A study shows that administrators have only a short window, between 15 minutes and 10 hours after a new vulnerability is disclosed, in which to install security updates before attackers begin scanning for exposed systems.
Attackers are getting faster and faster at exploiting newly disclosed vulnerabilities. That is the finding of a study by Palo Alto Networks, for which around 600 security incidents were analyzed. In as little as 15 minutes after a new vulnerability is published, criminals begin actively scanning the Internet for vulnerable systems. This was the case for some of the most severe vulnerabilities of the past year, including ProxyShell and ProxyLogon, Log4Shell, the SonicWall flaws and ADSelfService Plus from Zoho Corp's ManageEngine.
Zero-day vulnerabilities are scanned immediately
The security researchers write in their report that they observed increased scanning for vulnerable systems whenever a new security vulnerability was announced, beginning as little as 15 minutes later. This is what happened with the critical vulnerability in F5's BIG-IP software, which the US Cybersecurity and Infrastructure Security Agency (CISA) added to its steadily growing Known Exploited Vulnerabilities (KEV) catalog back in May. After the flaw became public, the Palo Alto researchers observed roughly 2,500 scanning attempts within the next 10 hours that were specifically looking for affected systems.
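The practical consequence of a 15-minute-to-10-hour window is that waiting for a monthly patch cycle is not an option for KEV-listed software: new listings have to be matched against the asset inventory as soon as they appear. The script below is an added example, not code from the article, from Palo Alto Networks or from 8com. It assumes the field names of the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, as published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the snapshot, the host inventory and the "current time" are constructed for the example, and the CVE IDs are the real identifiers of the F5 BIG-IP, ProxyShell and Log4Shell bugs the article names, with illustrative dates rather than values copied from the live feed.

```python
"""Triage newly listed CISA KEV entries against a local asset inventory.

Added example (not from the article, Palo Alto Networks or 8com). Assumes the
public KEV feed schema; KEV_SNAPSHOT, INVENTORY and the sample clock are constructed.
"""
import json
from datetime import datetime

# Constructed snapshot in the shape of the real KEV feed. CVE IDs are real,
# the dates are illustrative only.
KEV_SNAPSHOT = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2022-1388", "vendorProject": "F5", "product": "BIG-IP",
     "dateAdded": "2022-05-10", "dueDate": "2022-05-31"},
    {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"}
  ]
}
"""

# Constructed asset inventory: vendor/product as the operations team records them.
INVENTORY = [
    {"host": "lb-edge-01", "vendor": "F5", "product": "BIG-IP"},
    {"host": "mail-01", "vendor": "Microsoft", "product": "Exchange Server"},
    {"host": "web-07", "vendor": "nginx", "product": "nginx"},
]


def load_kev(raw: str) -> list[dict]:
    """Parse a KEV feed document and return its vulnerability records."""
    return json.loads(raw)["vulnerabilities"]


def new_listings(kev: list[dict], seen_ids: set[str]) -> list[dict]:
    """Entries not seen in the previous poll: these are the ones inside the scanning window."""
    return [e for e in kev if e["cveID"] not in seen_ids]


def _norm(s: str) -> str:
    # Case- and punctuation-insensitive key so "BIG-IP" matches "bigip".
    return "".join(ch for ch in s.lower() if ch.isalnum())


def match_inventory(kev: list[dict], inventory: list[dict]) -> list[dict]:
    """One row per (host, KEV entry) where the vendor matches and the KEV product
    name is contained in the inventory product string."""
    hits = []
    for entry in kev:
        vendor, product = _norm(entry["vendorProject"]), _norm(entry["product"])
        for asset in inventory:
            if _norm(asset["vendor"]) == vendor and product in _norm(asset["product"]):
                hits.append({"host": asset["host"], "cveID": entry["cveID"],
                             "dateAdded": entry["dateAdded"], "dueDate": entry["dueDate"]})
    return hits


def triage(hits: list[dict], now_iso: str, scan_window_hours: float = 10.0) -> list[dict]:
    """Annotate hits with hours since KEV listing, newest first.

    Inside the window the article describes (scanning starts within 15 minutes
    and is in full swing after roughly 10 hours) the host may still be unscanned,
    so the label is PATCH_NOW; beyond it, assume the host has already been probed
    and pair the patch with a compromise check.
    """
    now = datetime.fromisoformat(now_iso)
    rows = []
    for h in hits:
        hours = (now - datetime.fromisoformat(h["dateAdded"])).total_seconds() / 3600
        rows.append({**h,
                     "hours_since_listed": round(hours, 1),
                     "priority": "PATCH_NOW" if hours < scan_window_hours else "ASSUME_PROBED",
                     "past_cisa_due_date": now > datetime.fromisoformat(h["dueDate"])})
    rows.sort(key=lambda r: r["hours_since_listed"])
    return rows


if __name__ == "__main__":
    kev = load_kev(KEV_SNAPSHOT)
    # IDs already handled in an earlier poll (constructed state).
    fresh = new_listings(kev, seen_ids={"CVE-2021-44228", "CVE-2021-34473"})
    for row in triage(match_inventory(fresh, INVENTORY), "2022-05-10T06:00:00"):
        print(row)
```

In production the snapshot would be replaced by a scheduled download of the feed and the seen-ID set persisted between runs; the matching is deliberately loose on product names because inventory systems rarely spell them the way the catalog does, so review the hits rather than acting on them blindly.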
The study also shows that phishing remains the most common initial access vector, at 37 percent, but software vulnerabilities are also a serious risk and gave attackers their first foothold in 31 percent of cases. Brute-force attacks such as password spraying, previously compromised credentials, insider threats, social engineering and the abuse of trusted relationships or tools each accounted for a smaller share of cases.
Unpatched Exchange servers as a backdoor
More than 87 percent of the vulnerabilities that attackers exploited to gain access to the compromised systems fell into one of six categories. Among the intrusions that began with an exploited vulnerability, the Exchange Server ProxyShell bugs were responsible in 55 percent of the cases Palo Alto Networks was called in to handle. The vulnerability was so widespread that several groups, such as the Hive ransomware group, specialized in it, even though Microsoft had released patches in early 2021 that fixed the ProxyShell and ProxyLogon bugs. Log4Shell accounted for 14 percent of the cases examined by Palo Alto, followed by the SonicWall flaws at 13 percent; ProxyLogon, ManageEngine and Fortinet vulnerabilities followed with smaller shares, and other vulnerabilities made up the remainder.
All included: Conti, LockBit, ALPHV/BlackCat, BlackMatter
Looking only at the security incidents that involved ransomware, 22 percent of the cases could be attributed to the Conti group, followed by LockBit 2.0 with 14 percent. Other ransomware actors such as Hive, Dharma, PYSA, Phobos, ALPHV/BlackCat, REvil and BlackMatter each accounted for less than 10 percent of the attacks.
In summary, the security researchers warn that less skilled actors are becoming increasingly active in cybercrime. On the one hand, this can be attributed to the constantly growing number of malware-as-a-service offerings on the dark web. On the other hand, reports of high ransom payments after ransomware attacks also play a significant role. Combined with growing economic pressure from a possible global recession, this means that more and more criminals see their chance for big money. However, as law-enforcement action against such gangs becomes more successful, the authors of the study warn that cases of business email compromise could increase as well.
About 8com
The 8com Cyber Defense Center protects the digital infrastructures of 8com's customers from cyber attacks. It includes security information and event management (SIEM), vulnerability management and professional penetration tests. It also offers the setup and integration of an Information Security Management System (ISMS), including certification according to current standards. Awareness measures, security training and incident response management round off the offering.