As evidenced by Palo Alto Networks’ newly released Unit 42 Incident Response Report, Version 2022, hackers have been closely monitoring software vendors’ bulletin boards for the latest CVE vulnerability reports and will begin scanning for vulnerable endpoints in as little as 15 minutes. This means that system administrators are taking far less time to fix disclosed security vulnerabilities than previously predicted.
Speculation on Initial Access Methods for Vulnerability Exploits
As Palo Alto Networks mentioned in a featured blog post, system administrators will have to be on their toes as threat actors race to exploit vulnerabilities before they are patched.
To make matters worse, because vulnerability scanning does not require a high level of skill, lower-level attackers can easily sift through vulnerable endpoints on the Internet and sell valuable findings on the dark web market for profit.
"In CVE-2022-1388, for example, Unit 42 notes that this is a remote command execution vulnerability that severely affects F5 BIG-IP products and is unauthenticated. The vulnerability was disclosed on May 4, 2022, but ten hours after the CVE bulletin was published, they had logged 2552 endpoint scans and exploit attempts."
Second, the report notes that “ProxyShell” was the most touched vulnerability chain in the first half of 2022 (specifically CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), accounting for 55 percent of the total exploit incidents.
Log4Shell followed with 14 percent, various SonicWall CVEs accounted for 7 percent, ProxyLogon for 5 percent, and a remote code execution (RCE) vulnerability in Zoho ManageEngine ADSelfService Plus for 3 percent.
Vulnerability Exploitation Ranking
Statistics show that flaws that are semi-old (as opposed to up-to-date) are most likely to be exploited by attackers. This happens for a number of reasons, including but not limited to the size of the attack surface, the complexity of the exploit, and the practical impact it can have.
With this in mind, Palo Alto Networks recommends that administrators deploy security updates as soon as possible to better prevent systems from becoming victims of vulnerability exploitation in the early stages of zero-day / CVE bulletin releases.
"In addition, Unit 42 reports that the method of exploiting software vulnerabilities for initial cyber disruption accounts for only about 1/3 of cases. Phishing remains the preferred option for many attackers in 37 percent of cases. In another 15 percent of cases, hackers also use compromised credentials, or brute force cracking to break into networks. And social engineering tricks against privileged employees, or bribing rogue insiders, also account for about 10% of all breach attack response incidents."
Given the considerable pressure already on systems/network/security management professionals, the report recommends that organizations keep devices as far away from the Internet as possible.
In addition to limiting access to servers through virtual private networks (or other secure gateways) to reduce risk, non-essential public ports and services must be blocked as much as possible.
Finally, it is better to get into the habit of diligently deploying security updates. Although the rapid deployment of critical updates will result in some time of business interruption, it is better than facing a situation that is difficult to remedy after a full-scale cyber attack.
