
Enterprise Security In The Crosshairs: Google Reveals Key Zero-Day Exploitation Trends For 2024
The Google Threat Intelligence Group (GTIG) has released its latest annual analysis of zero-day vulnerabilities, revealing a shift in cybercriminal focus toward enterprise technologies, while overall zero-day exploitation remains on an upward trend.
In its report 'Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis,' GTIG tracked 75 zero-day vulnerabilities that were exploited in the wild last year. While that figure marks a decrease from 98 in 2023, it remains higher than the 63 vulnerabilities recorded in 2022—continuing a four-year trend of gradual growth.
A zero-day is defined as a software vulnerability that is exploited before the affected vendor has released a patch. These flaws are highly sought after by both nation-state actors and financially motivated cybercriminals due to the stealth and system access they can provide.
Enterprise Tech in the Firing Line
In a notable shift, 2024 saw a significant increase in zero-day exploitation targeting enterprise-focused technologies. These include security software, network appliances, and business infrastructure tools. GTIG found that 44% of all tracked zero-days in 2024 targeted enterprise technologies—up from 37% in 2023.
'Security and networking products are emerging as prime targets because of the far-reaching access they offer,' the report states. Twenty of the 33 enterprise-focused vulnerabilities identified in 2024 were in these categories, including widely used platforms from Ivanti, Palo Alto Networks, and Cisco.
While the absolute number of exploited enterprise vulnerabilities dropped slightly from the previous year, the proportional increase signals a deeper trend: attackers are prioritising systems that offer expansive access and limited monitoring. Edge appliances such as VPN gateways, firewalls and management consoles typically cannot run endpoint detection and response (EDR) agents, log little of what happens on the device itself, and sit at a trust boundary, so a single exploit can yield credentials, traffic and a foothold into the internal network with little chance of being observed.
Browsers and Mobiles See Decline
In contrast, the report observed a marked decrease in zero-day exploitation of browsers and mobile devices—down by about one-third and one-half respectively. Exploitation of the Chrome browser remained most common among end-user platforms, with Android devices continuing to be compromised via flaws in third-party components.
Microsoft Windows saw a continued rise in exploitation, with 22 zero-days tracked in 2024, compared to 16 in 2023 and 13 in 2022. GTIG anticipates that Windows will remain a persistent target due to its dominance across home and professional environments.
Espionage Remains a Driving Force
Of the 75 zero-day vulnerabilities tracked, GTIG was able to attribute 34 to specific threat actors. Over half of these (18 vulnerabilities) were tied to espionage operations—either from nation-state groups or clients of commercial surveillance vendors (CSVs). Chinese-backed groups were linked to five exploits, focusing almost exclusively on security and network devices, while North Korean actors matched that number for the first time, combining espionage with financially motivated campaigns.
Meanwhile, forensic surveillance tools developed by vendors such as Cellebrite were linked to chains of zero-day exploits requiring physical access to mobile devices, reinforcing concerns around the misuse of commercial spyware technologies.
Financial Motivation Still Present
Although espionage operations dominate attribution, financially driven actors also played a notable role. Groups such as the suspected FIN11 cluster were linked to multiple attacks on enterprise file transfer systems, using zero-days to conduct data theft and extortion.
A Call for Greater Vendor Vigilance
While some historically popular targets saw fewer attacks in 2024, the report emphasises that this is not necessarily a sign of safety. Rather, it may reflect the growing effectiveness of vendor mitigation strategies, and a redirection of attacker focus to areas with less robust defences.
'Attackers continue to exploit well-known classes of vulnerabilities—such as command injection, use-after-free, and cross-site scripting—highlighting the need for stronger coding standards and preventative practices,' GTIG said.
With enterprise vendors now more frequently in the crosshairs, Google urges all technology providers to evolve their security postures, especially those offering products that serve as central infrastructure within business environments.
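The bug classes GTIG names above (command injection, use-after-free, cross-site scripting) are decades old, and command injection in particular keeps surfacing in the web management interfaces of the network and security appliances the report singles out. The following Python snippet is an added illustration, not code from the GTIG report or from any vendor named in this article: it contrasts a hypothetical "ping this host" diagnostic handler that builds a shell command by string interpolation with a hardened version that validates the input and never hands it to a shell. The function names, the restriction to IP addresses and the two sample inputs are assumptions made for the example.

```python
import ipaddress
import shlex
import subprocess

# Constructed sample inputs for the example (not from the report): the first is
# what an operator would type into a "ping host" diagnostic page; the second is
# the same value with a shell command appended after a ';' separator.
BENIGN_INPUT = "192.0.2.10"
HOSTILE_INPUT = "192.0.2.10; id > /tmp/pwned"

# Tokens a POSIX shell treats as command separators.
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def build_ping_command_vulnerable(host: str) -> str:
    """Vulnerable pattern (hypothetical appliance handler): the untrusted value
    is pasted into a command line that is later run with shell=True, so any
    shell metacharacter in 'host' changes what gets executed."""
    return f"ping -c 1 {host}"


def build_ping_command_hardened(host: str) -> list:
    """Hardened pattern: accept only what the feature needs (an IP address),
    and return an argument list so no shell ever parses the value."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError as exc:
        raise ValueError(f"rejected host argument: {host!r}") from exc
    # '--' stops ping from treating a value such as '-f' as an option.
    return ["ping", "-c", "1", "--", str(addr)]


def shell_command_count(cmdline: str) -> int:
    """Tokenise 'cmdline' the way a POSIX shell would and count the commands it
    contains. Anything above 1 means the input smuggled in an extra command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    tokens = list(lexer)
    return 1 + sum(1 for tok in tokens if tok in SHELL_SEPARATORS)


def run_hardened_ping(host: str) -> subprocess.CompletedProcess:
    """How the hardened form is invoked: an argv list and no shell, so the
    validated address reaches ping as exactly one argument."""
    return subprocess.run(build_ping_command_hardened(host),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for label, value in (("benign", BENIGN_INPUT), ("hostile", HOSTILE_INPUT)):
        vuln = build_ping_command_vulnerable(value)
        print(f"{label}: vulnerable form would run {shell_command_count(vuln)} command(s): {vuln!r}")
        try:
            print(f"{label}: hardened form argv = {build_ping_command_hardened(value)}")
        except ValueError as err:
            print(f"{label}: hardened form -> {err}")
```

The vulnerable builder is never executed here; `shell_command_count` only shows what a shell would make of the line, which is enough to see that the hostile input turns one command into two. Restricting the field to IP addresses is a design choice for the example; where a feature genuinely needs hostnames, the same two rules still apply: validate against a strict allowlist pattern, and pass the value as one element of an argv list rather than through a shell.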
The full report, including in-depth technical analysis and recommendations for defenders, is available on the Google Threat Intelligence blog. A companion webinar is scheduled for later this month, offering further insight into these findings.
Related Articles


Scoop, 2 days ago
UNC6040 Hacks Salesforce Via Vishing And Malicious Data Loader Apps, Google Warns
Press Release – Google Threat Intelligence Group (GTIG)

A new Google Cloud Threat Intelligence report has revealed a sophisticated vishing campaign targeting Salesforce environments, enabling large-scale data theft and extortion. The operation, attributed to threat cluster UNC6040, leverages modified versions of Salesforce's Data Loader and malicious connected apps to compromise organisations, without exploiting any Salesforce vulnerabilities.

According to Google, attackers impersonate IT support on live calls, directing users to approve unauthorised Data Loader apps via Salesforce's connected app interface. These apps, often disguised with innocuous names like 'My Ticket Portal,' grant direct access to sensitive CRM data. No Salesforce systems are compromised in the attacks; the actors exploit end-user trust and then use the resulting access to reach other systems.

Once initial access is secured, attackers use harvested credentials to move laterally into platforms such as Okta and Microsoft 365. In some cases, exfiltration went undetected for months before extortion attempts occurred, sometimes under the banner of groups like ShinyHunters. UNC6040's infrastructure included Okta phishing panels and commercial VPN services such as Mullvad. The group's techniques overlap with those seen in campaigns linked to 'The Com', a loosely affiliated cybercriminal collective.

GTIG advises defenders to implement strict access controls, limit API privileges, and use Salesforce Shield for anomaly detection. IP-based restrictions and rigorous connected-app allowlisting are also critical, given the threat actors' reliance on human manipulation rather than technical exploits.

'This campaign demonstrates how modern attackers exploit trust and routine admin functions to bypass even hardened cloud environments,' GTIG noted.



Techday NZ, 3 days ago
Study finds 84% of severe cyber incidents use LOTL methods
Bitdefender has released new research analysing 700,000 cybersecurity incidents to better understand the use of so-called 'living off the land' techniques (LOTL) by cybercriminals. LOTL techniques involve attackers exploiting commonly used applications and utilities already present in target environments, making them particularly difficult to identify and prevent using conventional security measures.

According to the data collected by Bitdefender Labs, 84 per cent of major security incidents – defined as those with high severity – involved the use of LOTL binaries. This figure was corroborated by managed detection and response (MDR) data, which indicated that 85 per cent of incidents employed LOTL methods.

The research specifically highlights how attackers leverage widely used backend tools like PowerShell, a Microsoft Windows command-line shell and scripting language, and Netsh, a network configuration utility. The most frequently abused tool was found to be appearing in one-third of major attacks.

Bitdefender's team of several hundred security researchers conducted this foundational study as part of the development of GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology. The company is sharing these initial findings in advance of a more comprehensive report.

"Attackers are demonstrably successful in evading traditional defences by expertly manipulating the very system utilities we trust and rely on daily – and threat actors operate with a confident assertion of undetectability. This stark reality demands a fundamental shift towards security solutions like Bitdefender's PHASR, which moves beyond blunt blocking to discern and neutralise malicious intent within these tools," the report stated.

The use of well-known tools such as and was common among both administrators and attackers. Notably, prevalence among attackers was unexpected compared to its more typical use by administrators for network management, firewall configuration, and routing.

Other tools often targeted by attackers include used to query and modify Windows registry entries; the Microsoft C# Compiler; and which loads and executes functions from DLL files, frequently facilitating DLL sideloading attacks. Some tools, such as and were found to be used often by threat actors but rarely by administrators, presenting an additional challenge for traditional security monitoring, which tends to focus on more familiar administration tools.

The research also identified a subset of tools primarily used by developers, such as and that are less recognised by security monitoring systems focused only on administration binaries. Their legitimate use in development environments allows them to evade detection more easily.

Analysis also revealed that PowerShell was not used solely by administrators. The study found that 96 per cent of organisations in the dataset legitimately utilise PowerShell, with activity detected on 73 per cent of endpoints. Many third-party applications were discovered invoking PowerShell code without any visible interface, blurring the distinction between routine and potentially malicious use. A similar pattern was found with an older management tool now largely superseded by PowerShell but still in use by third-party applications to gather system information, despite its planned deprecation by Microsoft.

Geographical comparisons demonstrated varying patterns in tool usage. In the Asia-Pacific (APAC) region, PowerShell was present in only 53.3 per cent of organisations studied, contrasting with a rate of 97.3 per cent in the Europe-Middle East-Africa (EMEA) region. Conversely, use of was higher in APAC compared with other regions. The report noted the significance of such differences. It said, "This underscores the importance of nuanced understanding, as even tools appearing outdated or unused can be critical for specific functions and disabling them can cause unforeseen disruptions."

The findings directly informed the design of Bitdefender's PHASR technology, which adopts a targeted, behaviour-based approach to endpoint security. Rather than indiscriminately blocking entire utilities, PHASR analyses the actions performed within tools like or and allows or blocks specific behaviours based on baseline use and known malicious patterns. The report detailed PHASR's methodology: the technology monitors typical user and application behaviour on each endpoint, comparing ongoing activity with patterns characteristic of cyberattacks. This allows for proactive blocking of suspicious actions without impeding legitimate business operations or requiring constant policy updates.

Highlighting the threat posed by the use of trusted tools, the report quoted the leader of the BlackBasta ransomware group, known as 'gg': "If we use standard utilities, we won't be detected... We never drop tools on machines." Referring to this observation, the report stated, "The staggering 84 per cent prevalence of Living off the Land (LOTL) techniques in major attacks directly validates this adversary perspective."

The assessment of the ongoing challenge provided by these techniques was summarised as, "Attackers are demonstrably successful in evading traditional defences by expertly manipulating the very system utilities we trust and rely on daily – and threat actors operate with a confident assertion of undetectability." "This stark reality demands a fundamental shift towards security solutions like Bitdefender's PHASR, which moves beyond blunt blocking to discern and neutralise malicious intent within these tools."