In 2021, Mandiant Threat Intelligence identified 80 zero-days exploited in the wild, which is more than double the previous record volume in 2019. State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups. The proportion of financially motivated actors—particularly ransomware groups—deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated. Threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors. The vast increase in zero-day exploitation in 2021, as well as the diversification of actors using them, expands the risk portfolio for organizations in nearly every industry sector and geography, particularly those that rely on these popular systems.

Scope Note

Mandiant analyzed more than 200 zero-day vulnerabilities that we identified as exploited in the wild from 2012 to 2021. Mandiant considers a zero-day to be a vulnerability that was exploited in the wild before a patch was made publicly available. We examined zero-day exploitation identified in Mandiant original research, breach investigation findings, and open sources, focusing on zero-days exploited by named groups. While we believe these sources are reliable as used in this analysis, we cannot confirm the findings of some sources. Due to the ongoing discovery of past incidents through digital forensic investigations, we expect that this research will remain dynamic and may be supplemented in the future.

Zero-Day Exploitation Reaches All-Time High in 2021

Zero-day exploitation increased from 2012 to 2021, as shown in Figure 1, and Mandiant Threat Intelligence expects the number of zero-days exploited per year to continue to grow. By the end of 2021, we identified 80 zero-days exploited in the wild, which is more than double the previous record of 32 in 2019.

We suggest that a number of factors contribute to growth in the quantity of zero-days exploited. For example, the continued move toward cloud hosting, mobile, and Internet-of-Things (IoT) technologies increases the volume and complexity of systems and devices connected to the internet—put simply, more software leads to more software flaws. The expansion of the exploit broker marketplace also likely contributes to this growth, with more resources being shifted toward research and development of zero-days, both by private companies and researchers, as well as threat groups. Finally, enhanced defenses also likely allow defenders to detect more zero-day exploitation now than in previous years, and more organizations have tightened security protocols to reduce compromises through other vectors.

State-Sponsored Groups Still Dominate, but Financially Motivated Zero-Day Exploitation Also Growing

State-sponsored espionage groups continue to be the primary actors exploiting zero-day vulnerabilities, although the proportion of financially motivated actors deploying zero-day exploits is growing (Figure 2). From 2014–2018, we observed only a small proportion of financially motivated actors exploit zero-day vulnerabilities, but by 2021, roughly one third of all identified actors exploiting zero-days were financially motivated. We also noted new threat clusters exploit zero-days, but we do not yet have sufficient information about some of these clusters to assess motivation.

Chinese Groups Consistently Lead State Zero-Day Exploitation

In line with our previous analysis, Mandiant identified the highest volume of zero-days exploited by suspected Chinese cyber espionage groups in 2021, and espionage actors from at least Russia and North Korea actively exploited zero-days in 2021 (Figure 3). From 2012 to 2021, China exploited more zero-days than any other nation. However, we observed an increase in the number of nations likely exploiting zero-days, particularly over the last several years, and at least 10 separate countries likely exploited zero-days since 2012.

• From January to March 2021, Mandiant observed multiple Chinese espionage activity clusters exploiting four zero-day Exchange server vulnerabilities collectively known as the ProxyLogon vulnerabilities. Microsoft described activity linked to this campaign as "Hafnium."
  • While some of the threat clusters involved appeared to carefully select targets, other clusters compromised tens of thousands of servers in virtually every vertical and region.
  • Chinese cyber espionage operations in 2020 and 2021 suggest that Beijing is no longer deterred by formal government statements and indictments from victimized countries. In addition to the resurgence of previously dormant cyber espionage groups indicted by the U.S. Department of Justice (DOJ), Chinese espionage groups have become increasingly brash.

In a sharp departure since 2016 and 2017, we did not identify any zero-days exploited by Russian GRU-sponsored APT28 until they likely exploited a zero-day in Microsoft Excel in late 2021. However, open-source reporting indicated that other Russian state-sponsored actors exploited several zero-days in 2020 and 2021, including during likely Russian TEMP.Isotope's activity possibly targeting critical infrastructure networks with a zero-day in a Sophos firewall product.

Third Party Vendors Grow into Significant Exploit Brokers

Since late 2017, Mandiant has noted a significant increase in the number of zero-days leveraged by groups that are known or suspected to be customers of private companies that supply offensive cyber tools and services.

