Experts found a record number of zero-day hacks in 2021 – Digital Technology Channels Press "Enter" to skip to content

Experts found a record number of zero-day hacks in 2021

Google has published the 2021 review of Project Zero, revealing a record amount of zero-days exploits (labeled as “one of the most advanced attack methods”) exhibited by some of the world’s largest technology companies.

Project Zero is an initiative started by Google in 2014 aimed at detailing security defects known as zero-day exploits. These vulnerabilities are dangerous as they essentially remain undetected unless a mitigation system has been implemented, thus leaving systems, databases, and the like completely exposed to hackers.

Digital Trends Graphic

The end-of-year report for 2021 confirmed that 58 zero-day exploits were discovered. That’s the highest amount detected since Project Zero’s inception — 2015 was the previous record holder with a total of 28 digital exploits.

Comparatively, at the height of the pandemic that saw hackers intensify their efforts in malicious cybercrime activity, Google’s security team disclosed 25 security flaws during 2020.

Google stressed that the record 58 zero-day exploits that were publicly detailed aren’t necessarily an indication of “increased usage of zero-day exploits.” On the contrary, the company ascribes it to the “increased detection and disclosure of these zero-days.”

The report’s first zero-day exploit that was analyzed involved Google’s very own Chromium, which provides the open-source code for its Chrome browser.

Chromium saw a record high 14 zero-day bugs. Among the exploits were 10 remote code execution bugs, 2 sandbox escapes, and 1 infoleak. The final zero-day bug resulted in hackers attempting to open a webpage in Android-based apps instead of Chrome.

Elsewhere, seven Android zero-days were identified — quite a big jump from the single exploit found in 2019, which incidentally was the only other discovery by the Project Zero team pertaining to Google’s mobile operating system.

Apple, iOS, MacOS, and Windows

Google also mentioned WebKit, which is Apple’s web browser engine that powers Safari. According to Google, before 2021, Apple only revealed one public zero-day exploit that was designed to infiltrate WebKit/Safari. Even then, the disclosure materialized via a third-party researcher’s study.

However, in 2021, there were seven zero-days associated with Apple’s web browser, four of which were involved Safari’s Javascript Engine component.

Breaking away from the technology giant’s previously secretive nature when it came to detailing 0-day exploits, “2021 was the first full year that Apple annotated their release notes with in the wild status of vulnerabilities.”

To this end, five iOS zero-days were confirmed by Apple, while the first publicly discovered MacOS zero-day was uncovered as well.

Apple places huge importance on its security measures for iOS and Mac-based systems. After all, it gave a student $100,000 for hacking the latter.

As for Microsoft, Google detailed 10 Windows zero-days that targeted seven separate elements, including Enhanced crypto provider (no surprise there, of course), NTOS kernel, and Win32k.

“Windows is the platform where we’ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and predicted with the end-of-life of Windows 7 in 2020 and thus why it’s still not especially novel,” Google said.

Windows 11 was also subjected to a zero-day hack after its launch. Microsoft, however, doesn’t pay as handsomely as Apple when it comes to bug discoveries in some cases: Payouts have apparently been reduced to $1,000 from $10,000.

Furthermore, during 2021, five zero-days connected to Microsoft Exchange Server were found. “This is the first time any Exchange Server in the wild zero-days have been detected and disclosed since we began tracking in the wild zero-days,” the report added.

Hackers stick to tried-and-tested methods

Within the report’s New Year, Old Techniques section, Google emphasized that despite the record number of “data points” in 2021 “to understand how attackers are actually using zero-day exploits,” it was actually surprised that it recognized all that data — “there was nothing new.”

About 67% of the 58 zero-day exploits were memory corruption vulnerabilities. Google said this shouldn’t come as too much of a surprise when you consider the fact that this specific category is the go-to method for finding a way into software “for the last few decades,” and it’s largely the reason attackers continue to successfully gain access to its targets.

Google capped its report with a statement on the impact of zero-day exploits and the consequences of a successful attack.

With the world becoming more digital and technology-driven than ever before, cybercriminals are making billions of dollars by exploiting individuals.

With an increase in cyber crime across the board, nearly $7 billion was stolen from people last year, which is largely attributed to certain crime types such as personal data breach (clean up your passwords) and ransomware.

Be First to Comment

Leave a Reply

Your email address will not be published.