Thanks to the emergence of significant flaws in widely deployed products such as the MOVEit Transfer, Barracuda ESG, Atlassian Confluence, and others, the past year has seen a nearly 200 percent increase in the usage of vulnerability exploits as the initial access vector for data breaches around the world, according to statistical analysis of more than 10,000 breaches.
The significant spike in vulnerability exploitation as an entry point is tied to the use of several zero days and other vulnerabilities by ransomware groups and other cybercrime organizations last year. The MOVEit Transfer flaw (CVE-2023-34362) was a favorite target of several ransomware groups, notably Cl0p, and other actors targeted significant vulnerabilities in Atlassian Confluence, the Barracuda ESG appliances, and Ivanti servers, as well. The Verizon 2024 Data Breach Investigations Report (DBIR), released today, shows that attackers not only target critical flaws in the days right after (or sometimes before) they’re disclosed, but continue to use them in the weeks and months to come.
“This 180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach will be of no surprise to anyone who has been following the MOVEit vulnerability and other zero-day exploits that were leveraged by Ransomware and Extortion-related threat actors,” the report says.
“This was the sort of result we were expecting in the 2023 DBIR when we analyzed the impact of the Log4j vulnerabilities. That anticipated worst case scenario discussed in the last report materialized this year with this lesser known—but widely deployed—product.”
The Verizon DBIR comprises data from Verizon’s own breach investigations as well as data contributed by dozens of partner organizations, including law enforcement agencies, security companies, platform providers, and incident response firms from around the world. This year’s report includes data on more than 10,000 confirmed breaches across a broad range of industries. The DBIR investigators identified 1,567 individual breaches directly connected to exploitation of the MOVEit Transfer flaw in organizations across industries. Though the report does not have data on when each breach occurred, a survival analysis of vulnerabilities in the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency shows that patching of critical, known exploited bugs doesn’t really ramp up in most organizations until more than 30 days after the first disclosure.
“But before organizations start pointing at themselves saying, “It’s me, hi, I’m the problem,” we must remind ourselves that after following a sensible risk-based analysis, enterprise patch management cycles usually stabilize around 30 to 60 days as the viable target, with maybe a 15-day target for critical vulnerability patching. Sadly, this does not seem to keep pace with the growing speed of threat actor scanning and exploitation of vulnerabilities,” the report says.
“This is not enough to shake the risk off. As we pointed out in the 2023 DBIR, the infamous Log4j vulnerability had nearly a third (32%) of its scanning activity happening in the first 30 days of its disclosure. The industry was very efficient in mitigating and patching affected systems so the damage was minimized, but we cannot realistically expect an industrywide response of that magnitude for every single vulnerability that comes along, be it zero-day or not.”
Patch management on an enterprise-level scale is a constant task, not a monthly or even weekly one. Prioritization becomes paramount, and while organizations with mature security programs can rely on vulnerability management and patch management systems, many companies don’t have that luxury and face the daunting task of trying to decide where to allocate their scant resources in order to be the most effective.
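A defender-side way to put the report's patch-window figures to work, as an added example that is not from the DBIR or from CISA: it reads KEV-style records (field names follow the CISA KEV JSON feed; the `patched` field, the `AS_OF` date and every date value are constructed assumptions) and computes the share of entries still unpatched at 15, 30 and 60 days after addition, plus the CVEs that missed a 15-day critical-patch target.

```python
"""Patch-lag survival over KEV-style records (added example, not from the
DBIR or CISA). Field names mimic the CISA KEV JSON feed (cveID,
vendorProject, product, dateAdded); the 'patched' field is hypothetical and
would come from an organisation's own patch tracker."""
import json
from datetime import date

# Constructed sample data: the CVE named in the article plus placeholder IDs.
# All dates are constructed for illustration, not the real KEV entries.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "dateAdded": "2023-06-02", "patched": "2023-06-20"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Placeholder A",
     "dateAdded": "2023-06-10", "patched": "2023-06-14"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Placeholder B",
     "dateAdded": "2023-07-01", "patched": None},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCo", "product": "Placeholder C",
     "dateAdded": "2023-08-25", "patched": None},
]})
AS_OF = date(2023, 9, 1)  # constructed "today" so the example is reproducible


def load_records(text):
    return json.loads(text)["vulnerabilities"]


def lag_days(rec, as_of):
    """Days from KEV addition to patch, or to as_of if still unpatched."""
    added = date.fromisoformat(rec["dateAdded"])
    end = date.fromisoformat(rec["patched"]) if rec.get("patched") else as_of
    return (end - added).days


def unpatched_fraction(records, t, as_of):
    """Survival S(t): share still unpatched t days after KEV addition.
    Records observed for fewer than t days are censored (excluded)."""
    observed = [r for r in records
                if (as_of - date.fromisoformat(r["dateAdded"])).days >= t]
    if not observed:
        return None
    still_open = sum(1 for r in observed if lag_days(r, as_of) > t)
    return still_open / len(observed)


def missed_target(records, as_of, target_days=15):
    """CVEs whose patch lag (so far) exceeds the critical-patch target."""
    return [r["cveID"] for r in records if lag_days(r, as_of) > target_days]


if __name__ == "__main__":
    recs = load_records(SAMPLE_KEV)
    for t in (15, 30, 60):
        print(f"unpatched at day {t}: {unpatched_fraction(recs, t, AS_OF):.0%}")
    print("missed 15-day target:", missed_target(recs, AS_OF))
```

Pointing `load_records` at the real KEV feed and filling `patched` from an asset inventory turns this into a running measure of how far an organisation sits from the 15/30/60-day windows the report describes.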
“We must remind ourselves that these are companies with resources to at least hire a vulnerability management vendor. That tells us that they care about the risk and are taking measures to address it. The overall reality is much worse, and as more ransomware threat actors adopt zero-day and/or recent vulnerabilities, they will definitely fill the blank space in their notification websites with your organization’s name,” the report says.
“If we can’t patch the vulnerabilities faster, it seems like the only logical conclusion is to have fewer of them to patch. We realize this is the stuff of our wildest dreams, but at the very least, organizations should be holding their software vendors accountable for the security outcomes of their product, even if there is no regulatory pressure on those vendors to do better.”
Ransomware actors typically will use whatever tactic is most convenient at the time in order to gain access to an environment, and if that happens to be a new bug in a widely deployed application, then so be it.
“As we gaze into our crystal ball, we wouldn’t be surprised if we continue to see zero-day vulnerabilities being widely leveraged by ransomware groups. If their preference for file transfer platforms continues, this should serve as a caution for those vendors to check their code very closely for common vulnerabilities. Likewise, if your organization utilizes these kinds of platforms—or anything exposed to the internet, for that matter—keep a very close eye on the security patches those vendors release and prioritize their application,” the report says.