Google has published Project Zero's 2021 year in review, revealing a record number of zero-day exploits affecting some of the world’s largest technology companies.
Project Zero says it spotted 58 zero-day vulnerabilities being exploited in the wild last year, the most ever recorded since the team started analyzing vulnerabilities in mid-2014.
That’s more than double the earlier record of 28 zero-day exploits detected in 2015, with bad actors still relying on the same bug patterns and exploitation techniques six years later and going after the same attack surfaces.
“With this record number of in-the-wild zero-days to analyze we saw that attacker methodology hasn’t actually had to change much from previous years,” wrote Google security researcher Maddie Stone.
Google said the report highlights the need for the security industry to take an aggressive approach to making it harder for attackers to exploit zero-day vulnerabilities.
“We heard over and over and over about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world,” researchers wrote. “The decisions we make in the security and tech communities can have real impacts on society and our fellow humans’ lives.”
And while Project Zero tracked a record number of exploited zero-day bugs in 2021, there are “key targets” missing from the list, the blog post reads.
“For example, we know that messaging applications like WhatsApp, Signal, Telegram, etc are targets of interest to attackers and yet there’s only one messaging app, in this case iMessage, zero-day found this past year,” the report explains.
Project Zero is an initiative started by Google in 2014 aimed at detailing security defects known as zero-day exploits, vulnerabilities that essentially remain undetected unless a mitigation system has been implemented, thus leaving systems, databases, and more completely exposed to hackers.
Check out the entire in-depth year in review over at Project Zero’s blog.