China Exploits Zero-Day Vulnerabilities

Chinese Hackers and Others Increasingly Favor Unpatched Vulnerabilities

According to security researchers, last year was another bonanza in zero-days for Chinese state hackers. They’re also predicting a permanent uptick in nation-state exploitation of yet-unpatched vulnerabilities. Data taken from original research by cybersecurity firm Mandiant and open-source reporting suggests zero-day exploitation fluctuates from year to year but is generally trending upward.

A report from the Google-owned threat intelligence company says 55 zero-day exploits were detected during 2022. That’s fewer than the 81 known zero-days spotted the year before but also a 200% increase compared to 2020.

Products from Microsoft, Google and Apple accounted for the majority of zero-days in 2022. The most exploited product types were operating systems, followed by web browsers; security, IT and network management products; and mobile operating systems.

Chinese state-sponsored groups were responsible for over half of the zero-days whose exploitation researchers could attribute. Chinese campaigns were notable for the involvement of “multiple groups, expansive targeting, and focus on enterprise networking and security devices.”

Mandiant says Chinese nation-state hackers used fewer zero-day exploits in 2022 than the year before, but Beijing’s growing capacity for identifying and exploiting unpatched vulnerabilities has caught the attention of multiple Western security researchers. CrowdStrike recently said Beijing is “up-leveling” its capabilities, while Microsoft has warned about possible stockpiling of zero-days by Beijing. Both firms trace China’s wealth of zero-days to a vulnerability disclosure requirement that took effect Sept. 1, 2021, as part of a larger Data Security Law tightening regulations around the processing of Chinese data.

Exploitation by more than one Chinese state hacking group of a particular zero-day, such as the belatedly patched Follina bug in Microsoft Office, suggests that Chinese state-hacking groups obtain tools from a centralized quartermaster, Mandiant says.

If you have questions about IT security and the changing threat landscape, call ITPAC today.