Full Report
Google's Threat Intelligence Group (GTIG) says attackers exploited 75 zero-day vulnerabilities in the wild last year, over 50% of which were linked to spyware attacks. [...]
Analysis Summary
This article summarizes trends in zero-day exploitation observed by Google's Threat Intelligence Group (GTIG) during 2024 rather than a single, specific CVE. The CVE details below are therefore a summary of the identified trends, and the remediation details focus on the vendors the report names as targets.
# Vulnerability: Summary of the 75 Zero-Days Exploited in the Wild in 2024 (Trend Report)
## CVE Details
- CVE ID: N/A (aggregation of the 75 zero-days GTIG observed exploited in the wild in 2024)
- CVSS Score: N/A (Varies per vulnerability)
- CWE: N/A (Varies per vulnerability)
## Affected Systems
- Products: Browsers (Google Chrome was the primary browser target), desktop operating systems (Microsoft Windows specifically), and security and networking software/appliances (Ivanti Cloud Services Appliance, Cisco Adaptive Security Appliance, Palo Alto Networks PAN-OS, Ivanti Connect Secure VPN).
- Versions: Not specified in the report; each underlying flaw affects the versions that were unpatched at the time it was exploited as a zero-day.
- Configurations: Internet-facing security and networking appliances were disproportionately targeted, because compromising one such device gives broad access to the network behind it.
## Vulnerability Description
Google observed 75 zero-day vulnerabilities exploited in the wild during 2024. Over 50% of them were linked to spyware attacks. Browser exploits fell by roughly one-third (to 11), while desktop OS exploits rose (Windows alone accounted for 22 exploited zero-days). Crucially, exploitation shifted towards enterprise environments: 44% of zero-days targeted business products, and security and networking appliances accounted for over 60% of those enterprise-targeted exploits, showing that attackers prioritised single points of failure that yield broad access.
## Exploitation
- Status: Exploited in the wild (75 observed cases)
- Complexity: Varies per flaw; the report does not score complexity per CVE. Attack requirements generally differ by target class: a flaw in an Internet-facing appliance is reachable without any user interaction, whereas a browser flaw requires the victim to load attacker-controlled content.
- Attack Vector: Varies; appliance flaws are reached over the network from the Internet (Network), browser flaws over the network via attacker-controlled content (Network), and desktop OS flaws typically from a foothold already on the host (Local).
## Impact
The impact differs for each specific zero-day, but across the 75 exploited flaws the observed impacts fall into these categories:
- Confidentiality: High (especially where the exploit delivered spyware)
- Integrity: High (a compromised appliance or endpoint lets the attacker alter configuration and deploy further tooling)
- Availability: Moderate to High (depends on the targeted system or device)
## Remediation
### Patches
No single patch applies, because this covers multiple distinct vendor vulnerabilities. Remediation means applying the vendor-specific patches for the individual CVEs that have since been disclosed, starting with the vendors the report names as targets:
- Ivanti (for Cloud Services Appliance and Connect Secure VPN)
- Cisco (for Adaptive Security Appliance)
- Palo Alto Networks (for PAN-OS)
### Workarounds
Because these flaws were already being exploited before patches existed, the practical workaround is to reduce the exposure of high-value enterprise targets such as security appliances until vendor patches can be applied: restrict their management interfaces to trusted networks, segment them from the rest of the estate, and monitor them closely. The report also notes that vendors' mitigation work has had some success in reducing exploitation of historically popular products.
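The patching and segmentation steps above reduce to an inventory question: which devices are unpatched, which of those are Internet-facing, and in what order to act. The script below is an added example of that triage, not code from the GTIG report or from any vendor. Every device record and every entry in `FIXED_VERSION` is a constructed placeholder; the real fixed versions must be taken from each vendor's advisory for the CVEs behind the report. It also shows why version strings must be compared numerically rather than lexically.

```python
"""Triage an edge-appliance inventory against vendor fixed versions.

Added example, not part of the GTIG report. Every device record and every
version number in FIXED_VERSION is a constructed placeholder; take the real
fixed versions from each vendor's advisory for the CVEs behind the report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Device:
    host: str
    vendor: str
    product: str
    version: str
    internet_facing: bool


# Hypothetical "first fixed version" per product (placeholders, not advisory data).
FIXED_VERSION = {
    ("Ivanti", "Cloud Services Appliance"): "5.0.3",
    ("Ivanti", "Connect Secure"): "22.7.2",
    ("Cisco", "Adaptive Security Appliance"): "9.18.4",
    ("Palo Alto Networks", "PAN-OS"): "11.1.3",
}

# Constructed inventory. csa-lab-4 is deliberately on 5.0.10, which a naive
# string comparison would rank below the fixed version 5.0.3.
INVENTORY = [
    Device("vpn-edge-1", "Ivanti", "Connect Secure", "22.6.2", True),
    Device("fw-dc-2", "Palo Alto Networks", "PAN-OS", "11.1.3", True),
    Device("asa-branch-3", "Cisco", "Adaptive Security Appliance", "9.18.2", False),
    Device("csa-lab-4", "Ivanti", "Cloud Services Appliance", "5.0.10", True),
    Device("lb-core-5", "F5", "BIG-IP", "17.1.0", True),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.2.10-h2' into (10, 2, 10, 2) so numeric ordering is used.
    Comparing the raw strings gets it wrong: '10.2.10' < '10.2.9'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_patched(device: Device) -> Optional[bool]:
    """True/False against the fixed version, None if the product is unknown."""
    fixed = FIXED_VERSION.get((device.vendor, device.product))
    if fixed is None:
        return None
    return parse_version(device.version) >= parse_version(fixed)


def triage(devices: List[Device]) -> List[Tuple[str, str]]:
    """Order devices by urgency: unpatched and Internet-facing first, then
    unpatched internal, then products with no advisory data, then patched."""
    rows = []
    for d in devices:
        patched = is_patched(d)
        if patched is None:
            rows.append((3, d.host, "no fixed-version data; check the vendor advisory"))
        elif patched:
            rows.append((4, d.host, "patched"))
        elif d.internet_facing:
            rows.append((1, d.host, "patch now; until then restrict access, segment, and hunt for compromise"))
        else:
            rows.append((2, d.host, "patch in the next window; segment from user networks"))
    rows.sort()
    return [(host, action) for _, host, action in rows]


def run_triage() -> List[Tuple[str, str]]:
    return triage(INVENTORY)


if __name__ == "__main__":
    for host, action in run_triage():
        print(f"{host:14} {action}")
```

Devices with no fixed-version data are ranked above patched ones on purpose: an unknown product is an unassessed exposure, not a safe one. The version parser ignores non-numeric suffixes, which is adequate for the dotted schemes shown but would need vendor-specific handling where a suffix changes ordering.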
## Detection
- Indicators of Compromise: Vary with the specific exploit and the payload (spyware or other tooling) delivered through each zero-day.
- Detection methods and tools: Prioritise monitoring of network perimeter devices (VPNs, firewalls) and of endpoints for novel or unexpected process executions, particularly ones that bypass traditional security controls, since that is what zero-day exploitation looks like before a signature exists. Keep threat intelligence feeds current so that signatures for the payloads already tied to these exploits are applied promptly.
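"Unexpected process executions" can be made concrete as a parent-to-child process baseline: learn which parent/child pairs a host normally produces, alert on anything new, and escalate when a process that handles untrusted input (an appliance's web front end, a browser) spawns a shell. The following is an added example of that logic, not code from the GTIG report or from any EDR product. The JSON-lines event format, the host names and all events are constructed for illustration.

```python
"""Flag unexpected process executions in endpoint process-creation telemetry.

Added example, not part of the GTIG report. The JSON-lines event format, the
host names and every event below are constructed for illustration and are
not the logs of any real product.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed baseline telemetry from a window believed to be clean.
BASELINE_LOG = """\
{"host":"vpn-edge-1","parent":"httpd","child":"python3","cmd":"python3 /opt/app/health.py"}
{"host":"vpn-edge-1","parent":"cron","child":"sh","cmd":"sh /etc/cron.daily/logrotate"}
{"host":"ws-17","parent":"explorer.exe","child":"chrome.exe","cmd":"chrome.exe"}
{"host":"ws-17","parent":"chrome.exe","child":"chrome.exe","cmd":"chrome.exe --type=renderer"}
"""

# Constructed events to analyse. Two of them model the classic post-exploitation
# tell: a network-facing process (an appliance's web front end, a browser)
# spawning a shell it never spawns in normal operation.
NEW_LOG = """\
{"host":"vpn-edge-1","parent":"httpd","child":"python3","cmd":"python3 /opt/app/health.py"}
{"host":"vpn-edge-1","parent":"httpd","child":"sh","cmd":"sh -c 'id; uname -a'"}
{"host":"ws-17","parent":"chrome.exe","child":"powershell.exe","cmd":"powershell.exe -w hidden"}
{"host":"ws-17","parent":"explorer.exe","child":"notepad.exe","cmd":"notepad.exe"}
{"host":"ws-17","parent":"explorer.exe","child":"chrome.exe","cmd":"chrome.exe"}
"""

# Parents that handle untrusted input and should essentially never spawn shells.
NETWORK_FACING: Set[str] = {"httpd", "nginx", "sshd", "openvpn", "chrome.exe", "firefox.exe"}
SHELLS: Set[str] = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}

Baseline = Dict[str, Set[Tuple[str, str]]]


def parse_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events: List[dict]) -> Baseline:
    """Per-host set of (parent, child) pairs seen during the clean window."""
    seen: Baseline = defaultdict(set)
    for e in events:
        seen[e["host"]].add((e["parent"], e["child"]))
    return seen


def detect(baseline: Baseline, events: List[dict]) -> List[dict]:
    """Alert on any parent->child pair not in the host's baseline; raise
    severity when a network-facing parent spawns a shell."""
    alerts = []
    for e in events:
        if (e["parent"], e["child"]) in baseline.get(e["host"], set()):
            continue
        high = e["parent"] in NETWORK_FACING and e["child"] in SHELLS
        alerts.append({
            "host": e["host"],
            "severity": "high" if high else "medium",
            "parent": e["parent"],
            "child": e["child"],
            "cmd": e["cmd"],
        })
    return alerts


def run_detection() -> List[dict]:
    return detect(build_baseline(parse_events(BASELINE_LOG)), parse_events(NEW_LOG))


if __name__ == "__main__":
    for a in run_detection():
        print(f'{a["severity"]:6} {a["host"]:11} {a["parent"]} -> {a["child"]}  {a["cmd"]}')
```

Two caveats apply in practice. The baseline is only as clean as the window it was learned from, so a host compromised before learning will have the attacker's behaviour whitelisted; and a per-host baseline is stricter than a fleet-wide one, which suits appliances (few, predictable processes) better than general-purpose workstations, where the medium-severity tier will be noisy until tuned.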
## References
- GTIG published report via Google Cloud Blog: hxxps://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends