New Study Finds That Ransomware Attacks Are Heavily Relying on Old Vulnerabilities; Unpatched Issues Dating Back to 2010 Still Exploited

A new joint study from several leading cybersecurity firms has found that cyber criminals are spending most of their time going for low-hanging fruit: old vulnerabilities that organizations have just not got around to patching. 76% of ransomware attacks in 2022 were tied to a known vulnerability that was made public between 2010 and 2019, and vulnerabilities that were discovered as far back as 2015 are still commonly exploited.

The study has a number of other interesting findings that should prompt organizations to immediately get on top of their patching of old vulnerabilities, not the least of which is that advanced persistent threat (APT) groups are showing increased interest in the ransomware game. Over a dozen started implementing ransomware attacks into their mix of activities in 2022, a 51% increase from 2020.

Ransomware attacks shifting to the easiest possible targets

The study illustrates what a challenge patching has become for many organizations, as old vulnerabilities pile up due primarily to a lack of IT staff and assorted legacy system issues. The study finds 56 vulnerabilities tied to ransomware attacks in 2022, with 20 of these being issues published between 2015 and 2019. The oldest exploited vulnerability in the group was discovered in 2010.

However, not all of this is owed to lax effort by IT departments (or unmanageable workloads). The study also finds that popular malware scanners do not pick up 20 of these vulnerabilities. Additionally, 131 known old vulnerabilities associated with ransomware attacks have yet to be added to the CISA Known Exploited Vulnerabilities (KEVs) catalog. Common Vulnerability Scoring System (CVSS) ratings also do not necessarily reflect the seriousness of vulnerabilities or the likelihood of seeing them deployed in ransomware attacks; the study finds 57 with either low or medium score levels that are known to be targeted by the bigger ransomware gangs.

There is also the issue of “upstream” attacks becoming a bigger focus for ransomware groups. This has been perfectly illustrated by the Log4J issue. The study finds 93 software products from 16 vendors that have Log4J vulnerabilities that are targeted by the AvosLocker ransomware. There are also now complete MITRE ATT&CK mappings for 57 vulnerabilities associated with ransomware, with “kill chains” documented that exploit old vulnerabilities in 81 different software products.

Finally, there is the issue of APT groups showing a greater interest in ransomware attacks. 33 deployed ransomware in 2020; that number is up to 50 in 2022. Four of these groups engaged in ransomware attacks for the first time ever in 2022.

The report also finds some regional differences in the attack surface and presence of old vulnerabilities in the US. The Midwestern and Southern states fared the worst overall, with the most exploitable exposures overall and the largest number of Remote Code Execution and Privilege Escalation (RCE/PE) exploits. Home to numerous government agencies and defense contractors, the Northeastern states fared fairly well overall but did have the greatest number of high-risk services and were close to the top in CISA KEV exposures.

Patching efforts struggle to keep up with old vulnerabilities

The report notes that it has never recorded a quarter in which vulnerabilities tied to ransomware attacks did not increase in quantity. But while keeping on top of new vulnerabilities is critical, noticing the revival of old vulnerabilities can be just as crucial. When ransomware gangs dig up old vulnerabilities and deploy them, the new risk can fly below the radar because those vulnerabilities are not reassessed with new CVSS scores. One example cited is the 2013 IBM InfoSphere BigInsights flaw CVE-2013-3993, which was given a score of only 3.5 during the CVSS2 period and has no CVSS3 score. Both the Locky and Petya ransomware groups have been targeting this vulnerability since mid-2022.

The researchers also note that a common “workflow” of sorts is emerging among these groups: find unpatched old vulnerabilities, establish access and find a copy of the target’s cyber insurance policy, and then demand something close to the maximum amount that they are covered for. If the target pleads poverty, they are sent a copy of the policy with the coverage amount highlighted.

These methods are also not just the work of newcomers, or inexperienced criminals. Experienced ransomware groups are intentionally seeking out old vulnerabilities that can be deployed broadly, particularly those that exist across multiple software products and/or are known to not be addressed with updates. The experienced ransomware gangs are savvy, and are well aware that organizations that struggle with IT workload prioritize new vulnerabilities and those with high CVSS scores.
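To make the CVSS-versus-exploitation point above concrete, here is an added Python example (not from the report or from any vendor's tooling) that ranks a constructed patch backlog two ways: by CVSS alone, and with a floor applied for CISA KEV listing or known ransomware use. The only real identifier is CVE-2013-3993 from the report; the CVE-2099-* ids are placeholders, and the floor values are an assumed policy.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    published: int          # year the CVE was made public
    cvss3: Optional[float]  # None when the CVE was never re-scored under CVSSv3
    cvss2: Optional[float]  # legacy score, often all an old CVE has
    in_cisa_kev: bool       # listed in CISA's Known Exploited Vulnerabilities catalog
    ransomware_use: bool    # tied to a ransomware family by threat intel


# Constructed inventory. Only CVE-2013-3993 comes from the report (CVSS2 3.5,
# no CVSS3 score, used by Locky and Petya); the CVE-2099-* ids are placeholders.
INVENTORY: List[Finding] = [
    Finding("CVE-2013-3993", 2013, None, 3.5, False, True),
    Finding("CVE-2099-0001", 2023, 9.8, None, False, False),
    Finding("CVE-2099-0002", 2022, 7.5, None, False, False),
    Finding("CVE-2099-0003", 2021, 5.3, None, True, False),
]


def base_score(f: Finding) -> float:
    """CVSS3 if present, else the legacy CVSS2 score, else 0 (unscored)."""
    if f.cvss3 is not None:
        return f.cvss3
    return f.cvss2 if f.cvss2 is not None else 0.0


def evidence_score(f: Finding) -> float:
    """Raise the floor for CVEs with exploitation evidence, so an old low-CVSS
    CVE in active ransomware use outranks a fresh but unexploited 9.8.
    The floor values are an assumed policy, not taken from the report."""
    floor = 10.0 if f.ransomware_use else 9.0 if f.in_cisa_kev else 0.0
    return max(base_score(f), floor)


def cvss_only_order(findings: List[Finding] = INVENTORY) -> List[str]:
    """Patch order a CVSS-driven SLA would produce."""
    return [f.cve for f in sorted(findings, key=base_score, reverse=True)]


def evidence_order(findings: List[Finding] = INVENTORY) -> List[str]:
    """Patch order once KEV listing and ransomware use are factored in."""
    return [f.cve for f in sorted(findings, key=evidence_score, reverse=True)]


def promoted(findings: List[Finding] = INVENTORY) -> List[str]:
    """CVEs a CVSS-only queue would leave sitting in the backlog."""
    return [f.cve for f in findings if evidence_score(f) > base_score(f)]
```

Run against a real inventory, the `promoted()` list is the set of tickets to re-open: CVEs whose score never changed but whose exploitation status did.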

David Maynor, Senior Director of Threat Intelligence with Cybrary, comments that these criminals are well aware of all types of organizational dysfunction and intentionally seek out vulnerabilities that it predictably creates: “As a person who has done both offense and defense security work I am not surprised by these statistics. There is a public perception these groups are wizard-level hackers but in reality they rely on organizational sprawl for attacks. Scanners have never detected all exploitable threats. It’s just not possible. One of the reasons is that vendors like Oracle have had a hostile relationship with external security companies since the beginning of this century. In fact, Oracle’s CSO Mary Ann Davidson wrote a scathing blog post in 2015 about how people who find vulnerabilities in Oracle’s products should not tell the company about it. The post has been removed but was covered by Wired here.”

“CVSS scores do mask vulnerability severity or at least how companies use it for risk detection and mitigation. I have seen companies set SLAs on producing threat intel reports based solely on the CVSS score. Because the reports are generally generated by regurgitating versions of other people’s reports and not hands on testing, the Threat Intel manager won’t push back. This report from Ivanti highlights the typical misuse of Threat Intel since actual ransomware attacks are coming from old or lower risk attacks being chained together. CVSS is not designed to evaluate an exploit’s value to an actor’s kill chain. While the CVSS has been updated over the years it remains an example of early 2000s thinking being used to make threat intelligence and risk decisions in 2023. This is why training a team to be able to do hands on research and testing in an org’s environment is extremely important. No scanner detects all the flaws, no vendor gets every patch right, so a layered defense being driven by a well-trained security team is the best way to de-risk your operations,” noted Maynor.