Google Reports 75 Zero-Day Vulnerabilities Exploited in 2024, with 44% Targeting Enterprise Security Products

In 2024, Google’s Threat Intelligence Group (GTIG) identified 75 zero-day vulnerabilities actively exploited in the wild, marking a decrease from the 98 recorded in 2023. Notably, 44% of these vulnerabilities targeted enterprise products, with 20 flaws specifically affecting security software and appliances.

The exploitation of zero-day vulnerabilities in browsers and mobile devices saw a significant decline, decreasing by approximately one-third for browsers and by about half for mobile devices compared to the previous year. Despite this reduction, exploit chains comprising multiple zero-day vulnerabilities continued to predominantly target mobile devices, accounting for nearly 90% of such attacks.

Microsoft Windows was the most affected platform, with 22 zero-day flaws exploited in 2024. Apple’s Safari had three, iOS had two, Android had seven, Chrome had seven, and Mozilla Firefox had one exploited vulnerability during the same period. Of the seven zero-days exploited in Android, three were found in third-party components.

Enterprise software and appliances were significantly impacted, with 33 zero-day vulnerabilities exploited. Of these, 20 targeted security and network products from vendors such as Ivanti, Palo Alto Networks, and Cisco. Security and network tools are particularly attractive targets for threat actors because they sit at the junctions between systems and devices and run with high-level permissions, so compromising one provides efficient access into an enterprise network.

In total, 18 unique enterprise vendors were targeted in 2024, compared to 12 in 2021, 17 in 2022, and 22 in 2023. The vendors with the most targeted zero-days were Microsoft (26), Google (11), Ivanti (7), and Apple (5).

The exploitation of 34 of the 75 zero-day vulnerabilities was attributed to six broad threat activity clusters:

– State-sponsored espionage (10): Predominantly led by China (5), with additional activities from Russia (1) and South Korea (1). Examples include CVE-2023-46805 and CVE-2024-21887.

– Commercial surveillance vendors (8): Examples include CVE-2024-53104, CVE-2024-32896, and CVE-2024-29745/CVE-2024-29748.

– Non-state financially motivated groups (5): An example is CVE-2024-55956.

– State-sponsored espionage and financially motivated groups (5): All from North Korea, with examples including CVE-2024-21338 and CVE-2024-38178.

– Non-state financially motivated groups also conducting espionage (2): All from Russia, with examples such as CVE-2024-9680 and CVE-2024-49039.

In November 2024, Google discovered a malicious JavaScript injection on the website of the Diplomatic Academy of Ukraine, which exploited CVE-2024-44308, leading to arbitrary code execution. This was combined with CVE-2024-44309, a cookie management vulnerability in WebKit, to perform a cross-site scripting (XSS) attack and collect users’ cookies, enabling unauthorized access to login.microsoftonline[.]com.

Additionally, Google independently identified an exploit chain targeting Firefox and Tor browsers, leveraging CVE-2024-9680 and CVE-2024-49039 to escape the Firefox sandbox and execute malicious code with elevated privileges. This facilitated the deployment of the RomCom Remote Access Trojan (RAT). This activity has been attributed to the threat actor known as RomCom (also referred to as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu), which Google tracks under the name CIGAR.

The findings underscore the persistent and evolving threat posed by zero-day vulnerabilities, particularly against enterprise security products. Organizations are urged to prioritize timely patching, implement robust security measures, and stay informed about emerging threats to mitigate the risks associated with these vulnerabilities.