This morning, the Qualys Threat Research Unit released its 2023 Threat Landscape Year in Review report.
In 2023, the Qualys Threat Research Unit (TRU) observed a critical trend in the exploitation of high-risk vulnerabilities. Its analysis shows how quickly attackers capitalize on these flaws: the mean time to exploit a vulnerability in 2023 was approximately 44 days (about one-and-a-half months). That average, however, masks the urgency of the situation, because the distribution is heavily skewed; a long tail of slowly exploited flaws pulls the mean up while most exploitation happens within days of disclosure.
In numerous instances, exploitation was almost instantaneous, with some vulnerabilities exploited on the very day they were published. This speed marks a shift in attackers' modus operandi, highlighting their growing efficiency and the ever-shrinking window in which defenders can respond.
According to Qualys, a staggering 25 percent of vulnerabilities were exploited on the day of their publication. This statistic serves as a wake-up call for organizations to adopt a proactive stance toward patch management and threat intelligence. The data further show that 75 percent of vulnerabilities were exploited within 19 days (approximately three weeks) of publication. This timeline offers a crucial window for organizations to prioritize and address the most critical vulnerabilities.
Additional key findings include:
- Fewer than 1 percent of vulnerabilities contributed to the highest risk and were routinely exploited in the wild.
- 97 high-risk vulnerabilities that were likely to be exploited were not part of the CISA Known Exploited Vulnerabilities (KEV) catalog.
- One-third of high-risk vulnerabilities impacted network devices and web applications.
- Exploitation of Remote Services (T1210), Exploit Public-Facing Application (T1190), and Exploitation for Privilege Escalation (T1068) are the top three MITRE ATT&CK techniques observed.
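The two findings above that matter most for triage are the skew hidden behind the 44-day mean and the gap between "high risk" and "listed in KEV". The following added example (not Qualys TRU code, and not its data) shows both on a small constructed sample: it computes mean, median, 75th percentile and day-zero share of time-to-exploit, and cross-checks a high-risk list against a KEV stand-in. The CVE identifiers, dates, risk flags and the `KEV_IDS` set are all invented for illustration; in practice the KEV set would be loaded from the `cveID` field of CISA's published JSON feed.

```python
"""Time-to-exploit statistics and KEV cross-check over a constructed sample.

Added example, not Qualys TRU code or data. Every record below is invented
to show how a ~44-day mean can coexist with a quarter of vulnerabilities
exploited on the day of publication and three quarters within ~19 days.
"""
import math
from datetime import date
from statistics import mean, median
from typing import List, NamedTuple, Optional, Set


class VulnRecord(NamedTuple):
    cve: str                        # hypothetical identifier, not a real CVE
    published: date                 # date the advisory/CVE was published
    first_exploited: Optional[date] # first observed in-the-wild exploitation, if any
    high_risk: bool                 # triager's own risk call (reachable, weaponised, etc.)


# Constructed sample: six items exploited within 19 days (two on day zero)
# plus two long-tail items that drag the mean up to 44 days.
SAMPLE: List[VulnRecord] = [
    VulnRecord("CVE-0000-0001", date(2023, 1, 10), date(2023, 1, 10), True),   # 0 days
    VulnRecord("CVE-0000-0002", date(2023, 2, 3),  date(2023, 2, 3),  True),   # 0 days
    VulnRecord("CVE-0000-0003", date(2023, 3, 1),  date(2023, 3, 3),  True),   # 2 days
    VulnRecord("CVE-0000-0004", date(2023, 4, 12), date(2023, 4, 17), False),  # 5 days
    VulnRecord("CVE-0000-0005", date(2023, 5, 5),  date(2023, 5, 14), True),   # 9 days
    VulnRecord("CVE-0000-0006", date(2023, 6, 1),  date(2023, 6, 20), True),   # 19 days
    VulnRecord("CVE-0000-0007", date(2023, 2, 1),  date(2023, 6, 1),  False),  # 120 days
    VulnRecord("CVE-0000-0008", date(2023, 3, 15), date(2023, 9, 28), True),   # 197 days
    VulnRecord("CVE-0000-0009", date(2023, 8, 8),  None,              True),   # not yet seen exploited
]

# Constructed stand-in for the KEV catalog. In production, load the cveID
# values from CISA's known_exploited_vulnerabilities.json feed instead.
KEV_IDS: Set[str] = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0005", "CVE-0000-0008"}


def days_to_exploit(records: List[VulnRecord]) -> List[int]:
    """Sorted publication-to-first-exploitation delays for records that were exploited."""
    return sorted((r.first_exploited - r.published).days
                  for r in records if r.first_exploited is not None)


def percentile(sorted_vals: List[int], p: float) -> int:
    """Nearest-rank percentile: smallest value with at least p% of the sample at or below it."""
    if not sorted_vals:
        raise ValueError("empty sample")
    k = max(0, math.ceil(p / 100 * len(sorted_vals)) - 1)
    return sorted_vals[k]


def tte_summary(records: List[VulnRecord]) -> dict:
    """Headline time-to-exploit figures; mean alone hides the day-zero cluster."""
    d = days_to_exploit(records)
    return {
        "n_exploited": len(d),
        "mean_days": mean(d),
        "median_days": median(d),
        "p75_days": percentile(d, 75),
        "day_zero_share": sum(1 for x in d if x == 0) / len(d),
    }


def kev_gap(records: List[VulnRecord], kev_ids: Set[str]) -> List[str]:
    """High-risk items a KEV-only patch policy would miss (exploited or not)."""
    return sorted(r.cve for r in records if r.high_risk and r.cve not in kev_ids)


if __name__ == "__main__":
    for key, value in tte_summary(SAMPLE).items():
        print(f"{key:>15}: {value}")
    print("high-risk, not in KEV:", kev_gap(SAMPLE, KEV_IDS))
```

On this sample the mean is 44 days while the median is 7 and a quarter of exploited items sit at day zero, which is why a remediation SLA keyed to the mean is too slow. `kev_gap` returns two already-exploited items plus one not yet exploited, the same shape as the report's "97 high-risk vulnerabilities not in KEV" finding: KEV membership is a floor for prioritisation, not a ceiling.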
According to the report:
"Of the 206 high-risk vulnerabilities we tracked, more than 50 percent of those were either leveraged by threat actors, ransomware, or malware to compromise systems.
- 115 exploited by named threat actors
- 20 exploited by ransomware
- 15 exploited by malware and botnets
"The vulnerabilities identified span an extensive set of systems and applications, including, but not limited to, PaperCut NG, MOVEit Transfer, various Windows operating systems, Google Chrome, Atlassian Confluence, and Apache ActiveMQ. This breadth showcases that no application is beyond the reach of attackers, who are determined to exploit any vulnerability to compromise systems.
Notably, many of these vulnerabilities, such as those found in MOVEit Transfer, Windows SmartScreen, and Google Chrome, are exploitable remotely, obviating the need for physical access to the targeted system."
More from the report on the most active malware of 2023:
"In 2023, LockBit and Clop have been prominent in the ransomware arena. LockBit, using its advanced ransomware-as-a-service model, has targeted a range of organizations, including the IT and finance sectors. Notably, LockBit exploited vulnerabilities such as CVE-2023-27350 in PaperCut NG and CVE-2023-0699 in Google Chrome, allowing remote attackers to bypass authentication and exploit heap corruption.
"Clop, known for exploiting vulnerabilities, has conducted extensive attacks on large enterprises, notably in the finance, IT, and healthcare sectors. Clop's activities included exploiting CVE-2023-27350, CVE-2023-34362, CVE-2023-0669, and CVE-2023-35036. These vulnerabilities ranged from SQL injection in MOVEit Transfer, allowing database access, to a pre-authentication command injection in GoAnywhere MFT and bypassing authentication in PaperCut NG."
John Gallagher, Vice President of Viakoo Labs at Viakoo, added this commentary about the report:
"This is a critically important report; Qualys's Threat Research Unit has valuable and unique insight as to what the key threats are today, and how organizations are responding (or not) to them. Organizations need to keep in mind that the findings from Qualys are mainly focused on IT environments where agents can be deployed or where Qualys is integrated with an IoT security solution. IoT environments are likely to be worse in terms of mean time to exploitation and time to remediation.
The imperative from this report is for organizations to assess their strategies for threat mitigation and threat remediation. Threats are growing in volume and velocity, making automation critical in order for organizations to reduce their mean time to exploitation.
A 'defense in depth' or layered security approach is needed to address the 25% of vulnerabilities that are exploited on the day of their publication; most organizations lack automation to apply patches that fast, especially in IoT environments where patching may be more complex than for IT systems.
As always, best practices need to be followed in order to stop lateral movement and RCE across the organization. Ensure you have effective network segmentation that takes into account all devices and applications, have methods to automate patching and password rotations across fleets of devices, and look to extend zero trust to all network-connected systems."