days to analyze, we saw that attacker methodology hasn’t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces,” wrote Stone.
It’s tough enough for organizations to manage and mitigate known vulnerabilities, but zero-day exploits pose a unique challenge. They are often an attacker’s most powerful tool, and when used against businesses, organizations and individuals they can have devastating consequences. As Google noted, there were many reports last year of zero-day exploits used against journalists, human rights groups and government officials.
Key findings from Google’s Project Zero report:
- The exploits detected in 2021 are very similar to the exploits Google Project Zero tracked in previous years. There are new CVE records, but the nature of the vulnerabilities and how they’re exploited are fairly typical of previous trends.
- Sixty-seven percent (39 of 58) of the zero-days found in 2021 were memory corruption vulnerabilities, making memory safety the dominant bug class, as it has been in previous years. Those 39 include four buffer overflows, four integer overflows, six out-of-bounds reads and writes, and 17 use-after-frees.
- Nearly all of the 58 zero-days detected in 2021 follow familiar patterns. But there’s one outlier, CVE-2021-30860, an integer overflow in the CoreGraphics PDF decoder that Apple patched in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6 and watchOS 7.6.2. Project Zero researchers Samuel Groß and Ian Beer described how unusual the exploit is: “The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.” Project Zero said it hopes this signals a trend of attackers having to work harder to land a successful zero-day exploit.
- Some exploit campaigns relied on classic techniques, such as targeted phishing links and device fingerprinting, before the exploit itself was served. CVE-2021-21166 and CVE-2021-30551 are good examples. Google’s Maddie Stone and Clement Lecigne wrote: “Both of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia. The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users. When a target clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client and generate ECDH keys to encrypt the exploits, and then send this data back to the exploit server. The information collected from the fingerprinting phase included screen resolution, timezone, languages, browser plugins and available MIME types.”
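The integer-overflow bug class behind CVE-2021-30860 is easiest to see in a generic image-decoder size computation. The following C is an added illustration, not code from the Project Zero write-up or from Apple's CoreGraphics, and it is not a reconstruction of the actual CVE-2021-30860 bug: the `struct image` layout, the dimensions used, and the `MAX_IMAGE_BYTES` limit are constructed assumptions for the example. It places the vulnerable size computation beside a hardened one that uses the GCC/Clang checked-multiply builtin.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed image header for this example (not a real decoder's layout). */
struct image {
    uint32_t width;
    uint32_t height;
    size_t   alloc;    /* bytes actually allocated for pixels */
    uint8_t *pixels;
};

/* VULNERABLE pattern: width * height is computed in 32 bits and silently
 * wraps. With width = 0x10000 and height = 0x10001 the true product is
 * 0x100010000 bytes, which truncates to 0x10000 (64 KiB). The decoder then
 * owns a 64 KiB buffer while believing it has room for 4 GiB + 64 KiB, so
 * every pixel write beyond 64 KiB is a heap overflow. The buffer is only
 * allocated here, never written past its end, so the example stays safe. */
int image_alloc_vuln(struct image *img, uint32_t width, uint32_t height) {
    uint32_t nbytes = width * height;          /* wraps modulo 2^32 */
    img->pixels = malloc(nbytes);
    if (img->pixels == NULL)
        return -1;
    img->width  = width;
    img->height = height;
    img->alloc  = nbytes;
    return 0;
}

/* HARDENED version: reject zero dimensions, multiply with overflow detection
 * in size_t, and cap the result with an explicit decoder limit (an assumed
 * value here) so absurd headers are refused before any allocation. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

int image_alloc_safe(struct image *img, uint32_t width, uint32_t height) {
    size_t nbytes;
    if (width == 0 || height == 0)
        return -1;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &nbytes))
        return -1;                              /* product does not fit */
    if (nbytes > MAX_IMAGE_BYTES)
        return -1;                              /* fits, but unreasonable */
    img->pixels = calloc(nbytes, 1);
    if (img->pixels == NULL)
        return -1;
    img->width  = width;
    img->height = height;
    img->alloc  = nbytes;
    return 0;
}

/* How many bytes a decoder loop driven by the header would try to write.
 * A gap between this and img->alloc is exactly the out-of-bounds write. */
size_t image_bytes_claimed(const struct image *img) {
    return (size_t)img->width * (size_t)img->height;
}

void image_free(struct image *img) {
    free(img->pixels);
    img->pixels = NULL;
    img->alloc  = 0;
}

int main(void) {
    struct image img;
    /* Crafted header: 0x10000 x 0x10001 wraps to 0x10000 in 32 bits. */
    if (image_alloc_vuln(&img, 0x10000u, 0x10001u) == 0) {
        printf("vulnerable: allocated %zu bytes, decoder will write %zu\n",
               img.alloc, image_bytes_claimed(&img));
        image_free(&img);
    }
    if (image_alloc_safe(&img, 0x10000u, 0x10001u) != 0)
        printf("hardened: crafted header rejected\n");
    if (image_alloc_safe(&img, 640u, 480u) == 0) {
        printf("hardened: 640x480 accepted, %zu bytes\n", img.alloc);
        image_free(&img);
    }
    return 0;
}
```

The check that matters is the one in `image_alloc_safe`: a wrapped size never reaches `malloc`, and the explicit cap means a header can't even request an absurd but non-overflowing allocation. Compile with `-fsanitize=undefined` or `-ftrapv` to catch the wrapping multiply in the vulnerable path at runtime during testing.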
Essentially, Google wants to make it harder for attackers to exploit zero-days, and there is some evidence in its research that this is happening. While there’s progress in discovering and disclosing zero-days, Project Zero says there is still a lot of room for improvement. Specifically, it calls on companies to disclose more, to share more exploit samples and details of attacker techniques, and to work harder to eliminate memory corruption vulnerabilities.
It’s also important that once organizations know about a zero-day, they act quickly to find and fix that vulnerability. That requires vigilance and the right approach to testing with an offensive mindset to ensure an organization’s entire attack surface is hardened against the most sophisticated attackers.