Why more zero-day vulnerabilities are being found in the wild | #ios | #apple | #iossecurity


The number of zero-days exploited in the wild has been high over the past year and a half, with different kinds of actors using them. These vulnerabilities, which are unknown to the software maker, are leveraged by both state-sponsored groups and ransomware gangs.

During the first half of this year, Google Project Zero counted almost 20 zero-days, most of which target products built by Microsoft, Apple and Google, with browsers and operating systems taking up large chunks. In addition, a critical remote code execution vulnerability was found in Atlassian’s Confluence Server, which continues to be exploited. But in 2021, the number of in-the-wild zero-days was even higher. Project Zero found 58 vulnerabilities, while Mandiant detected 80–more than double compared to 2020.

“Every zero-day we identify increases our understanding of what is possible and better enables us to find similar vulnerabilities in the same or other pieces of technology,” says James Sadowski, principal analyst at Mandiant. “The more we see, the more we can detect.”

Nation-state groups continue to lead the exploits game, but cybercriminals are catching up. About one in three actors using zero-days last year was financially motivated, according to Mandiant.

The rise in zero-day exploits and the various types of actors using them can be a cause of concern for organizations regardless of their size. On the flip side, it can also provide valuable learning opportunities for the security industry.

Most zero-days follow old patterns

Although the number of zero-days is at record levels, in reality it could be even bigger. “Since attackers don’t share all their zero-days with us, the best number we can track is the zero-days detected and disclosed as in-the-wild, rather than the number that are used,” Maddie Stone, security researcher at Google Project Zero, says.

Copyright © 2022 IDG Communications, Inc.



Original Source link

Leave a Reply

Your email address will not be published.

twenty four − 22 =