Google has released new details[1] about four zero-day security vulnerabilities that were exploited in the wild earlier this year. Discovered by Google's Threat Analysis Group (TAG) and Project Zero researchers, the four zero-days were used as part of three targeted malware campaigns that exploited previously unknown flaws in Google Chrome, Internet Explorer, and WebKit, the browser engine used by Apple's Safari.
Google's researchers also noted that 2021 has been a particularly active year for in-the-wild zero-day attacks. So far this year, 33 zero-day exploits used in attacks have been publicly disclosed — 11 more than the total number from 2020.
Google attributes some of the uptick in zero-days to greater detection and disclosure efforts, but said the rise is also due to the proliferation of commercial vendors selling access to zero-day vulnerabilities as compared to the early 2010s.
"0-day capabilities used to be only the tools of select nation states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use," Google said in a blog post[2]. "In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise, now they just need resources. Three of the four 0-days that TAG has discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors."
As for the zero-days discovered by Google, the exploits include CVE-2021-1879[3] in Safari, CVE-2021-21166[4] and CVE-2021-30551[5] in Chrome, and CVE-2021-33742[6] in Internet Explorer.
With the Safari zero-day campaign, hackers used LinkedIn Messaging to target government officials from western European countries, sending malicious links that directed targets to attacker controlled domains. If the target clicked on the link from