For five years running, vulnerability exploitation has ranked among the top three most popular attack methods on organisations, according to the study done by Positive Technologies[1].
In 2022–2023, attackers stole confidential data from over 2,700 companies worldwide, exploiting just one vulnerability. This study presents the results of analysing dark web discussions and statistics on vulnerabilities, along with issues and solutions in organisational vulnerability management.
“Over the past three years, vulnerability exploitation has increasingly attracted cybercriminals, accounting for about one-third of all successful cyberattacks: it accounted for 18% in 2019, and 32% in 2023. On average, an experimental PoC exploit appears within six days of a critical vulnerability disclosure. This PoC, often a code fragment, command list, or program, can be used to attack a vulnerable system. In as few as five days, discussions surrounding this PoC begin on dark web forums, and with them the likelihood of ready-to-use exploits being developed to be used in mass attacks increases”, notes Fedor Chunizhekov, Head of Security Analytics at Positive Technologies.
Positive Technologies has analysed over 51 million messages across 217 dark web platforms. The most commonly mentioned vulnerabilities are those in WinRAR (CVE-2023-38831), Fortinet products (CVE-2022-40684), and the Java-based Spring Framework (CVE-2022-22965). The vulnerabilities in Linux (CVE-2022-0847) and the Microsoft Support Diagnostic Tool (CVE-2022-30190) have also been objects of hackers’ attention. Messages about remotely exploited vulnerabilities[2] constitute 70% of discussions among cybercriminals on the dark web.
Delaying vulnerability fixes can lead to serious issues for organisations. In May 2023, a mass defacement of websites in the .ru and .рф domains occurred due to the exploitation of the CVE-2022-27228 vulnerability in the 1C-Bitrix web development and content management system. By exploiting the CVE-2023-4966 vulnerability, criminals stole data on 36 million customer accounts from the telecommunications company Xfinity, including password hashes, passwords, and answers to security questions. Ransomware groups have used a flaw in the Microsoft Windows Support Diagnostic Tool (CVE-2022-30190, also known as Follina) to conduct mass ransomware attacks. APT groups have also exploited this vulnerability in their cyberespionage campaigns. Due to the exploitation of a critical vulnerability in Progress MOVEit Transfer (CVE-2023-34362), confidential data from over 2,700 organisations worldwide was compromised.
To prevent the exploitation of vulnerabilities and the occurrence of non-tolerable events, proactive measures must be taken to protect individual services and the entire IT infrastructure. Experts recommend that organisations regularly inventory and classify their assets; prioritise assets based on their importance, as well as the severity and frequency of vulnerabilities; conduct regular security analyses of systems and applications; and monitor the dark web to identify the latest threats. Setting realistic timelines for vulnerability remediation and closely monitoring the patching process are also crucial.
For this, we recommend using modern vulnerability management systems, such as MaxPatrol VM. Using specialised tools allows you to promptly detect and eliminate dangerous vulnerabilities both on the network perimeter and within the infrastructure, with information about current vulnerabilities being delivered to MaxPatrol VM within just 12 hours. Monitoring the status of the target systems and intermediary target systems on a regular basis helps to prevent non-tolerable events associated with the exploitation of vulnerabilities in important assets.
[1] “Consequences of untimely remediation of vulnerabilities (2022–2023)”
[2] These include network protocol vulnerabilities, open ports, weak passwords, or a lack of security measures. These vulnerabilities enable hackers to infiltrate systems via the internet.
Image Credit: Positive Technologies