Vulnerability Exploitation: 3 Trends from Our Biannual Review
November 2023 by ReliaQuest
From April 1 to September 30, 2023, over 14,000 new vulnerabilities were disclosed. Even monthly, the number of vulnerabilities disclosed is daunting to a cyber-threat defender, and once you also factor in the number of technologies in a given environment and the time it takes to test and apply updates, let’s be realistic: fixing every vulnerability as it arises isn’t possible.
ReliaQuest recommends a healthy blend of vulnerability intelligence and vulnerability management to defend against cyber attacks. The latter involves figuring out what assets you possess, and determining which vulnerabilities pose the biggest risk.
We continuously monitor vulnerabilities to gauge their potential risk, based on factors like impact, likelihood of exploitation, and the nature of exposure. A small but significant subset of the 14,000 vulnerabilities that came to light in Q2 and Q3 2023 have been exploited in the wild—133 of them.
By excluding the nearly half of exploited vulnerabilities that were zero-days (41%), we get an even smaller subset that’s worth exploring. Zero-days are unpredictable. But if we examine the trends we observed among the non-zero-days (how fast, how easy, and how likely exploitation is) we can actually make predictions that point the way to clear patching priorities.
Exploitation Timeframe (How Fast?)
Our non-zero-day vulnerabilities were exploited an average of 24.5 days after disclosure. In fact, 41% were exploited within a week and 55% within two weeks, which means that more than half took less than the average time to exploit. The rest of the subset were exploited within about a month or more, and some took over three months (which explains why the average time to exploit was 24.5 days rather than, say, 14).
Patch Work: Maintain Asset Inventories
Clearly, cybersecurity teams need to stay on top of patching the right vulnerabilities, with so many being exploited so quickly. (And let’s not forget that almost half of all vulnerabilities disclosed in Q2 and Q3 2023 were zero-days.) Rather than waste valuable time identifying vulnerable assets in emergency patch situations, set up a robust vulnerability management process in advance. That includes maintaining an up-to-date asset inventory, which, at a minimum, records:
• Operating systems
• Software version numbers
• Primary role of asset
• Network address and location
• Asset owner
Exploitability (How Easy?)
The base score of the Common Vulnerability Scoring System (CVSS) should be an important factor when prioritizing updates. The average CVSS base score of our exploited-vulnerability subset was 8. This is logical, considering that a higher CVSS score signifies greater exploitability (and impact) potential. But the score alone doesn’t paint the whole picture.
The exploitability factors that influence the CVSS base score are attack vector, attack complexity, privileges required, user interaction, and scope. Analyzing the new vulnerabilities exploited in the wild during Q2 and Q3 in terms of those metrics shows what risky qualities lie behind those high CVSS scores.
Focus your patching efforts on vulnerabilities that have a higher likelihood of being targeted (and start with those being actively exploited). Based on the risk factors that make up the CVSS base score, and ReliaQuest analysis of the past six months, these should include:
• Technologies that are often internet facing, typically configured with elevated privileges, or store sensitive data
• Vulnerabilities that exhibit low attack complexity, remote exploitability, and no required authentication
• Technologies that are in widespread use globally, in addition to those which are more niche but have a relatively large presence; these are likely to be desirable targets for threat actors (more on this below)
Mass Exploitation (How Likely?)
Ransomware is the biggest threat facing organizations in 2023. Some ransomware operators focus mainly on exploiting vulnerable internet-facing devices to gain access to a target environment. These attacks are often opportunistic, depending on which networks they can gain access to. See where we’re going with this?
When new vulnerabilities crop up in technologies that are often public facing, and have a relatively large presence in organizations around the world, cyber-threat actors often jump at the opportunity. Some well-resourced threat groups even purchase or develop their own zero-day exploits.
It’s not just ransomware operators taking advantage. State-sponsored threat groups are also known to adopt publicly available exploits into their arsenals, to support operations against current targets, or gain access to new ones that could benefit their objectives.
A few examples include CVEs found in PaperCut (CVE-2023-27350) and Citrix (CVE-2023-3519) products, as well as one found in the MOVEit Transfer software (CVE-2023-34362), all of which were exploited in Q2 and Q3 2023. Each of these products is often public facing, and exploitation granted unauthenticated users access to the company environment.
In many cases, exploitation continued well after updates for the flawed versions were released. The bottom line? As long as vulnerable devices are still out there, attackers will continue to exploit them.
Patch Work: Strengthen Networks
Much like defenders, threat actors are monitoring the vulnerability threat landscape, scanning for opportunities to gain initial access or exploit weaknesses once they are already in a network. When it comes to zero-days and rapidly exploited vulnerabilities, organizations can’t always be ahead of the curve. But they can strengthen defenses.
Aim for a robust security posture by:
• Securing edge devices: Regularly monitor public-facing systems and disable any unnecessary services or device management interfaces. When possible, enforce access controls for edge devices, so that only connections from authorized sources are allowed.
• Segmenting networks: Create barriers that limit unnecessary communication between devices and shield critical applications. This can help contain threats following any exploitation and initial access.
• Enhancing visibility: Enable antivirus or Endpoint Detection and Response tools, which provide valuable detection capabilities. Increase logging on vulnerable devices, to broaden the scope of existing alerts and enable the detection of post-exploitation behavior.