Contents
Introduction
The exploitation of software and hardware vulnerabilities, as well as web applications, has been one of the three most popular methods of attacks on organizations for the past five years. According to our data, in 2023, the share of successful attacks involving vulnerability exploitation was 32%, which is 14 p.p. higher than in 2019.
The number of vulnerabilities is also steadily increasing, while the time it takes attackers to develop exploits for discovered vulnerabilities is decreasing. According to Mandiant analysts, the average time to exploit a vulnerability after its disclosure has decreased from 63 days in 2018-2019 to 32 days in 2021-2022.
The frequent use of attack vectors involving vulnerability exploitation, the constant growth in the number of discovered vulnerabilities, and the reduction in time to exploit should spur information security teams within organizations to work harder to detect, manage, and promptly eliminate vulnerabilities.
About the report
In this study, we share our statistics on vulnerabilities identified by PT SWARM (PT Security Weakness Advanced Research and Modeling) experts. It's worth noting that the nature of the research determines the type of vulnerabilities they identify: the experts focus on complex, critical vulnerabilities that could be used by malicious actors in real attacks on infrastructure and impact the victim's business processes.
In addition, this report also presents the results of analyzing dark web posts about vulnerabilities: we study the posts to estimate the time that elapses between a vulnerability being reported and proof of concept (PoC) exploits appearing and starting to be discussed on forums. We have also highlighted the most discussed vulnerabilitiesAt the time of the study..
The report addresses the main issues of working with vulnerabilities and provides recommendations for resolving them and minimizing negative consequences. Vulnerability severity was evaluated based on the Common Vulnerability Scoring System (CVSS v3.1), with each vulnerability assigned a rating of Low, Medium, High, or Critical.
Statistics on vulnerabilities discovered by PT SWARM experts
PT SWARM researchers manage to find vulnerabilities in various products ([1], [2]) and successfully interact with vendors regarding the remediation of these vulnerabilities. From 2022 to 2023, the security analysis experts identified 285 vulnerabilities (70% of which were of High and Critical severity levels) in the software and hardware of 84 vendors.
Distribution of detected vulnerabilities by OWASP Top 10 2021 categories
The experts focus on identifying the most impactful and dangerous vulnerabilities in software or hardware systems, which can be exploited by malicious actors in real attacks on target systems and significantly affect them.
Injection
Vulnerabilities related to code injection into user requests has become the most popular category (42%). These vulnerabilities allow malicious code to be injected into user requests to servers and executed. As a result, malicious actors can steal confidential data, attack users, and even take control of the server.
The majority of code injection vulnerabilities (42%) were the ones allowing cross-site Scripting (XSS). The most common types of cross-site scripting were storedStored XSS is an attack in which the malicious actor stores harmful code on the application's server. Each time a user accesses the infected page, the script is executed in the browser. and reflectedReflected XSS is an attack where the malicious actor must persuade the user to click a specially crafted link for the attack to succeed. XSS.
The share of vulnerabilities allowing remote code execution (RCE) was 21%. These vulnerabilities pose a serious threat: their exploitation can lead to full remote control over the system, deployment of malware, and even attacks on other systems.
Rounding out the top three is SQL injection (18%): vulnerabilities related to this type of attack allow malicious code to be inserted into database queries through input forms, which can lead to deletion, modification, or leakage of data, as well as execution of various actions on the database server.
Of all the vulnerabilities in this class, 26% are related to path traversal attacks, which allow attackers to manipulate URL parameters to access local files and directories not intended for access by the application's logic.
The share of vulnerabilities whose exploitation leads to disclosure of confidential data without appropriate rights is 14%; the obtained data can be used by attackers to conduct further attacks on the system or users.
In 13% of cases, access control failures were due to the presence of a vulnerability that enables a cross-site request forgery (CSRF) attack, where the application does not verify the legitimacy of a HTTP request sender. Using this vulnerability and a specially crafted script, an attacker can perform actions on behalf of an authorized user.
Identification and Authentication Failures
Identification and authentication failures rank third among the current threat categories from the OWASP Top 10 2021, constituting 10% of all identified vulnerabilities in 2022–2023. Weaknesses in identity verification, authentication, and session management mechanisms allow attackers to obtain identifiers in URL addresses, perform brute-force and credential stuffing attacks, intercept user sessions, and even gain full control over the system.
The researchers observed the use of hardcoded credentials in products from various vendors (34%). It's a serious vulnerability, easy to exploit and difficult to fix. Eliminating such weaknesses may require significant effort from the vendor and prompt delivery of updates to users. Lack of authentication for critical functions was noted in 31% of cases; this vulnerability allows attackers unauthorized access to critical system functionalities without appropriate legitimacy checks.
Vulnerabilities not included in the OWASP Top 10
Among vulnerabilities not included in the OWASP Top 10 2021, PT SWARM experts frequently identified improper restriction of write operations beyond the bounds of a memory buffer (58%), which can lead to arbitrary code injection and execution or denial of service (DoS). Uncontrolled resource consumption vulnerabilities (28%) can be exploited by attackers to overload and disable the target system.
