Unpatched, known vulnerabilities still key driver of cyberattacks
PUGUN SJ/Getty Images
Separate research reports find that vulnerabilities for which patches have already been issued remain hackers’ primary way into an organization.
Hackers are still exploiting known vulnerabilities for which patches have been made available but not installed, according to multiple research reports.
Vulnerabilities associated with Microsoft Exchange Server and some virtual private networks, many of which were first disclosed in 2017, continue to be a popular route for hackers to exploit, a report from exposure management company Tenable found.
Researchers said attackers continue to target these vulnerabilities because user organizations have failed to patch or successfully remediate them, even though the affected companies have released patches that were both highly publicized and widely available. Patches have been released for the most commonly exploited vulnerabilities—Log4Shell, Follina, ProxyShell and an Atlassian Confluence Server and Data Center flaw.
“Long-known vulnerabilities frequently cause more destruction than the shiny new ones,” Bob Huber, Tenable’s chief security officer and head of research, said in a statement. He added that hackers are still finding “success exploiting these overlooked vulnerabilities.”
Open exposures and unpatched Known Exploited Vulnerabilities are still unaddressed in many state government internet-facing systems, especially those in the southern United States, according to a recent report by cybersecurity companies Cyber Security Works (CSW), Ivanti, Cyware and Securin.
Criminals’ reuse of known vulnerabilities is also discussed by researchers at CrowdStrike, who said that patching must be a “priority,” especially as attackers look to exploit those weaknesses with “greater sophistication.” CrowdStrike said there are two ways hackers pursue these exploitations.
“The actors can modify—or even reapply—the same exploit to target other similarly vulnerable products,” the report said. “Alternatively, the discovery process can identify a potential target and encourage actors to focus on these known vulnerable components, as well as circumvent patching by exploring other exploit vectors.”
While those known vulnerabilities continue to be exploited by hackers, CrowdStrike also found a 20% increase in hackers carrying out data theft and extortion campaigns—without using ransomware. Rather than encrypting a victim’s data, the attackers focus on leaking or selling that data.
CrowdStrike said these instances of data extortion—where criminals steal and threaten to publish information as leverage for ransom payments—take advantage of what Adam Meyers, the company’s head of intelligence, described as “multi factor fatigue” and phishing to steal credentials and quickly infiltrate an organization.
“There isn't a lot of technical sophistication there,” Meyers said. “They're living off the land. They're using the tools that are present on all the operating systems.”
Organizations have become wiser to the dangers of ransomware and have moved to mitigate it, including through robust backups and a “playbook” that relies on frustrating hackers through delaying tactics. This “grind them down” strategy is designed to induce a mistake that law enforcement can then take advantage of to stop the attack and find the hackers.
Meyers said hackers now treat data extortion like a real-world “express kidnapping,” where criminals send body parts “piece by piece” to the victim’s family, in the hope of a fast payment. Hackers’ slow leaking of data in an extortion follows a similar pattern, he said.
Ransomware has staying power, though. Tenable’s report acknowledged the rise of extortion-only operations but noted that the number of ransomware attacks as a whole has stayed relatively consistent, even as organizations and governments increasingly refuse to pay those ransoms.
While the “novelty of ransomware attacks has worn off,” they “still remain prominent,” Tenable said. Extortion attacks may seem “less sophisticated,” the company said, but organizations “cannot afford to ignore” them and must strengthen their security practices among employees as well as at the enterprise level with regular software updates and patches.