Nation-State Threat Actors Exploited Zero Days The Most In 2022

Threat groups with ties to nation-states were the driving force behind exploiting zero-day vulnerabilities last year, according to a new report by cybersecurity firm Mandiant.

Cyberespionage groups linked to China were responsible for over 50% of the exploits in 2022 that the firm said it could confidently track to 13 advanced persistent threat groups (APTs), followed by Russia and North Korea. Overall, groups with links to nation-states accounted for 80% of the zero-day exploits.

Groups with ties to China led the pack with seven known vulnerabilities exploited last year, with Russia and North Korea tied with two each. Four zero-days were tied to financially motivated actors, with 75% likely performed by ransomware groups.

The total number of 55 zero-day vulnerabilities exploited last year is down 26 from the record 81 Mandiant tracked in 2021, but that figure is still triple the 2020 total.

Mandiant considers a vulnerability to be a zero-day if it was exploited in the wild before a patch was made publicly available. The report examined zero-day events identified by Mandiant, combined with reporting from open sources.

Mandiant researchers highlighted three Chinese-linked APT campaigns exploiting the Follina vulnerability (CVE-2022-30190), as well as FortiOS vulnerabilities (CVE-2022-42475 and CVE-2022-41328) for their focus on enterprise networking and security devices.

Because of their ubiquity, zero-days in Microsoft, Google and Apple products were used the most to gain elevated privileges or achieve remote code execution (RCE). Microsoft vulnerabilities led the pack with 18, followed by Google (10 vulnerabilities) and Apple (9 vulnerabilities).

Operating systems (OS) were the most exploited products at 19; followed by browsers (11); security, IT and network management products (10); and mobile OS (6).

Devices running Windows were by far the most exploited OS with 15 vulnerabilities, followed by Apple’s macOS with four. Google’s Chrome browser was the most exploited with nine of the 11 browser vulnerabilities.