2021 was a record-breaking year in zero-day exploits – that’s both good and bad news

It has been a record-breaking year for zero-day exploits globally.
20 October 2021

Checking the website of Israel-made Pegasus spyware at an office in the Cypriot capital Nicosia. (Photo by Mario GOLDMAN / AFP)

Zero-day exploits, attacks on vulnerabilities for which defenders have had ‘zero days’ of warning and so have neither a patch nor prior experience to fall back on, have taken on a life of their own over the past year, set against the backdrop of surging online vulnerabilities during the pandemic era.

Once considered merely valuable cyberweapons in the arsenal of elite government hackers targeting other states’ critical infrastructure, publicly disclosed zero-day exploits have been on a sharp rise, including those used against high-profile targets such as the Microsoft Exchange server attack. Project Zero, a Google team devoted to identifying and cataloging zero-days, had tallied 45 incidents this year back in September – and the hacker community had likely discovered many of them long before Google did.

The number of zero-day exploits uncovered so far has already broken the record number in 2020, which saw 25 zero-days recorded. Notably, the number has been increasing every year since 2018. And now, the MIT Technology Review is reporting that multiple data researchers and cybersecurity specialists like the Zero-day tracking project are confirming that at least 66 zero-days are in active use in 2021.

That’s nearly double the amount reported from last year, and shatters the recorded number from any other year since zero-day exploits began being monitored.

An all-time high number of zero-day incidents is, on the surface, as terrifying as discovering a mounting number of any other online vulnerability, like ransomware attacks or social engineering attempts. It is even more daunting that the very nature of zero-days is that known security fixes do not exist for them yet – placing business continuity in a very precarious position.

Should the business forge ahead when the zero-day ‘surprise attack’ is a constant looming threat? “For the past few years, we have observed the set trend on the attackers’ consistent interest in finding and exploiting new zero-days,” commented Boris Larin, a security expert at Kaspersky’s Global Research and Analysis Team (GReAT).

“Previously unknown to vendors vulnerabilities, they can pose a serious threat to organizations. However, most of them share similar behaviors,” Larin continued. “That’s why it is important to rely on the latest threat intelligence and install security solutions that proactively find unknown threats.”

And therein lies the rub, from a cybersecurity expert’s point of view: record numbers of zero-day exploits grab the attention of IT and security teams, but is all the data being interpreted correctly? More to the point, the threat incident findings can be colored by a number of contributing factors, including the time since the incident was first observed, and how the threat level compares with that of other known vulnerabilities.

One takeaway is the historical origin of zero-days as state-sponsored tools to weaken the infrastructure of other governments. China, Russia, Iran, and the US are all suspected or outright known to have sophisticated zero-day capabilities, and few private groups would have access to such aggressive tools on their own, so they are more likely to purchase them from state groups, making zero-day exploits more accessible than previously.

This leads to a sharp rise in cybercriminals exploiting zero-days for monetary gain as opposed to political purposes, with many running lucrative ransomware schemes. Some observers estimate that at least one-third of recently traced zero-day hacks were by financially motivated actors, who have a vested financial interest in seeing the attack through to the end.

When zero-day exploits can be … good news?

Now here comes the kicker. More than a few industry watchers believe that despite the all-time high figures, record-setting amounts of new incidents do not immediately signal an unfolding crisis. It’s all about how one deciphers the data.

For instance, no security specialist worth their salt actually believes that zero-day incidents literally doubled from last year. It is far more likely that the number reflects how many cases were caught by cybersecurity defenders – indicating that security measures have possibly improved overall, leading to better detection of zero-day exploits.

Essentially, security teams have gotten better at spotting zero-days, leading to the higher number of confirmed incidents. That says a lot for threat detection teams and tools, but just as dropping costs for purchasing zero-days have made them more accessible to malicious actors, IT teams also have bigger budgets for digitally transforming their cyber defence line in 2021.

And there are better, data-driven tools available for those bigger budgets. Alongside sponsoring bug bounties and hackathons to test systems by brute force, security teams have also gotten more experienced at identifying more complex attacks, shifting their focus from simple intrusions to recognizing the symptoms of a more intricate attack that could be costly for the company to recover from.

All of these changing behaviors are driven, more often than not, by data and by analysis of that data. Previously, a select few IT pros at a given organization might have had a full understanding of what their antivirus covers and which endpoints their firewall is shielding. Today, insights from past patterns mean a large enterprise can potentially scan for and detect the smallest discrepancies in network activity (by comparing current behavior against historical data), and plausibly trace that anomaly across thousands of devices to pinpoint the entry point of a zero-day.
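As an added illustration of the baseline-comparison approach described above (example code written for this article, not from any vendor or project mentioned in it): each host’s activity is scored against its own history, deviations are flagged, and the earliest flagged host is taken as the place to start looking for the entry point. All host names, counts and timestamps below are constructed.

```python
"""Baseline-comparison anomaly detection over constructed per-host telemetry."""
from statistics import mean, pstdev

# Constructed sample data (not from the article): daily count of outbound
# connections to previously unseen destinations, per host, over a baseline week.
BASELINE = {
    "ws-01": [3, 2, 4, 3, 2],
    "ws-02": [1, 2, 1, 1, 2],
    "db-01": [0, 0, 1, 0, 0],
    "vpn-gw": [5, 6, 5, 4, 6],
}

# Constructed observations for the day under investigation: (time, host, count).
TODAY = [
    ("09:05", "ws-01", 3),
    ("09:12", "vpn-gw", 41),
    ("10:30", "db-01", 12),
    ("11:47", "ws-02", 1),
]


def baseline_stats(history):
    """Per-host mean and standard deviation of the historical counts.
    A floor on sigma keeps very quiet hosts from producing a zero divisor."""
    return {host: (mean(counts), max(pstdev(counts), 0.5))
            for host, counts in history.items()}


def flag_anomalies(today, stats, z_threshold=3.0):
    """Return observations that deviate from the host's own baseline.
    A host with no history is treated as near-silent, so any real activity
    from it is also worth a look."""
    flagged = []
    for ts, host, count in today:
        mu, sigma = stats.get(host, (0.0, 0.5))
        z = (count - mu) / sigma
        if z > z_threshold:
            flagged.append({"time": ts, "host": host, "count": count, "z": round(z, 1)})
    return flagged


def likely_entry_point(flagged):
    """Earliest anomalous host: the first place to investigate for initial access."""
    if not flagged:
        return None
    return min(flagged, key=lambda f: f["time"])["host"]


if __name__ == "__main__":
    hits = flag_anomalies(TODAY, baseline_stats(BASELINE))
    for hit in hits:
        print(hit)
    print("start investigation at:", likely_entry_point(hits))
```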

But as usual, it is a highly reactive dynamic between exploiters and the exploited. As cyber defenses grow more sophisticated and well-funded, hackers have to work harder, spend more, and utilize more resources to overcome them.

One advantage for them is that with the flurry of organizations migrating their data and operations to the cloud, a zero-day attack here might expose millions to threats, as opposed to just one company. And improved defense postures have forced bad actors to link together multiple zero-day exploits to create a more complex threat – but discovering these “exploit chains” is also part of the reason why zero-day detection statistics have shot up so much this year.

In essence, both sides have had to bulk up their investment, to combat the other. But just because the cybercriminals have to spend more and risk more than before, it doesn’t mean that defending against zero-days is now a given. If anything, security teams have to be constantly upskilling their knowledge and working on reducing attack surface areas, as new exploits are always being developed.