76% of Ransomware Attacks Use Old Vulnerabilities
A new study by Ivanti and others found that ransomware operators used a total of 344 unique vulnerabilities in attacks in 2022, 56 more than the prior year. A full 76% of those vulnerabilities were disclosed in 2019 or earlier. The oldest vulnerabilities found were remote code execution bugs in Oracle products from 2012.
Top Findings for 2022
- Kill chains impact more IT products: Complete MITRE ATT&CK kill chains now exist for 57 vulnerabilities associated with ransomware, and those kill chains let ransomware groups exploit vulnerabilities spanning 81 unique products.
- Scanners are not detecting all threats: Popular scanners do not detect 20 vulnerabilities associated with ransomware.
- Multiple software products are affected by open-source issues: Reusing open-source code in software products replicates vulnerabilities, such as the ones found in Apache Log4j. For example, CVE-2021-45046, an Apache Log4j vulnerability, is present in 93 products from 16 vendors and is exploited by AvosLocker ransomware. Another Apache Log4j vulnerability, CVE-2021-45105, is present in 128 products from 11 vendors and is also exploited by AvosLocker ransomware.
- Old is still gold for ransomware operators: More than 76% of vulnerabilities still being exploited by ransomware were discovered between 2010 and 2019. Of the 56 vulnerabilities newly tied to ransomware in 2022, 20 were discovered between 2015 and 2019.
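The second and third findings above are two sides of the same problem: a scanner that only matches package names or top-level file listings will not see a copy of log4j-core that a vendor bundled inside a fat JAR, or shaded into its own namespace with the Maven metadata stripped. The script below is an added example (not from the Ivanti report or this post's author) showing the check a practitioner would run: walk a JAR and every JAR nested inside it, recover the log4j-core version from its pom.properties or file name, and map it to the two CVEs named above using the fixed versions from the Apache Log4j advisories (2.16.0/2.12.2/2.3.1 for CVE-2021-45046, 2.17.0/2.12.3/2.3.1 for CVE-2021-45105). The sample application JAR is constructed in memory; the pre-release handling in parse_version is a simplification flagged in the comments.

```python
"""Find log4j-core copies nested inside other JARs and map them to the CVEs
named in the Ivanti findings. Added example, not the report's or the post
author's code. Sample JARs are constructed in memory; fixed-version data
comes from the Apache Log4j security advisories."""
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Fixed versions per maintenance branch. A version whose major.minor matches a
# branch with its own fix is compared to that fix; anything else is compared to
# the mainline fix (the highest tuple).
FIXED_IN = {
    "CVE-2021-45046": [(2, 3, 1), (2, 12, 2), (2, 16, 0)],
    "CVE-2021-45105": [(2, 3, 1), (2, 12, 3), (2, 17, 0)],
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0).
    Simplification: qualifiers are dropped, so 2.0 pre-releases count as 2.0.0."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def applicable_cves(version):
    """Return the CVEs from FIXED_IN that apply to this log4j-core version tuple."""
    if version[0] != 2:
        return []  # log4j 1.x is outside these two advisories
    hits = []
    for cve, fixes in FIXED_IN.items():
        branch = [f for f in fixes if f[:2] == version[:2]]
        fix = branch[0] if branch else max(fixes)
        if version < fix:
            hits.append(cve)
    return hits


def scan_jar(data, path):
    """Walk one JAR (bytes) and every JAR nested inside it.
    Yields (path, version_or_None, cves); version None means log4j-core classes
    are present but no version metadata survived (shaded copy: review by hand)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()  # list, so results come out in archive order
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:
            m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", path)
            if m:
                version = m.group(1)
        if version is not None:
            yield (path, version, applicable_cves(parse_version(version)))
        elif any(n.endswith(JNDI_CLASS) for n in names):
            yield (path, None, [])  # relocated/shaded copy without metadata
        for name in names:
            if name.endswith(".jar"):
                yield from scan_jar(zf.read(name), f"{path}!/{name}")


def findings(data, path="app.jar"):
    return list(scan_jar(data, path))


def build_jar(entries):
    """Build an in-memory JAR from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_app_jar():
    """Constructed sample: a fat JAR bundling log4j-core 2.14.1, a vendor library
    that shaded log4j-core and stripped its Maven metadata, and a fixed 2.17.0."""
    vulnerable = build_jar({POM_PROPS: b"version=2.14.1\n", JNDI_CLASS: b"\xca\xfe"})
    shaded = build_jar({"shaded/" + JNDI_CLASS: b"\xca\xfe"})
    fixed = build_jar({POM_PROPS: b"version=2.17.0\n"})
    return build_jar({
        "BOOT-INF/lib/log4j-core-2.14.1.jar": vulnerable,
        "BOOT-INF/lib/vendor-utils-1.0.jar": shaded,
        "BOOT-INF/lib/log4j-core-2.17.0.jar": fixed,
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    })


if __name__ == "__main__":
    for path, version, cves in findings(sample_app_jar()):
        print(path, version or "version unknown (review)", cves)
```

Run against a real deployment directory by feeding each .jar/.war/.ear's bytes to findings(); the "version None" result is the case a name-based scanner misses entirely, and the reason the report counts the same Log4j CVE across dozens of vendor products.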
David Maynor, Senior Director of Threat Intelligence at Cybrary:
“As a person who has done both offense and defense security work, I am not surprised by these statistics. There is a public perception that these groups are wizard-level hackers, but in reality they rely on organizational sprawl for attacks.
“Scanners have never detected all exploitable threats. It’s just not possible. One of the reasons is that vendors like Oracle have had a hostile relationship with external security companies since the beginning of this century. In fact, Oracle’s CSO Mary Ann Davidson wrote a scathing blog post in 2015 about how people who find vulnerabilities in Oracle’s products should not tell the company about it. The post has been removed but was covered by Wired here: https://www.wired.com/2015/08/oracle-deletes-csos-screed-hackers-report-bugs/
“CVSS scores do mask vulnerability severity, or at least how companies use it for risk detection and mitigation. I have seen companies set SLAs on producing threat intel reports based solely on the CVSS score. Because the reports are generally generated by regurgitating versions of other people’s reports and not hands-on testing, the Threat Intel manager won’t push back. This report from Ivanti highlights the typical misuse of Threat Intel, since actual ransomware attacks are coming from old or lower-risk attacks being chained together. CVSS is not designed to evaluate an exploit’s value to an actor’s kill chain. While the CVSS has been updated over the years, it remains an example of early-2000s thinking being used to make threat intelligence and risk decisions in 2023.”
“This is why training a team to be able to do hands-on research and testing in an org’s environment is extremely important. No scanner detects all the flaws, no vendor gets every patch right, so a layered defense driven by a well-trained security team is the best way to de-risk your operations.”
Given that ransomware attacks have huge costs, I’d be looking at Mr. Maynor’s advice as well as reading this report and forming a game plan to make sure that old vulnerabilities don’t come back to haunt you.
This entry was posted on February 21, 2023 at 4:48 pm and is filed under Commentary with tags Ivanti. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.