Vulnerabilities - Known but not patched


A new study by Ivanti, Cyber Security Works (CSW), Cyware and Securin shows that, contrary to optimistic estimates, ransomware threats did not lose any of their clout in 2022.

The study "2023 Spotlight Report: Ransomware from the perspective of threat and vulnerability management" makes it clear: compared to the previous year, the number of vulnerabilities exploited by ransomware has increased by almost one fifth (19%). Among the 344 new threats that security providers were able to identify in 2022, there are also 56 vulnerabilities that are directly related to ransomware. Threat actors draw from a pool of 180 vulnerabilities proven to be associated with ransomware. And in the last quarter of 2022 alone, they were actively exploiting 21 of those vulnerabilities.

Discovered between 2010 and 2019

Another figure is even more serious: more than three quarters (76%) of the vulnerabilities used for data extortion in 2022 had already been discovered between 2010 and 2019. Of the vulnerabilities newly exploited by ransomware last year, 20 were discovered between 2015 and 2019. Threat actors are therefore actively searching the deep and dark web for older vulnerabilities, assuming that security teams do not treat them as a priority.

Key Findings

  • Kill chains affect more and more IT products: Ransomware groups use kill chains to exploit vulnerabilities affecting 81 products from vendors including Microsoft, Oracle, F5, VMware, Atlassian, Apache and SonicWall. A complete MITRE ATT&CK mapping, i.e. a comprehensive description of the tactics and techniques used, is already available for 57 vulnerabilities associated with ransomware.
  • Scanners have blind spots: Popular scanners like Nessus, Nexpose, and Qualys fail to detect 20 of the vulnerabilities associated with ransomware.
  • More ransomware attacks by APT groups: CSW observed more than 50 Advanced Persistent Threat (APT) groups using ransomware for attacks - a 51% increase from 2020. Four APT groups (DEV-023, DEV-0504, DEV-0832 and DEV-0950) were first associated with ransomware in the fourth quarter of 2022.
  • Vulnerability database has gaps: The KEV catalog (Known Exploited Vulnerabilities) of the US Cybersecurity and Infrastructure Security Agency (CISA) contains 866 vulnerabilities, but 131 of the vulnerabilities associated with ransomware are not yet listed.
  • Open source problem with software products: Open source code reuse replicates vulnerabilities. The Apache Log4j vulnerability CVE-2021-45046 is present in 93 products from 16 vendors, another Apache Log4j vulnerability (CVE-2021-45105) is present in 128 products from 11 vendors. Both are exploited by the AvosLocker ransomware.
  • Software vulnerabilities exist across versions: More than 80 Common Weakness Enumeration (CWE) bugs create vulnerabilities that attackers exploit. That's an increase of 54% compared to 2021. This result underscores the importance of software vendors and application developers evaluating software code before release.
  • CVSS scores mask risks: 57 ransomware-associated vulnerabilities have only a low or medium CVSS score. In companies, however, they can still cause immense damage.

Prioritize and protect in the long term

Ransomware attackers are becoming faster and more sophisticated. With automated platforms that identify vulnerabilities and assess their risk, IT teams are able to prioritize the most important vulnerabilities based on their impact on assets and their criticality. "The report shows that many companies are not putting what they know about the threats into action," said Aaron Sandeen, CEO and co-founder of CSW and Securin. "It is fundamental to an organization's security that IT and security teams patch their software as soon as vulnerabilities are discovered."

Fix most critical vulnerabilities

"Ransomware is a critical issue for any organization, whether private or public sector," said Srinivas Mukkamala, chief product officer at Ivanti. "The burdens on companies, authorities and individuals are increasing rapidly. It is imperative that all companies truly understand their attack surface and equip their organization with layered security. Only in this way can they become resilient to the increasing number of attacks."

"IT and security teams must continuously fix the most critical vulnerabilities in order to significantly reduce their organizations' attack surface and increase their resilience against attackers," says Anuj Goel, co-founder and CEO of Cyware. "Our report shows where there is a need for action, for example with older and open source vulnerabilities."

More at Ivanti.com

 


About Ivanti

The strength of unified IT. Ivanti connects IT with security operations in the company in order to better control and secure the digital workplace. We identify IT assets on PCs, mobile devices, virtualized infrastructures or in the data center - regardless of whether they are hidden on-premise or in the cloud. Ivanti improves the provision of IT services and reduces risks in the company on the basis of specialist knowledge and automated processes. By using modern technologies in the warehouse and across the entire supply chain, Ivanti helps companies improve their ability to deliver - without changing the backend systems.


 