Vulnerabilities on the dark web
During the study, we analyzed 217 Telegram channels and dark web forums, with a total of 12,270,258 users and 51,143,292 messages. We focused on messages for the years 2022 and 2023 containing references to various vulnerabilities (by their identifiers) in Russian, English and Chinese.
One significant result of the study is that we were able to calculate the time it takes for a vulnerability to be published on the dark web after its discovery. We paid special attention to criticalA critical vulnerability is a vulnerability in software or hardware that, when exploited, has a significant impact on the system and can lead to serious consequences, such as allowing an attacker to gain unauthorized access to the system, steal or modify confidential data, or disrupt or disable the system. vulnerabilities. Non-criticalA non-critical vulnerability is a vulnerability in software or hardware that, when exploited, has limited or minor impact and poses a relatively low level of potential harm. vulnerabilities also have the potential to cause damage, just like critical ones, so we considered both types. We believe these results will help businesses and vendors understand how quickly they need to respond to the detection of vulnerabilities and take measures to protect their systems from attacks.
After the publication of information about the discovered vulnerability, an experimental PoC exploit becomes available on average within six days for critically dangerous vulnerabilities and within a week for non-critical ones. After another five days or six days respectively, discussions begin on specialized dark web platforms: the longer the discussion, the higher the likelihood of developing exploits intended for use in real attacks to compromise target systems and spread malware. In the overwhelming majority of messages on the dark web (92%), attackers discuss public versions of PoC exploits, and in 8% of messages, there is a discussion about buying or selling exploits for real attacks.
Vulnerabilities with Critical or High severity are of greatest interest to attackers. As for attack vectors, vulnerabilities with networkNetwork vectors include vulnerabilities in network protocols, open ports, weak passwords, or a lack of security measures that allow attackers to penetrate the system via the Internet. attack vectors provoke more active discussion among malicious actors on the dark web: the share of messages mentioning them was 70%, while the share of messages about vulnerabilities used in localLocal vectors include vulnerabilities in the system itself, weaknesses in software, and a lack of system updates, which allow attackers to gain access to the system physically or using local resources. attack vectors was 30%.
Table 1. Most mentioned vulnerabilities on the dark web
|
No. |
Vulnerability identifier |
Severity level |
Vulnerable product |
Vulnerability type |
Number of mentions in messages |
|
1 |
CVE-2023-38831 |
High |
WinRAR |
Arbitrary code execution |
27 |
|
2 |
CVE-2022-40684 |
Critical |
FortiGate firewall, FortiProxy web proxy, FortiSwitch Manager |
Authentication Bypass |
24 |
|
3 |
CVE-2022-22965 |
Critical |
Spring Framework |
Arbitrary code execution |
21 |
|
4 |
CVE-2022-0847 |
High |
Linux |
Privilege escalation |
19 |
|
5 |
CVE-2022-30190 |
High |
Microsoft Windows Support Diagnostic Tool |
Arbitrary code execution |
19 |
|
6 |
CVE-2022-21661 |
High |
CMS WordPress |
SQL Injection |
17 |
|
7 |
CVE-2022-22954 |
Critical |
VMware Workspace ONE Access |
Arbitrary code execution |
17 |
|
8 |
CVE-2022-41040 |
High |
Microsoft Exchange |
Unintentional code execution or system security breach |
17 |
The consequences of delays in remediating vulnerabilities
Failure to promptly resolve vulnerabilities can have serious consequences for organizations. Below are examples of trending vulnerabilities from 2022–2023 and the consequences of their exploitation.
Table 2. Vulnerability exploitation consequences
|
Vulnerability identifier |
Severity level |
Vulnerable product |
Vulnerability type |
Consequences |
|
CVE-2023-34362 |
Critical |
Progress MOVEit Transfer |
SQL Injection |
The exploitation of this vulnerability compromised the confidential data of more than 2,700 organizations worldwide. There have been instances where lawsuits were filed against organizations that leaked data due to not addressing this vulnerability |
|
CVE-2022-30190 (Follina) |
High |
Microsoft Windows Support Diagnostic Tool |
Arbitrary code execution |
Ransomware groups have taken advantage of this vulnerability, leading to mass ransomware attacks. APT groups have also used this vulnerability in cyberespionage campaigns |
|
CVE-2022-27228 |
Critical |
Bitrix24 |
Arbitrary code execution |
In May 2023, a massive defacement of websites in the .ru and .рф domain zones occurred due to the CVE-2022-27228 vulnerability |
|
CVE-2021-21974 |
High |
VMware ESXi |
Remote code execution |
This unpatched vulnerability allowed ransomware groups to gain remote access to ESXi servers and deploy ransomware to lock data and demand a ransom |
|
CVE-2023-4966 |
Critical |
Citrix NetScaler ADC and NetScaler Gateway |
Confidential data disclosure |
Telecommunications company Xfinity announced that due to the exploitation of the CVE-2023-4966 vulnerability, data on 36 million customer accounts was stolen (including password hashes, secret questions and answers) |
Vulnerability management problems
In 2023, Positive Technologies analysts conducted a study on vulnerability management activities in organizations, identifying the main problems in dealing with vulnerabilities.
