Google Project Zero recorded 58 zero-day detections in 2021, while Mandiant Threat Intelligence identified 80 zero-day vulnerabilities exploited in the wild. Both numbers are more than double the previous maximum.

While state-sponsored groups continue to dominate zero-day exploitation, the proportion attributable to financially motivated actors, including ransomware groups, grew to one-third last year, Mandiant found.

The team also analyzed 12 vendors and found that zero-day vulnerabilities in Microsoft, Apple, and Google products accounted for 75% of the zero-days affecting those vendors, likely reflecting the popularity of their software.

“The vast increase in zero-day exploitation in 2021, as well as the diversification of actors using them, expands the risk portfolio for organizations in nearly every industry sector and geography, particularly those that rely on these popular systems,” the report stated.

However, the Google Project Zero team argued that the large uptick in zero-day exploits isn’t simply a result of increased usage; it also reflects industry-wide improvements in vulnerability detection and disclosure.

The researchers also noted that despite the record number, the attacker methodology hasn’t changed much from previous years, following the same bug patterns, attack surfaces, and exploit shapes. 

Among all the identified zero-days, 67% were memory corruption vulnerabilities, which have been the standard way of attacking software for the last few decades, the team added.

How to Make Zero-Day Exploitation Harder in 2022?

While there were indications of a slowed pace in the second half of 2021, zero-day exploitation is still expanding at an elevated rate, Mandiant’s report showed.

Researchers suggest organizations prioritize patching the vulnerabilities that are most likely to impact their environment or cause the most damage.

To further enhance zero-day detection and disclosure, the Project Zero team hopes to see the tech and security industries publicly disclose the in-the-wild exploitation status of vulnerabilities as an industry standard behavior, share more samples or detailed descriptions of the exploit techniques, and continue reducing memory corruption vulnerabilities or rendering them unexploitable.