• We identified at least six zero-day vulnerabilities actively exploited in 2021, potentially by customers of malware vendors, including one reportedly exploited in tools developed by two separate vendors. In 2021, at least five zero-day vulnerabilities were reportedly exploited by an Israeli commercial vendor.

Zero-Day Exploitation Linked to Ransomware Operations

Since 2015, we observed a sharp decline in zero-day vulnerabilities included in criminal exploit kits, likely due to several factors including the arrests of prominent exploit developers. However, as the criminal underground coalesced around ransomware operations, we observed an uptick in ransomware infections exploiting zero-day vulnerabilities since 2019. This trend may indicate that these sophisticated ransomware groups are beginning to recruit or purchase the requisite skills to exploit zero-days that may have been formerly developed for exploit kits.

Mandiant has documented significant growth in ransomware in terms of both quantity and impact. Substantial profits as well as the increasingly compartmentalized, outsourced, and professional ecosystem that supports ransomware have provided operators with two viable pathways to zero-day exploit development and/or acquisition: financial resources and actor sophistication.

• We observed at least two instances in which separate threat actors exploited flaws in separate VPN appliances to obtain access to the victim networks and subsequently deploy ransomware in 2021.

Popular Vendors Are Popular Targets for Zero-Day Exploitation

We analyzed zero-days from 12 separate vendors in 2021, with vulnerabilities in Microsoft, Apple, and Google products comprising 75% of total zero-day vulnerabilities (Figure 4), likely as a result of the popularity of these products among enterprises and users across the globe. The threat from exploitation of these major providers remains significant, given their prevalence. In addition, we noted a growing variety in vendors being targeted, which can complicate patch prioritization and make it more difficult for organizations who can no longer focus on just one or two vendors as priorities.

From 2012 to 2017, Adobe was the second most exploited vendor, with nearly 20% of all zero-days exploiting Adobe Flash alone. We observed a significant drop in Adobe exploitation since then, almost certainly fueled by Flash's end-of-life.

Outlook

We suggest that significant campaigns based on zero-day exploitation are increasingly accessible to a wider variety of state-sponsored and financially motivated actors, including as a result of the proliferation of vendors selling exploits and sophisticated ransomware operations potentially developing custom exploits. The marked increase in exploitation of zero-day vulnerabilities, particularly in 2021, expands the risk portfolio for organizations in nearly every industry sector and geography. While exploitation peaked in 2021, there are indications that the pace of exploitation of new zero-days slowed in the latter half of the year; however, zero-day exploitation is still occurring at an elevated rate compared to previous years.

Implications for Patch Prioritization

Many organizations continue to struggle to effectively prioritize patching to minimize exploitation risks. We believe it is important for organizations to build a defensive strategy that prioritizes the types of threats that are most likely to impact their environment and the threats that could cause the most damage, starting with the relatively fewer amount of actively exploited vulnerabilities. When organizations have a clear picture of the spectrum of threat actors, malware families, campaigns, and tactics that are most relevant to their organization, they can make more nuanced prioritization decisions when those threats are linked to active exploitation of vulnerabilities. A lower risk vulnerability that is actively being exploited in the wild against your organization or similar organizations likely has a greater potential impact to you than a vulnerability with a higher rating that is not actively being exploited. A new CISA directive places a significant focus on those vulnerabilities that are reportedly actively exploited; we believe this will help increase the security posture and strengthen the patch management procedures.

While zero-day exploitation is expanding, malicious actors also continue to leverage known vulnerabilities, often soon after they have been disclosed. Therefore, security may be improved by continuing to incorporate lessons from past targeting and an understanding of the standard window between disclosure and exploitation. Furthermore, even if an organization is unable to apply the mitigations before targeting occurs, it can still provide further insight into the urgency with which these systems need to be patched. Delays in patching only compound the risk that an organization supporting unpatched or unmitigated software will be affected.

Acknowledgements

This research drew on the expertise of many collaborators across Mandiant, including the excellent work from Mandiant's Vulnerability & Exploitation Team. Special thanks to Kelli Vanderlee, Jared Semrau, Bavi Sadayappan, and Sean Fahey for their contributions to this analysis.