The State of 0-Day in-the-Wild Exploitation

0-day exploitation occurs when an attacker abuses a vulnerability that the defenders don't yet know about. This makes it very hard to protect against 0-day exploits and also makes 0-day vulnerabilities highly valuable. So how do we protect against the exploitation of unknown vulnerabilities? It starts with understanding everything we can about 0-day exploits.

Each time a 0-day exploit is detected in-the-wild, it's the failure case for attackers. Therefore as defenders, we should use these "failures" as an opportunity to learn as much as we can about the vulnerabilities targeted, the exploitation methods used, the techniques for discovering the vulnerabilities, and more. As a security and technical community, we can then use this data to prioritize what vulnerability research to undertake, gaps in our detection methods, exploit mitigations that will have the most return on mitigation, and overall, how to make it harder for attackers to exploit 0-days to harm users.

This talk synthesizes what we can learn from the 0-days that were exploited in-the-wild in 2020. For each of these 0-days, Project Zero performed a root cause analysis, which details the vulnerability exploited and the exploit methodology used. From these facts, we then developed ideas for better detections and systemic fixes, hypothesized on what methods the actors used to discover the vulnerability, and performed variant analysis. In this talk, we'll share what we've learned from these exploits used in 2020 and how to apply it in 2021 to make it that much harder.