Google-owned cybersecurity firm Mandiant has analyzed the zero-day vulnerabilities disclosed in 2022 and counted 55 that were exploited in attacks. Mandiant counts a vulnerability as a zero-day only if it was exploited in the wild before a patch was publicly available. The figure is a significant drop from the 81 zero-days Mandiant counted for 2021, but it is still higher than in any earlier year.
Of the 2022 zero-days that Mandiant could attribute, 13 were linked to cyberespionage groups, including seven believed to have been exploited by Chinese state-sponsored actors. Chinese groups targeted vulnerabilities such as CVE-2022-30190 (the Windows flaw known as Follina) and CVE-2022-42475 and CVE-2022-41328 (both in Fortinet products). Two zero-days were attributed to state-sponsored actors linked to North Korea and two to Russia. Three were exploited by commercial spyware vendors such as Candiru and Variston, and one flaw was seen being exploited by Chinese and Russian actors as well as by spyware vendors.
Four of the 2022 zero-days were likely exploited by financially motivated threat actors, including CVE-2022-29499 (by the Lorenz ransomware group) and CVE-2022-41091 and CVE-2022-44698 (by Magniber ransomware). By vendor, 18 of the 55 zero-days affected Microsoft products, 10 affected Google products and 9 were found in Apple products. Other affected vendors included Fortinet, Mozilla, Sophos, Trend Micro, Zimbra, Adobe, Atlassian, Cisco, Mitel, SolarWinds, Zoho, QNAP and Citrix. By product type, 19 flaws affected desktop operating systems, followed by browsers (11), security, IT and network management products (10) and mobile operating systems (6).
Mandiant noted, “Almost all 2022 zero-day vulnerabilities (53) were exploited for the purpose of achieving either (primarily remote) code execution or gaining elevated privileges, both of which are consistent with most threat actor objectives.” The full Mandiant report provides additional detail, including a discussion of why temporary workarounds can cause defender fatigue.