Mandiant, now a part of Google Cloud, tracked 55 zero-day vulnerabilities that the company judges to have been exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost triple the number from 2020.

Chinese state-sponsored cyber espionage groups exploited more zero-days than other cyber espionage actors in 2022, which is consistent with previous years.

Mandiant identified four zero-day vulnerabilities exploited by financially motivated threat actors. 75% of these instances appear to be linked to ransomware operations.

Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6).

Mandiant anticipates that the longer term trendline for zero-day exploitation will continue to rise, with some fluctuation from year to year. Attackers seek stealth and ease of exploitation, both of which zero-days can provide. While the discovery of zero-day vulnerabilities is a resource-intensive endeavour and successful exploitation is not guaranteed, the total number of vulnerabilities disclosed and exploited has continued to grow, the types of targeted software, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has expanded.

Mandiant tracked 13 zero-days in 2022 that were assessed with moderate to high confidence to have been exploited by cyber espionage groups. Consistent with previous years, Chinese state-sponsored groups continue to lead exploitation of zero-day vulnerabilities with seven zero-days exploited or over 50% of all zero-days Mandiant could confidently link to known cyber espionage actors or motivations. Notably, at a slightly elevated rate compared to previous years, the organisation identified two zero-day vulnerabilities that were exploited by suspected North Korean actors.

Commercial vendors again made headlines in 2022 during which tool suites or exploitation frameworks utilised by their customers accounted for three zero-days, or approximately one quarter of all vulnerabilities attributed to state-sponsored espionage activity. Despite recent struggles of some high-profile vendors, Mandiant assesses with moderate confidence that there continues to be a very active and vibrant market for third-party malware, particularly surveillance tools, across the globe.

Though the proportion of zero-days exploited in financially motivated operations declined in 2022, n-day vulnerability exploitation – the exploitation of vulnerabilities that have already received patches – remains one of the most frequently observed initial infection vectors in Mandiant Incident Response and Managed Defense investigations of ransomware and/or extortion incidents. In 2022, Mandiant identified four zero-day vulnerabilities as likely exploited in financially motivated operations, mostly linked to ransomware activity.

See more on the report at this link: https://www.mandiant.com/resources/blog/zero-days-exploited-2022