In a new blog post, Flashpoint talks about the NVD slowdown and what organizations should be thinking about as they work to stay updated on all vulnerabilities.
Flashpoint released its annual Global Threat Intelligence Report last week, which also dug into NVD in depth. Here’s that section, found on page 11:
Beyond CVE: Uncovering the Hidden Vulnerability Landscape
Organizations strictly relying on CVE are likely unaware of nearly a third of known vulnerability risk. Flashpoint has documented over 100,000 vulnerabilities that CVE has failed to report, many of which affect major vendors such as Google and Microsoft. Flashpoint’s non-CVE coverage has also identified a significant number of issues affecting numerous third-party libraries—in addition to zero-day and in-the-wild exploits that are being used by threat actors.
As of February 2024, Flashpoint analysts have cataloged 330 vulnerabilities that were discovered being exploited in the wild and still do not have a CVE ID. These include vulnerabilities in:
Adobe Reader
Apple iOS
Apple macOS
Google Android
Microsoft SQL Server
Siemens SIMATIC
Solarwinds Orion Platform
As of February 2024, the following have been exploited in some form of malware, yet do not have a CVE ID:
Apache Hadoop
Google Authenticator for Android
PHP
Any vulnerability management team that feels underserved by their current coverage needs visibility into non-CVE issues—especially if they are leveraging legacy or end-of-life software. Having immediate access to actionable data empowers security teams to address issues, sometimes as fast as two weeks compared to CVE.
Information-stealing malware, known as ‘stealers,’ has evolved significantly from its origins in banking trojans. Today, these stealthy programs have become a tool of choice for cybercriminals, due to their lightweight nature and ability to scrape a wide range of sensitive data.
This topic is covered in a new blog post from Flashpoint. The blog covers:
The stealers’ evolution: their journey from the ZeuS trojan to today’s sophisticated versions.
How simplicity, source code availability, and low costs drive their use.
How their methods work, from initial infection to data exfiltration.
How cybercriminals exploit stolen data, including selling credentials and unauthorized account access.
The Flashpoint analyst team wrote a blog post late yesterday about the ALPHV/Blackcat downfall and the crackdown on the ransomware group. The blog post makes for interesting reading about one of the most notorious ransomware groups.
I wanted to highlight a blog post from Flashpoint’s Brian Martin announcing that the company has found/identified over 100,000 hidden vulnerabilities beyond what CVE reports.
What does missing vulnerability data mean for organizations?
Facing the unseen danger: Vulnerability management programs that heavily rely on CVE data are likely operating on less than 70 percent of known vulnerability risk.
The hidden threats in plain sight: VulnDB’s non-CVE ID collection includes zero-days and discovered-in-the-wild vulnerabilities. There are known instances of threat actors using them in recent cyberattacks.
A wake-up call for major vendors: Non-CVE vulnerabilities also affect major vendors such as Google, Microsoft, Adobe, Apple, and more. They also affect well-known third-party libraries—a market historically underserved by MITRE, which administers the CVE Program.
Specialized industries, specialized risks: For organizations in highly specialized industries like manufacturing, medical, and blockchain technology, VulnDB’s non-CVE collection is particularly beneficial.
VulnDB makes triaging and prioritizing non-CVE vulnerabilities easier. Every vulnerability entry (whether non-CVE or CVE) is standardized, containing up to 60 distinct classifications based on the disclosure. It also captures public citations, exploit details, and CVSSv2 and CVSSv3 scores.
The post covers the good, the bad, and the challenging aspects of AI, including the White House’s recent Executive Order. Flashpoint talks about AI threats, AI as a force multiplier for low-level attacks, the top 5 most common AI brands used by threat actors, and the rise of custom-built malicious AI models such as WormGPT and FraudGPT.
Flashpoint has released its H1 Cyber Threat Intelligence Index. Here are just a few of the points in the report:
Flashpoint digs into the activity from ransomware groups over the past 12 months. Regarding ransomware, Flashpoint found:
The most headline-grabbing cyber extortion event in the first half of 2023 was (and continues to be) the impact of the Clop ransomware group, which began exploiting the MOVEit zero-day vulnerability in May to gain illegal access to a wide range of victims.
As of August 9, the total number of victims—those posted on Clop’s ransomware blog combined with data from Flashpoint’s Cyber Risk Analytics (CRA) platform—totaled more than 650. This number includes companies that were directly attacked by Clop as well as third-party victims.
Regarding Vulnerabilities over the past 6 months:
14,201 new vulnerabilities were reported in H1 2023, and 2,189 of them were missed by the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD).
Over 36 percent of H1’s disclosed vulnerabilities have a working proof-of-concept or a known public exploit, giving low-level attackers an opportunity to compromise vulnerable systems.
Regarding Data Breaches over the past 6 months, Flashpoint found:
In H1 2023, Flashpoint analysts identified 2,893 data breach events, resulting in the loss of 5.94B records.
The highest number of breaches were recorded in the US.
Flashpoint’s H1 2023 report also digs into Malware IOCs and Insider Threats.
Flashpoint Publishes A Blog Post About NVD Slowdown
Posted in Commentary with tags Flashpoint on April 3, 2024 by itnerd
You can read the blog post here.