A new Google report reveals a record high of 48% of tracked zero-day vulnerabilities in 2023 targeted enterprise technologies, with half of those exploiting the security and networking devices designed to protect corporate networks. Hackers frequently targeted products from vendors like Cisco, Fortinet, Ivanti, and VMware, exploiting common flaws to breach defenses.
The remaining enterprise zero-days involved other software, such as Oracle's E-Business Suite, which was exploited in a campaign stealing HR data from major organizations. The other 52% of zero-days affected consumer products from companies like Microsoft, Google, and Apple, primarily in operating systems.
The report also noted a shift, with more zero-days attributed to commercial surveillance vendors selling hacking tools to governments than to traditional state-backed espionage groups.
A new report by Google found that about half of the zero-day bugs it tracked last year exploited enterprise devices, marking a new high for hackers who are increasingly finding new ways to target large companies and steal their data.
According to the search and security giant’s annual report, 48% of the tracked zero-days — vulnerabilities in software that are unknown to its maker at the time they are exploited — were found in technologies used by corporations and large businesses. About half of those zero-days exploited the very devices that are designed to protect enterprise networks from digital intruders.
Google said security and networking devices, such as firewalls made by Cisco and Fortinet, and VPN and virtualization platforms from Ivanti and VMware, were among the top targeted products last year. All four of the companies have said that hackers exploited their products on customer networks in recent months.
Google’s researchers said that hackers exploited common classes of flaws, such as insufficient input validation and incomplete authorization checks, to break through firewall and VPN defenses and gain access to customer networks. These classes of bugs are generally easier to exploit, but typically require a software update from the vendor to fix.
The company also pointed to other buggy software that makes up the remaining half of enterprise zero-days. Google noted the Clop extortion gang’s campaign against Oracle E-Business Suite customers, which allowed hackers to walk away with reams of human resources data from dozens of companies about their staff and executives. The hacks affected Harvard University, the American Airlines subsidiary Envoy, and The Washington Post, among others.
The remaining 52% of zero-day bugs were found in consumer and end-user products, such as those made by Microsoft, Google, and Apple, according to the report. Most of the zero-days in consumer software were found in operating systems, with mobile devices also seeing more zero-days than in previous years.
Google said it also attributed more zero-days to surveillance vendors than to traditional government-backed espionage groups. Surveillance vendors are typically spyware makers and exploit developers that work on behalf of governments to hack into people’s phones. Google said this shift demonstrated “a slow but sure movement in the landscape” in how governments seek access to hacking tools.