The number of zero-day exploit discoveries hit a record in 2021, according to Google Project Zero. Detected “in-the-wild 0-days” more than doubled versus 2020, when 25 0-day exploits were detected; in 2021 the total was 58.
Maddie Stone, Google Project Zero security researcher, noted that these figures count 0-day exploits that have been detected and disclosed as in-the-wild, not the total number of 0-day exploits actually used in-the-wild. In other words, Stone notes in a recent Project Zero update, “the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.”
Google reports that the detected exploits were on the whole similar to previous and publicly known vulnerabilities. Only two were markedly different, employing greater technical sophistication and logic bugs to “escape the sandbox.” These two unique exploits were part of FORCEDENTRY, a zero-click iMessage exploit attributed to an Israeli surveillanceware company.
The report classifies 39 of the 58 in-the-wild 0-days observed in 2021 as memory corruption vulnerabilities:
- 17 were use-after-free
- 6 were out-of-bounds read and write
- 4 were buffer overflow
- 4 were integer overflow
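The four classes in that breakdown each correspond to a missing check. As an added illustration (not code from Project Zero's report or from MixMode), the C below describes the vulnerable pattern for each class in a comment and implements the hardened form beneath it: an overflow-checked multiply for allocation sizes, a capacity-checked copy, a length-checked table read, and a release helper that nulls the caller's pointer. All function and type names (`checked_mul`, `bounded_copy`, `bounded_lookup`, `session_t`) are hypothetical.

```c
/* Hardened forms of the four memory-corruption classes counted above.
 * Each comment names the vulnerable pattern; the code is the check that
 * closes it. All names here are hypothetical (added example). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Integer overflow. Vulnerable pattern: malloc(count * elem_size) where the
 * product wraps, so the allocation is far smaller than what is later written
 * into it. Hardened form: detect the wrap before multiplying. */
bool checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) {
        return false;           /* product would wrap: refuse */
    }
    *out = a * b;
    return true;
}

/* Buffer overflow (out-of-bounds write). Vulnerable pattern:
 * memcpy(dst, src, src_len) with no comparison against the capacity of dst.
 * Hardened form: reject any copy longer than the destination can hold.
 * Returns bytes copied, or -1 when the copy would overflow dst. */
long bounded_copy(char *dst, size_t dst_cap, const char *src, size_t src_len) {
    if (dst == NULL || src == NULL || src_len > dst_cap) {
        return -1;
    }
    memcpy(dst, src, src_len);
    return (long)src_len;
}

/* Out-of-bounds read. Vulnerable pattern: table[idx] with an untrusted idx
 * and no length check, so adjacent memory is read back to the caller.
 * Hardened form: validate idx against len. Returns 0 on success, -1 if out
 * of range (value is left untouched). */
int bounded_lookup(const int *table, size_t len, size_t idx, int *value) {
    if (table == NULL || value == NULL || idx >= len) {
        return -1;
    }
    *value = table[idx];
    return 0;
}

/* Use-after-free. Vulnerable pattern: free(s) while another pointer still
 * refers to the object; later reads through that pointer hit memory already
 * reused for something else. Hardened form: release through the pointer's
 * address and null it, so a stale dereference faults deterministically
 * instead of silently reading reused memory. */
typedef struct {
    int id;
    char name[16];
} session_t;

session_t *session_new(int id, const char *name) {
    if (name == NULL) {
        return NULL;
    }
    session_t *s = calloc(1, sizeof *s);   /* zeroed: name stays NUL-terminated */
    if (s == NULL) {
        return NULL;
    }
    s->id = id;
    /* capacity is one less than the field so the terminator survives */
    if (bounded_copy(s->name, sizeof s->name - 1, name, strlen(name)) < 0) {
        free(s);
        return NULL;
    }
    return s;
}

/* Returns true if an object was actually freed; a second call on the same
 * (now NULL) pointer is a harmless no-op rather than a double free. */
bool session_release(session_t **s) {
    if (s == NULL || *s == NULL) {
        return false;
    }
    free(*s);
    *s = NULL;
    return true;
}

int main(void) {
    size_t n;
    session_t *s = session_new(1, "demo");
    int ok = checked_mul(SIZE_MAX, 2, &n) == false && s != NULL;
    session_release(&s);
    return ok && s == NULL ? 0 : 1;
}
```

The pattern to take from this is that each class is a single absent comparison: against `SIZE_MAX / a`, against `dst_cap`, against `len`, or against the lifetime of the object. Compilers and sanitizers (ASan, UBSan) catch many of these at test time, but the checks above are what keep the bug from existing at all.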
Project Zero’s latest findings also expose an unsettling gap: no in-the-wild 0-days were reported in messaging services like WhatsApp and Telegram, or in components like CPU cores, Wi-Fi chips and the cloud. Stone questions whether these specific 0-days are absent due to lack of detection, disclosure, or both. “As an industry, we’re not making 0-day hard,” she writes. “Attackers are having success using vulnerabilities similar to what we’ve seen previously and in components that have previously been discussed as attack surfaces.”
The goal, Stone writes, is to “force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method.”
Third-Wave AI vs. Zero-Day Attacks
The stark reality is that many of the systems protecting organizations today are based on legacy, rules-based, second-wave AI approaches that leave them vulnerable to dynamically changing attack signatures. It’s simply not possible to train a machine learning model to detect threats that don’t exist in the historical record. Ultimately, these security solutions block an excessive number of legitimate behaviors, reducing the ability of network users to perform their job functions.
MixMode utilizes a proprietary, third-wave AI approach capable of understanding changing environments based on contextual information. The platform can observe the totality of available information to detect unusual or anomalous behavior, reducing false positives and quickly surfacing and shutting down true threats.
MixMode is the ideal solution for thwarting modern security threats, including the exploits addressed in Google Project Zero’s latest report. Because the platform constantly adapts to new and changing network conditions, hackers have an incredibly complex challenge in trying to “trick” protected systems, including hackers using modern machine learning penetration models.