Google’s Mandiant security team has raised concerns about a troubling new trend in cybersecurity: hackers are getting better at finding and exploiting software flaws known as zero-day vulnerabilities. These types of attacks pose a serious threat because they target weaknesses in software that companies are unaware of, leaving no immediate way to fix the problem.
According to Google, in 2023, out of 138 security flaws that were actively exploited, 97 (roughly 70%) were zero-day vulnerabilities. This means hackers used these flaws before the software creators even knew they existed, let alone had a chance to correct them.
What Are Zero-Days and N-Days?
A “zero-day” vulnerability is a software flaw that the developer or company didn’t know about when the attack happened—meaning they had “zero days” to fix it. In contrast, an “n-day” vulnerability refers to a flaw that the developer already knows about and has provided a fix or patch for. Even though there’s a patch available, attackers might still target systems that haven’t yet applied the update.
For example, imagine a window in a building that has a crack. A zero-day attack is like a burglar finding the crack and breaking in before the owner even realizes the window is damaged. An n-day attack is like the burglar breaking in through the same crack after the owner has already issued replacement glass, because some residents still haven’t installed it.
Shifting Trends in Cyberattacks
From 2020 to 2022, the ratio between these two types of flaws being exploited stayed relatively stable, with n-day vulnerabilities making up 40% of the attacks and zero-days making up 60%. However, in 2023, there was a shift: 70% of the attacks focused on zero-day flaws, with only 30% targeting known issues that had already been patched.
Google believes this shift isn’t because attackers are ignoring known flaws but rather because they’re focusing more on zero-days, and security teams are getting better at identifying these hidden threats.
More Companies Affected in 2023
Another concerning sign is the increase in the number of companies targeted by these vulnerabilities. In 2023, 56 different software vendors were impacted by actively exploited flaws—a record high, compared to 44 companies in 2022 and 48 in 2021. This shows that hackers are not just focusing on a few major players but are spreading their attacks across a wider range of software products.
Time to Exploit (TTE) Shrinks
One of the biggest challenges for companies trying to defend themselves is the shrinking “Time to Exploit” (TTE)—the time it takes hackers to start exploiting a vulnerability after it’s discovered or disclosed. In 2023, this time frame dropped to just five days on average.
To put this into perspective, in 2018-2019, it took about 63 days for hackers to exploit a vulnerability, giving companies plenty of time to apply security patches or take steps to protect their systems. Even in 2021-2022, the TTE was around 32 days. But now, with only five days to respond, organizations must move much faster to protect themselves.
Because of this, security strategies that worked in the past, like simply applying patches as they’re released, are no longer enough. Companies now need more advanced defenses, like real-time threat detection, network segmentation (isolating different parts of their systems), and prioritizing the most urgent security updates.
Public Disclosure Doesn’t Always Mean Immediate Attacks
Interestingly, Google points out that there isn’t a clear link between when a vulnerability is publicly disclosed and when hackers start exploiting it. In 2023, 75% of vulnerabilities were made public before hackers began using them, while 25% were disclosed after the attacks had already started.
For instance, a flaw in a WordPress plugin (CVE-2023-28121) was disclosed three months before hackers began exploiting it, even though a proof-of-concept (code that shows how to exploit the flaw) had been shared 10 days before the first attack. On the other hand, in the case of a vulnerability in Fortinet’s FortiOS software (CVE-2023-27997), public exploits appeared immediately, but the first actual attack occurred only four months later.
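To make the zero-day/n-day definitions and the Time to Exploit figures above concrete, here is an added Python example (not code from Google’s report or from this article) that classifies vulnerability records as zero-day or n-day, computes TTE as the days between disclosure and first exploitation, and produces the shares the report quotes. All dates and the two EXAMPLE-* records are constructed to mirror the timelines described in the text; only the two CVE identifiers come from the article.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class VulnRecord:
    cve: str
    disclosed: date          # public disclosure of the flaw
    patched: date | None     # vendor fix available (None = no fix yet)
    poc_public: date | None  # public proof-of-concept, if any
    first_exploited: date    # first observed in-the-wild exploitation

def classify(v: VulnRecord) -> str:
    """Zero-day if exploited before a vendor fix existed, otherwise n-day."""
    if v.patched is None or v.first_exploited < v.patched:
        return "zero-day"
    return "n-day"

def time_to_exploit(v: VulnRecord) -> int:
    """Days from disclosure to first exploitation (negative: exploited first)."""
    return (v.first_exploited - v.disclosed).days

def summarize(records: list[VulnRecord]) -> dict:
    """Shares the report discusses: zero-day share, share disclosed before
    exploitation, and the average TTE over the disclosed-first cases."""
    n = len(records)
    zero_days = sum(1 for r in records if classify(r) == "zero-day")
    after = [t for t in map(time_to_exploit, records) if t >= 0]
    return {
        "zero_day_share": zero_days / n,
        "disclosed_first_share": len(after) / n,
        "avg_tte_days": sum(after) / len(after) if after else None,
    }

# Constructed sample set: dates are illustrative placeholders chosen to match
# the timelines the article describes, not the real dates for these CVEs.
SAMPLE = [
    VulnRecord("CVE-2023-28121", date(2023, 4, 1), date(2023, 4, 1),
               date(2023, 6, 21), date(2023, 7, 1)),    # PoC 10 days before attack
    VulnRecord("CVE-2023-27997", date(2023, 6, 12), date(2023, 6, 12),
               date(2023, 6, 12), date(2023, 10, 12)),  # exploit public on day one
    VulnRecord("EXAMPLE-ZERO-DAY", date(2023, 9, 10), date(2023, 9, 10),
               None, date(2023, 9, 1)),                 # attacked 9 days pre-disclosure
    VulnRecord("EXAMPLE-N-DAY", date(2023, 11, 1), date(2023, 11, 1),
               None, date(2023, 11, 4)),                # attacked 3 days post-disclosure
]
```

Feeding a real feed of disclosure, patch and first-exploitation dates into `summarize` gives a defender the same three numbers the report tracks, which is useful for setting a patch SLA that matches the observed TTE rather than a fixed calendar cycle.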
Why Some Flaws Are Exploited Faster Than Others
Several factors determine how quickly hackers act on a disclosed vulnerability. These factors include how difficult it is to exploit the flaw, the value of the target, the motivation of the hackers, and the complexity of the attack. As a result, just knowing when a flaw is disclosed doesn’t always predict when an attack will happen.
Google emphasizes that while sharing a proof-of-concept can increase the chances of exploitation, it’s not the only factor driving attacks. Each vulnerability and situation is different, and attackers take many factors into consideration before deciding to strike.
Conclusion
In light of these findings, it is crucial for users to ensure their applications and operating systems are updated immediately. Updates are no longer a luxury or something that can be postponed, especially given the growing trend of hackers targeting zero-day vulnerabilities as outlined in this report.
Ignoring updates puts users at greater risk, as attackers are getting faster at exploiting vulnerabilities, leaving little time for reaction. Staying up to date with patches can be the difference between security and compromise.
Additionally, practicing safe online habits is key to reducing exposure to cyber threats. Users should avoid clicking on suspicious links, downloading unknown attachments, and visiting untrustworthy websites. These simple yet effective practices, along with timely updates, can help protect systems from being exploited in this increasingly dangerous cybersecurity landscape.