DIscovered by Google’s Threat Analysis Group (TAG), the four vulnerabilities in Google Chrome, Internet Explorer, and WebKit, the browser engine used by Apple’s Safari, were used as a part of three different campaigns.
“We assess three of these exploits were developed by the same commercial surveillance company that sold these capabilities to two different government-backed actors,” share TAG members Maddie Stone and Clement Lecigne.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.
In addition to breaking down the vulnerabilities, the researchers also note that there has been a definite increase in the number of attacks based on zero-day exploits.
So far this year there have been 33 publicly disclosed zero-day exploits used in attacks that have been publicly disclosed this year, share the researchers. To put it into perspective, a grand total of 22 were discovered in the whole of 2020.
However, the marked increase could just be a sign of vendors being more forthcoming about disclosing zero-day vulnerabilities and exploits in their products.
Interestingly, the researchers note that even a genuine increase in the number of zero-day exploits isn’t always a bad thing. They reason that it is the maturing of security products that can thwart most attempts to install malware on a victim’s computer, which is forcing threat actors to rely on zero-day vulnerabilities for conducting attacks.
They also note that until the last decade, only selection nation states had the technical expertise to detect and weaponize zero-day vulnerabilities.
However, leaning on the example of the four vulnerabilities discussed in their post, the researchers argue that these days a majority of the zero-days vulnerabilities are discovered and exploited by private players who then hawk them to state-sponsored actors for their malicious activities.