Incomplete asset categorization
Uncertainty in asset categorization increases the likelihood of missing critical systems that are vulnerable to attacks. To minimize risks, we recommend starting the vulnerability management process by assessing and categorizing assets in order to identify the most significant ones and prioritize their protection.
We suggest you start evaluating the assets by defining the events which are non-tolerable to the business. This will help to identify high-importance assets, such as target and key systems:
Target system is an information system, the operation of which can be disrupted to trigger a non-tolerable eventA non-tolerable event is an event that results from a cyberattack and prevents a company, industry, or government from achieving its operational and strategic goals, or causes prolonged disruption of core operations. for the business.
Key system is an information system which is essential for the success of an attack on the target system or significantly facilitates subsequent stages of an attack.
After conducting the assessment, ensure that all assets are classified. This is crucial to ensure that important information systems and other significant components of the organization's infrastructure are not missed.
Outdated asset information
The report data indicates that as many as 75% of the companies failed to update their asset information on time: nearly a third of all assets had outdated details. This situation poses a danger to organizations, as vulnerabilities in some assets may go unnoticed.
To ensure the security of the organization, vulnerability management must cover the entire IT infrastructure. We recommend conducting regular inventory checks to update asset information. Otherwise, there may be issues with detecting and addressing vulnerabilities in key systems, which could lead to a successful attack by malicious actors.
Errors in vulnerability prioritization
Management of vulnerabilities includes timely detection, analysis, and remediation. Analysis can reveal tens or even hundreds of thousands of different vulnerabilities. Solving such a volume of problems in a short time is a challenging task, so it's important to prioritize.
The research showed that 76% of companies ignored the importance of the asset on which the vulnerability was found. Most organizations did not consider the severity of the vulnerability, its trending status, or the presence of a public exploit. This increases the likelihood of missing the vulnerabilities that are the most threatening to the infrastructure.
We recommend paying attention to the popularity that the vulnerability has among attackers, that is, its trending status. Recently discovered vulnerabilities that have not yet been addressed with a security patch often become popular. That said, vulnerabilities from past years may start trending as well: according to Positive Technologies data, some of them remain relevant and widely exploited by attackers. These should be the first to get a fix, as malicious actors often use them in attack chains, and many have a public exploit.
When prioritizing vulnerabilities, the following factors should be considered:
- Importance of the asset where the vulnerability was detected. It's crucial to assess the potential negative consequences of its exploitation.
- Trending status of the vulnerability and the availability of a public exploit. If the vulnerability is being actively used in real attacks, it should be addressed as soon as possible.
- Asset accessibility and privileges required to exploit the vulnerability. This will help determine who can exploit the vulnerable system and whether an attack by an external attacker is possible.
- Severity level of the vulnerability according to the base CVSS score.
Inadequate remediation deadlines
Unfortunately, attackers don't wait weeks after vulnerabilities are disclosed; instead, they try to exploit them immediately before potential victims have applied security updates. According to a Qualys report, 25% of high-risk vulnerabilities were exploited by attackers on the day they were disclosed. This fact is a wake-up call for organizations and underscores the need to take measures to prevent attacks and analyze threats.
It's important to set the shortest possible deadlines for fixing vulnerabilities found in high-importance assets, especially if these vulnerabilities are trending or of High or Critical severity. For example, the FSTEC recommends remediating the worst vulnerabilities within 24 hours.
We also recommend paying increased attention to trending vulnerabilities identified at the network perimeter and fixing those first, as delay could lead to successful attacks on the organization.
Delayed fixes
Failure to adhere to established vulnerability remediation timelines allows attackers to exploit system weaknesses and successfully execute attacks. Our previous research showed that in every third company, the policies for vulnerability remediation were not followed as required by the organization. Around 30% of high-importance systems contained an average of seven overdue trending vulnerabilities.
We recommend allocating resources to fix vulnerabilities in a timely manner, and making this process regular and manageable.
Conclusion
To prevent exploitation of vulnerabilities and triggering of non-tolerable events, it's necessary to take proactive measures to protect individual services and the IT infrastructure as a whole. Based on our research findings, we recommend that organizations conduct regular asset inventory and categorization, considering their importance, risk, and trending vulnerabilities when prioritizing them. It's also important to conduct regular security analysis of systems and applications and monitor dark web activity to identify the most relevant threats. Establishing adequate vulnerability elimination time frames and monitoring the process are also crucial steps.
To implement these recommendations effectively, it's advisable to use vulnerability management (VM) systems. Specialized tools enable timely detection and mitigation of dangerous vulnerabilities both at the network perimeter and within the IT infrastructure—information about current vulnerabilities is delivered to today's VM systems within 12 hours. Monitoring the status of the target and key systems on a regular basis helps to prevent non-tolerable events directly associated with the exploitation of vulnerabilities in important assets.
Utilizing up-to-date systems that provide real-time information about high-risk vulnerabilities enables organizations to effectively comply with regulatory recommendations regarding remediation timelines. It's crucial that vulnerability management tools provide information about the most dangerous vulnerabilities as promptly as possible.
Get in touch
will contact you shortly