Google has published the 2021 review of Project Zero, revealing a record amount of zero-days exploits (labeled as “one of the most advanced attack methods”) exhibited by some of the world’s largest technology companies.
Project Zero is an initiative started by Google in 2014 aimed at detailing security defects known as zero-day exploits. These vulnerabilities are dangerous as they essentially remain undetected unless a mitigation system has been implemented, thus leaving systems, databases, and the like completely exposed to hackers.
The end-of-year report for 2021 confirmed that 58 zero-day exploits were discovered. That’s the highest amount detected since Project Zero’s inception — 2015 was the previous record holder with a total of 28 digital exploits.
Comparatively, at the height of the pandemic that saw hackers intensify their efforts in malicious cybercrime activity, Google’s security team disclosed 25 security flaws during 2020.
Google stressed that the record 58 zero-day exploits that were publicly detailed aren’t necessarily an indication of “increased usage of zero-day exploits.” On the contrary, the company ascribes it to the “increased detection and disclosure of these zero-days.”
“It’s highly likely that in 2021, there were other zero-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in the wild. Until we’re confident that all vendors are transparently disclosing in the wild status, there’s a big question of how many in the wild zero-days are discovered, but not labeled publicly by vendors.”
The report’s first zero-day exploit that was analyzed involved Google’s very own Chromium, which provides the open-source code for its Chrome browser.
Chromium saw a record high 14 zero-day bugs. Among the exploits were 10 remote code execution bugs, 2 sandbox escapes, and 1 infoleak. The final zero-day bug resulted in hackers attempting to open a webpage in Android-based apps instead of Chrome.
Elsewhere, seven Android zero-days were identified — quite a big jump from the single exploit found in 2019, which incidentally was the only other discovery by the Project Zero team pertaining to Google’s mobile operating system.
Apple, iOS, MacOS, and Windows
Google also mentioned WebKit, which is Apple’s web browser engine that powers Safari. According to Google, before 2021, Apple only revealed one public zero-day exploit that was designed to infiltrate WebKit/Safari. Even then, the disclosure materialized via a third-party researcher’s study.
However, in 2021, there were seven zero-days associated with Apple’s web browser, four of which were involved Safari’s Javascript Engine component.
Breaking away from the technology giant’s previously secretive nature when it came to detailing 0-day exploits, “2021 was the first full year that Apple annotated their release notes with in the wild status of vulnerabilities.”
To this end, five iOS zero-days were confirmed by Apple, while the first publicly discovered MacOS zero-day was uncovered as well.
Apple places huge importance on its security measures for iOS and Mac-based systems. After all, it gave a student $100,000 for hacking the latter.
As for Microsoft, Google detailed 10 Windows zero-days that targeted seven separate elements, including Enhanced crypto provider (no surprise there, of course), NTOS kernel, and Win32k.
“Windows is the platform where we’ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and predicted with the end-of-life of Windows 7 in 2020 and thus why it’s still not especially novel,” Google said.
Windows 11 was also subjected to a zero-day hack after its launch. Microsoft, however, doesn’t pay as handsomely as Apple when it comes to bug discoveries in some cases: Payouts have apparently been reduced to $1,000 from $10,000.
Furthermore, during 2021, five zero-days connected to Microsoft Exchange Server were found. “This is the first time any Exchange Server in the wild zero-days have been detected and disclosed since we began tracking in the wild zero-days,” the report added.
Hackers stick to tried-and-tested methods
Within the report’s New Year, Old Techniques section, Google emphasized that despite the record number of “data points” in 2021 “to understand how attackers are actually using zero-day exploits,” it was actually surprised that it recognized all that data — “there was nothing new.”
“Zero-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the zero-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit “shapes” previously seen in public research.
About 67% of the 58 zero-day exploits were memory corruption vulnerabilities. Google said this shouldn’t come as too much of a surprise when you consider the fact that this specific category is the go-to method for finding a way into software “for the last few decades,” and it’s largely the reason attackers continue to successfully gain access to its targets.
Google capped its report with a statement on the impact of zero-day exploits and the consequences of a successful attack.
“While the majority of people on the planet do not need to worry about their own personal risk of being targeted with zero-days, zero-day exploitation still affects us all. These zero-days tend to have an outsized impact on society, so we need to continue doing whatever we can to make it harder for attackers to be successful in these attacks. 2021 showed us we’re on the right track and making progress, but there’s plenty more to be done to make zero-day hard.”
With the world becoming more digital and technology-driven than ever before, cybercriminals are making billions of dollars by exploiting individuals.
With an increase in cyber crime across the board, nearly $7 billion was stolen from people last year, which is largely attributed to certain crime types such as personal data breach (clean up your passwords) and ransomware.