The usage of zero days by attackers is a fascinating thing to watch and analyze, but for the most part, adversaries tend to stick to the basics, targeting older, known vulnerabilities in widely deployed products that they know they can exploit with ease. In fact, most of the vulnerabilities that attackers routinely exploited last year were disclosed in 2021 or even many years earlier, a new analysis by United States cybersecurity agencies and their partners shows.
The report, released Thursday by the Cybersecurity Infrastructure and Security Agency (CISA), National Security Agency (NSA), and various foreign partner agencies, again highlights the importance of timely patching and the value of routine maintenance and security basics. The majority of the 12 most commonly exploited flaws in the report are in popular enterprise applications, including Microsoft Exchange, Fortinet SSL VPN, Atlassian Confluence, F5 BIG-IP, and VMware Workspace ONE Access. Finding vulnerable instances of those apps is a trivial task for an attacker with even a modicum of ambition, and in many cases there is proof-of-concept exploit code publicly available for these bugs, especially the older ones.
Many of the vulnerabilities in the list will come as no surprise to defenders: the Log4Shell flaw from 2021, the ProxyShell bugs in Exchange from 2021, and a Fortinet SSL VPN bug from 2018. All of these vulnerabilities were discussed extensively by researchers and the affected vendors and there are plenty of details available for attackers to pore over. All of them also affect widely deployed products, and in the case of Log4Shell, a massive downstream ecosystem of apps that included the vulnerable library.
“Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations),” the report says.
For the most part, development and usage of exploits for zero days is the domain of high-level attack teams such as those inside foreign intelligence agencies and the military. Finding new, exploitable vulnerabilities and then developing reliable exploits for them is a time-consuming and costly endeavor. For most attackers, that process is likely beyond their technical expertise, too expensive, or both. Writing reliable exploits it’s an extremely difficult task, even for professionals, so they tend to focus on the types of vulnerabilities for which exploits are more reliable.
“Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs."
“Just take a look at the CISA KEV database or the CISA/FBI most exploited CVEs list -- most of the issues listed are not memory corruption vulnerabilities. Instead, we commonly see logic issues like command injection, path traversal, and deserialization bugs, all of which typically have extremely high exploit reliability,” Ben Hawkes, the former leader of Google’s Project Zero research team, and owner of Isosceles Security, said in a post on exploit reliability Wednesday.
“I don't think it's a coincidence that the opportunistic attackers who are performing widespread, indiscriminate exploitation typically gravitate toward exploits with high exploit reliability: high-reliability exploits are easy to use exploits.”
And those reliable exploits tend to most useful when applied to widely deployed, easily discoverable apps.
“Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection,” the CISA report says.
For CISOs and enterprise defenders, the need to deploy available patches and upgrade as soon as possible is clear, but it’s not always a simple task. Taking mission-critical apps such as Exchange or a VPN offline for an extended period of time is always challenging and IT teams often have to plan those windows out far in advance. And keeping pace with the monthly patch releases from major vendors such as Microsoft, Adobe, and others can be nearly impossible, let alone staying current on updates from other vendors.
But the continued exploitation of known, older bugs shows how valuable patching can be.