Many users operating in cyberspace are unaware of the curse of vulnerabilities. As the starting point of many cyber-attacks, vulnerabilities demand far more attention than they get. They are flaws in software and systems, often exploited by cyber criminals to gain entry to an endpoint or network.
Did you know: There were 17,220 new vulnerabilities reported in 2019, a 3.8 percent increase from 2018.
With technology products multiplying rapidly, the total vulnerability count also rises each year. However, this curse of vulnerability is not a hopeless dilemma: security researchers discover and report multiple vulnerabilities in multiple products every day. Moreover, to mitigate the risk of intrusion through a vulnerability, affected vendors keep updating their products with the latest security patches to fix the flaws. All an end user has to do is keep all software updated to the latest or recommended versions.
Each vulnerability comes with a severity score, labelled Low, Medium, High or Critical. This year there is a slight increase in medium-severity vulnerabilities, whereas high-severity vulnerabilities have gone down slightly.
Last year, medium-severity vulnerabilities accounted for 34% of all reported vulnerabilities; this year the share has gone up to 40%. What does this mean?
When a high-severity vulnerability is reported, security teams are likely to focus their energy on it while neglecting medium-severity vulnerabilities for longer periods. However, the severity scale only rates the possible impact of a single vulnerability in isolation. It does not account for the risk or exposure an organization faces because of that vulnerability. It is therefore possible that a neglected medium-severity vulnerability is a bigger risk to an organization than a high-severity one. Because of this neglect, attackers are more attracted to medium-severity vulnerabilities. Hence, incorporating risk and exposure into vulnerability management becomes necessary.
While some software updates are meant to enhance the UX, UI and features of a product, most updates deliver an upgraded version of the product after patching all known security flaws reported by security researchers. Updating products to their latest versions is therefore highly advised. When a patch is not yet available, vendors sometimes provide workarounds to reduce the risk of a vulnerability being exploited.
Vulnerabilities are of many different types, classified by the impact they have when exploited. Some lead to unauthorized access because authentication fails, some to buffer overflows, some allow remote code execution, and others result in SQL injection. Likewise, a product may fail to carry out input validation, may allow security bypass or path traversal, and may enable cross-site scripting or request forgery.
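Path traversal, one of the flaw classes listed above, comes from trusting a request path when building a filesystem path. The Python below is an added example, not code from the original post: it puts the naive join beside a hardened resolver that decodes the request once, rejects absolute paths and control characters, normalises the result and confirms it still lies under a constructed web root (DOC_ROOT is an assumption; nothing is read from disk).

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed web root for the example (an assumption); nothing is read from disk.
DOC_ROOT = "/srv/app/public"


def unsafe_resolve(requested: str) -> str:
    """The vulnerable pattern: join the request path onto the web root and
    trust the result. '..' segments walk out of DOC_ROOT, and an absolute
    request path makes posixpath.join discard the root entirely."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, requested))


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened form. Returns the resolved path, or None when the request
    must be refused. Assumes `requested` is the still-encoded path from the
    request line, so it is percent-decoded exactly once here."""
    decoded = unquote(requested)
    # NUL bytes truncate paths in C-based filesystem calls and backslashes
    # are separators on some platforms, so neither belongs in a web path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # An absolute path would replace DOC_ROOT rather than extend it.
    if posixpath.isabs(decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded))
    # The decisive check: after normalisation the path must still be the
    # root itself or something beneath it. Comparing with the trailing '/'
    # stops "/srv/app/public_old" from matching "/srv/app/public".
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    # In a real server, also resolve symlinks (os.path.realpath) before the
    # containment check; string normalisation cannot see links on disk.
    return candidate


if __name__ == "__main__":
    for req in ["css/site.css", "docs/../index.html", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        print(f"{req!r:30} unsafe={unsafe_resolve(req)!r:26} safe={safe_resolve(req)!r}")
```

The containment check is done after normalisation, never before: a check on the raw string would miss encoded dots, and a check before `normpath` would accept `docs/../../x`.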
These vulnerabilities have been exploited in cyberattacks for decades. However, Imperva finds significant changes in web attack and traffic trends as a result of COVID-19. The attack types recorded in the second quarter of 2020 show a shift from backdoors/trojans to the exploitation of vulnerabilities. The chart below shows that 27% of recent cyberattacks were remote code execution attacks, followed by path traversal attacks at 18%.
Looking at the attack types, most cyberattacks exploit vulnerabilities. Below is a breakdown of the top vulnerabilities exploited in these attacks.
Some major technology products are used worldwide and are therefore the most available for cyber criminals to exploit; examples include web browsers and Microsoft and Google products. In the past few months, many vulnerabilities in different products have been exploited in cyberattacks. Given below are the ones most exploited across the globe.
BlueKeep was first reported by Microsoft in May 2019 as a critical security vulnerability, followed months later by DejaBlue. The vulnerabilities exist in the Remote Desktop Protocol (RDP) and allow remote code execution (RCE). Massive scanning for vulnerable devices was seen right after their disclosure. Metasploit released a BlueKeep exploit in September, and by November the first exploitation had been reported. With remote work enabled, RDP vulnerabilities are now targeted even more.
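The mass scanning for exposed RDP that followed the BlueKeep disclosure shows up in perimeter logs as one source probing many hosts on port 3389 in a short time. The Python below is an added detection example, not from the original post or any vendor: it parses a constructed firewall log (the key=value format, the TEST-NET addresses and the timestamps are all made up) and flags any source that reaches at least `min_hosts` distinct destinations on the RDP port within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Constructed firewall log for the example. The format, the TEST-NET sources
# (203.0.113.0/24, 198.51.100.0/24) and the timestamps are all made up.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z src=203.0.113.5 dst=10.0.0.11 dport=3389 action=deny
2020-06-01T10:00:02Z src=203.0.113.5 dst=10.0.0.12 dport=3389 action=deny
2020-06-01T10:00:03Z src=203.0.113.5 dst=10.0.0.13 dport=3389 action=deny
2020-06-01T10:00:04Z src=203.0.113.5 dst=10.0.0.14 dport=3389 action=allow
2020-06-01T10:00:05Z src=203.0.113.5 dst=10.0.0.15 dport=3389 action=deny
2020-06-01T10:00:06Z src=203.0.113.5 dst=10.0.0.16 dport=3389 action=deny
2020-06-01T10:01:00Z src=198.51.100.7 dst=10.0.0.12 dport=3389 action=allow
2020-06-01T10:05:00Z src=198.51.100.7 dst=10.0.0.12 dport=3389 action=allow
2020-06-01T10:06:00Z src=198.51.100.9 dst=10.0.0.21 dport=443 action=allow
2020-06-01T10:06:01Z src=198.51.100.9 dst=10.0.0.22 dport=443 action=allow
2020-06-01T10:06:02Z src=198.51.100.9 dst=10.0.0.23 dport=443 action=allow
2020-06-01T10:06:03Z src=198.51.100.9 dst=10.0.0.24 dport=443 action=allow
2020-06-01T10:06:04Z src=198.51.100.9 dst=10.0.0.25 dport=443 action=allow
malformed line that the parser must skip
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_rdp_sweeps(lines: Iterable[str], port: int = 3389, min_hosts: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {source: max distinct destinations} for every source that touched
    at least `min_hosts` distinct hosts on `port` inside any `window`.
    Denied connections count too: a scanner hits closed hosts as well as open ones."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span is at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[src] = max(flagged.get(src, 0), len(hosts))
    return flagged


if __name__ == "__main__":
    for src, count in find_rdp_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible RDP sweep from {src}: {count} distinct hosts on port 3389")
```

In the sample, the repeated connections from one administrator to a single host are not flagged, while the source that touches six hosts in six seconds is; the same function, with `port=443`, reports the other sweeping source.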
Oracle WebLogic Server houses various critical remote code execution vulnerabilities, affecting numerous applications and enterprise web portals that use the server. Cyber criminals are exploiting these to deliver the Sodinokibi and Satan ransomware as well as to install Monero cryptomining malware.
This RCE vulnerability in the MTA software Exim is exploited by sending crafted packets to the victim's server, owing to insufficient validation of the recipient's email address. A significant number of exploitation attempts in the wild have been observed this year, deploying cryptominers.
Did you know: More than 80% of the vulnerabilities exploited in the past year were registered 3-4 years ago.
Check Point's global attack sensors revealed that around 85% of the exploited vulnerabilities were registered in or before 2017. This means that users are not patching vulnerabilities on time and that older vulnerabilities still remain a threat.
Just like other products, numerous vulnerabilities in web browsers lead to potential cyber-attacks. It is interesting to note that Chrome holds two key positions: the most popular web browser and the most vulnerable one. Given below are the charts for web browsers depicting popularity and vulnerability.
Did you know: Vulnerabilities in Chrome now account for 38 percent of all browser vulnerabilities, up from 32 percent in 2018. (See Chart Below)
The exploitation of older vulnerabilities shows that many users and organizations still do not have vulnerability management as part of their cybersecurity programme. Patching all vulnerabilities on time can dramatically reduce an organization's exposed attack surface. It is also very important to prioritize the vulnerabilities that pose the greatest risk to the organization. However, IBM X-Force Red brings bad news here: its autonomous team of veteran hackers finds an average of 1,440 unique vulnerabilities per organization.
If security teams go the extra mile to find out which new vulnerabilities have public PoCs before they are exploited in the wild, they will better understand which vulnerabilities pose the bigger risk to the organization.
Another rising concern about leaving vulnerabilities unpatched is that exploit kits have made a return in 2020. Exploit kits are malicious toolkits that attack vulnerabilities in systems in order to distribute malware or perform other malicious activities. They are built by cyber criminals and sold to other threat actors, giving vulnerabilities extra mileage in cyberattacks.
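The threads above (severity in isolation versus risk to the organization, old vulnerabilities still being the ones exploited, and public PoCs as a warning sign) can be turned into a simple ranking. The Python below is an added example, not the post's or any vendor's method, and its weights are illustrative assumptions rather than a standard: it labels each finding with its CVSS band and then multiplies the base score by factors for a public exploit, internet exposure, asset criticality and age, so that a medium-severity flaw that is exposed and has a public PoC can outrank a critical one that is neither. The CVE identifiers are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class Finding:
    cve: str                # placeholder identifier, not a real CVE
    cvss: float             # CVSS v3 base score, 0.0 to 10.0
    published: date         # when the vulnerability was registered
    internet_facing: bool   # reachable from outside the perimeter
    public_exploit: bool    # public PoC or exploit-kit module known
    asset_criticality: int  # 1 = low, 2 = normal, 3 = crown jewels


def severity_label(cvss: float) -> str:
    """CVSS v3.x qualitative bands: the 'severity in isolation' the post describes."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


# Illustrative weights (assumptions for this example, not a published model).
EXPLOIT_FACTOR = 1.5    # a public PoC removes the attacker's main obstacle
EXPOSURE_FACTOR = 1.3   # reachable from the internet
AGE_FACTOR = 1.2        # unpatched for three years or more
CRITICALITY_FACTOR = {1: 0.8, 2: 1.0, 3: 1.2}


def risk_score(f: Finding, today: date) -> float:
    """Organization-specific risk: the CVSS base score scaled by exposure factors."""
    score = f.cvss
    if f.public_exploit:
        score *= EXPLOIT_FACTOR
    if f.internet_facing:
        score *= EXPOSURE_FACTOR
    score *= CRITICALITY_FACTOR[f.asset_criticality]
    age_years = (today - f.published).days / 365.25
    if age_years >= 3:
        score *= AGE_FACTOR
    return round(score, 1)


def prioritize(findings: List[Finding], today: date) -> List[Tuple[str, str, float]]:
    """Return (cve, severity label, risk score) tuples, highest risk first."""
    ranked = [(f.cve, severity_label(f.cvss), risk_score(f, today)) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed findings with placeholder CVE ids.
FINDINGS = [
    Finding("CVE-XXXX-0001", 5.5, date(2017, 3, 1), True, True, 3),    # old, exposed, PoC public
    Finding("CVE-XXXX-0002", 8.1, date(2020, 5, 1), False, False, 2),  # high, internal only
    Finding("CVE-XXXX-0003", 9.8, date(2020, 6, 1), True, False, 2),   # critical, exposed, no PoC
    Finding("CVE-XXXX-0004", 4.3, date(2019, 1, 15), False, False, 1), # medium, low-value host
]

if __name__ == "__main__":
    for cve, label, score in prioritize(FINDINGS, date(2020, 7, 1)):
        print(f"{cve}  {label:8}  risk={score}")
```

With these inputs the 2017 medium-severity finding lands at the top of the list, ahead of the critical and the high, which is exactly the reordering the post argues a severity-only triage misses.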