Tax money finances attacks with Zerodays

Two thirds of successful Zeroday attacks on ICT in 2025 originated from government institutions, says Google.

T-shirt printed with "All you need is love, all you get is 0day"

(Image: Daniel AJ Sokolov)


The secret discovery and exploitation of zero-day vulnerabilities is predominantly financed by taxpayers' money. This is suggested by an annual analysis by the Google Threat Intelligence Group (GTIG), which attributes two thirds of all actively exploited 0days in 2024 to state actors.

Zeroday (also 0day) refers to particularly dangerous security vulnerabilities: they are exploited before the manufacturer of the attacked IT product even knows that it has a security problem. Accordingly, there are no updates to plug the hole. A second advantage for attackers is that they can often establish a long-term foothold in the victim's systems.

Information about such loopholes is therefore worth a lot of money on the black market, which has resulted in an unsavory industry of 0day providers. They apparently live mainly from taxpayers' money and therefore have little fear of prosecution.

In 2024, the GTIG tracked down 75 actively exploited zerodays. Although this is fewer than the 98 in 2023, it is more than the average for the five years 2019 to 2023 (63.6). The trend therefore remains upwards. Google's experts were able to identify the organizations behind 34 of the 75 0days with a high degree of probability. This is according to the annual report published on Tuesday.


It says that ten of the 34 were used directly for state espionage, half of them by the People's Republic of China. Russia, South Korea and three other intelligence services of unknown or unnamed provenance complete the ten. In addition, there are five more 0days that were used by North Korea, where financial theft ranks at least on a par with espionage as a motive.

The GTIG was able to trace a further eight Zerodays back to commercial providers who, by their own account, sell exclusively to governments. This makes a total of 23 Zerodays, i.e., more than two thirds of the 34 whose operators the GTIG has tracked down. It also mentions two cases of Russian perpetrators who are not part of the state and have turned to crime out of greed, but who also engage in espionage activities. Such perpetrators can generally operate from Russia unmolested as long as they do not attack domestic targets. The GTIG assigns only five of the 34 attributed 0days to non-state criminals with financial motives, the remaining four to other perpetrators.

Just over half of the successful 0day attacks investigated in 2024, 42 in all, targeted ICT products used by consumers daily, in particular Microsoft Windows. However, successful 0day attacks on applications commonly used by larger businesses are catching up, with entry points particularly in network products and, ironically, security software: specifically Ivanti Cloud Services Appliance, Palo Alto Networks PAN-OS, Cisco Adaptive Security Appliance and Ivanti Connect Secure VPN.

Skilled attackers can even combine several 0days for one attack. In fact, this effort is used almost exclusively for attacks on iOS and Android. The GTIG interprets this as proof that these operating systems are particularly difficult to crack.

There were only two successful 0day attacks on iOS (after nine in 2023) and seven on Android, as before. However, five of these were achieved through third-party software installed on the respective Android devices, not through direct attacks on the operating system itself. There is also good news for Apple users regarding browsers: After eleven 0days in 2023, the GTIG identified only three for Safari in 2024.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.