Enterprise Security In The Crosshairs: Google Reveals Key Zero-Day Exploitation Trends For 2024
The Google Threat Intelligence Group (GTIG) has released its latest annual analysis of zero-day vulnerabilities, revealing a shift in cybercriminal focus toward enterprise technologies, while overall zero-day exploitation remains on an upward trend.
In its report “Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis,” GTIG tracked 75 zero-day vulnerabilities that were exploited in the wild last year. While that figure marks a decrease from 98 in 2023, it remains higher than the 63 vulnerabilities recorded in 2022—continuing a four-year trend of gradual growth.
A zero-day is defined as a software vulnerability that is exploited before the affected vendor has released a patch. These flaws are highly sought after by both nation-state actors and financially motivated cybercriminals due to the stealth and system access they can provide.
Enterprise Tech in the Firing Line
In a notable shift, a significantly larger share of zero-day exploitation in 2024 targeted enterprise-focused technologies, including security software, network appliances, and business infrastructure tools. GTIG found that 44% of all tracked zero-days in 2024 targeted enterprise technologies, up from 37% in 2023.
“Security and networking products are emerging as prime targets because of the far-reaching access they offer,” the report states. Twenty of the 33 enterprise-focused vulnerabilities identified in 2024 were in these categories, including widely used platforms from Ivanti, Palo Alto Networks, and Cisco.
While the absolute number of exploited enterprise vulnerabilities dropped slightly from the previous year, the proportional increase signals a deeper trend: attackers are prioritising systems that offer expansive access and limited monitoring, particularly where endpoint detection tools may not be effective.
Browsers and Mobiles See Decline
In contrast, the report observed a marked decrease in zero-day exploitation of browsers and mobile devices, down by about one-third and one-half, respectively. Exploitation of the Chrome browser remained most common among end-user platforms, with Android devices continuing to be compromised via flaws in third-party components.
Microsoft Windows saw a continued rise in exploitation, with 22 zero-days tracked in 2024, compared to 16 in 2023 and 13 in 2022. GTIG anticipates that Windows will remain a persistent target due to its dominance across home and professional environments.
Espionage Remains a Driving Force
Of the 75 zero-day vulnerabilities tracked, GTIG was able to attribute 34 to specific threat actors. Over half of these (18 vulnerabilities) were tied to espionage operations—either from nation-state groups or clients of commercial surveillance vendors (CSVs). Chinese-backed groups were linked to five exploits, focusing almost exclusively on security and network devices, while North Korean actors matched that number for the first time, combining espionage with financially motivated campaigns.
Meanwhile, forensic surveillance tools developed by vendors such as Cellebrite were linked to chains of zero-day exploits requiring physical access to mobile devices, reinforcing concerns around the misuse of commercial spyware technologies.
Financial Motivation Still Present
Although espionage operations dominate attribution, financially driven actors also played a notable role. Groups such as the suspected FIN11 cluster were linked to multiple attacks on enterprise file transfer systems, using zero-days to conduct data theft and extortion.
A Call for Greater Vendor Vigilance
While some historically popular targets saw fewer attacks in 2024, the report emphasises that this is not necessarily a sign of safety. Rather, it may reflect the growing effectiveness of vendor mitigation strategies, and a redirection of attacker focus to areas with less robust defences.
“Attackers continue to exploit well-known classes of vulnerabilities—such as command injection, use-after-free, and cross-site scripting—highlighting the need for stronger coding standards and preventative practices,” GTIG said.
With enterprise vendors now more frequently in the crosshairs, Google urges all technology providers to evolve their security postures, especially those offering products that serve as central infrastructure within business environments.
The full report, including in-depth technical analysis and recommendations for defenders, is available on the Google Threat Intelligence blog. A companion webinar is scheduled for later this month, offering further insight into these findings.