
Hackers Are Getting Caught Exploiting Zero-Day Bugs More Than Ever - WIRED

Reports from Mandiant and Google's Project Zero indicate a significant increase in the exploitation of zero-day vulnerabilities, with Mandiant tracking 80 instances in 2021 compared to 30 in 2020. This rise is attributed to improved detection and transparency, as well as a broader range of actors, including financially motivated groups, utilizing these vulnerabilities. The findings suggest that while zero-days are still less common, their exploitation is becoming more prevalent, necessitating better security practices from software developers.

Uploaded by

Baothien Le

6/11/22, 1:49 AM Hackers Are Getting Caught Exploiting Zero-Day Bugs More Than Ever | WIRED

LILY HAY NEWMAN SECURITY APR 21, 2022 10:00 AM

Hackers Are Getting Caught Exploiting New Bugs More Than Ever
A pair of reports from Mandiant and Google found a spike in exploited zero-day vulnerabilities in
2021. The question is, why?

https://www.wired.com/story/zero-day-exploits-vulnerabilities-google-mandiant/

ILLUSTRATION: SAM WHITNEY

PREVIOUSLY UNKNOWN “zero-day” software vulnerabilities are mysterious and intriguing as a concept. But
they're even more noteworthy when hackers are spotted actively exploiting the novel software flaws in the wild
before anyone else knows about them. As researchers have expanded their focus to detect and study more of this
exploitation, they're seeing it more often. Two reports this week from the threat intelligence firm Mandiant and
Google's bug hunting team, Project Zero, aim to give insight into the question of exactly how much zero-day
exploitation has grown in recent years.

Mandiant and Project Zero each have a different scope for the types of zero-days they track. Project Zero, for
example, doesn't currently focus on analyzing flaws in internet-of-things devices that are exploited in the wild. As
a result, the absolute numbers in the two reports aren't directly comparable, but both teams tracked a record high
number of exploited zero-days in 2021. Mandiant tracked 80 last year compared to 30 in 2020, and Project Zero
tracked 58 in 2021 compared to 25 the year before. The key question for both teams, though, is how to
contextualize their findings, given that no one can see the full scale of this clandestine activity.

“We started seeing a spike early in 2021, and a lot of the questions I was getting all through the year were, ‘What
the heck is going on?!’” says Maddie Stone, a security researcher at Project Zero. “My first reaction was, ‘Oh my
goodness, there’s so much.’ But when I took a step back and looked at it in the context of previous years, to see
such a big jump, that growth actually more likely is due to increased detection, transparency, and public
knowledge about zero-days.”

Before a software vulnerability is publicly disclosed, it's called a “zero-day,” because there have been zero days in
which the software maker could have developed and released a patch and zero days for defenders to start
monitoring the vulnerability. In turn, the hacking tools that attackers use to take advantage of such vulnerabilities
are known as zero-day exploits. Once a bug is publicly known, a fix may not be released immediately (or ever),
but attackers are on notice that their activity could be detected or the hole could be plugged at any time. As a
result, zero-days are highly coveted, and they are big business for both criminals and, particularly, government-
backed hackers who want to conduct both mass campaigns and tailored, individual targeting.

Zero-day vulnerabilities and exploits are typically thought of as uncommon and rarified hacking tools, but
governments have been repeatedly shown to stockpile zero-days, and increased detection has revealed just how
often attackers deploy them. Over the past three years, tech giants like Microsoft, Google, and Apple have started
to normalize the practice of noting when they're disclosing and fixing a vulnerability that was exploited before
the patch release.

While awareness and detection efforts have increased, James Sadowski, a researcher at Mandiant, emphasizes
that he does see evidence of a shift in the landscape.

“There are definitely more zero-days being used than ever before,” he says. “The overall count last year for 2021
shot up, and there are probably a couple of factors that contributed, including the industry's ability to detect this.
But there's also been a proliferation of these capabilities since 2012,” the year that Mandiant's report looks back
to. “There's been a significant expansion in volume as well as the variety of groups exploiting zero-days,” he says.

If zero-days were once the domain of elite government-backed hacking groups, they have been democratized,
Sadowski says. Financially motivated digital-crime groups, some of which employ highly skilled hackers, have
now been spotted using zero-days as well, at times for both traditional finance scams and other attacks like
ransomware. And the rise of so-called “exploit brokers,” an industry that sells information about zero-days and,
typically, a corresponding exploit, has enabled anyone with enough money to wield zero-days for their own
purposes.

For all types of actors, a lot of bread-and-butter hacking still involves exploiting vulnerabilities that became
public long ago but haven't been patched consistently. Zero-days are still less common. But by tracking which
zero-days have already been actively exploited, defenders can prioritize deploying certain patches and
mitigations in the endless stream of updates that need to be done.

Project Zero's Stone also emphasizes that while it's difficult to get a full sense of scale and context about exploited
zero-days, studying those that have been detected helps shed light on how software developers and
cybersecurity practitioners can do a better job securing products in the future. Her research showed, for example,
that many of the zero-days that were exploited in the wild in 2021 “weren't all that special,” as she puts it. This
means that when companies patch a vulnerability or write new code, they could be doing a better job hunting for
known classes of vulnerabilities and cutting off classic attack routes, so there are fewer easy bugs for attackers to
find and exploit.

“When we look at all these vulnerabilities, they look a lot like previous vulnerabilities that people have seen
before and that are publicly discussed in research,” Stone says. “And that’s not what we want. We want attackers
to have to come up with a brand-new vulnerability, all new things from the beginning to the end, rather than
being able to look at code patterns or copy and paste. The hope is to continue raising that bar.”

While the security industry scrambles to figure out how to make that happen, attackers are creating more
incidents to analyze all the time in 2022.


Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a
technology reporter at Slate magazine and was the staff writer for Future Tense, a publication and project of Slate, the New America
Foundation, and Arizona State University.
