
Ransomware Crews Aggressively Capitalizing on Old, Open Source Vulnerabilities, Study Finds


In the last quarter of 2022 alone, aggressive ransomware groups exploited 21 of 180 vulnerabilities already known to be associated with digital hijacking, a joint report issued by cybersecurity providers Cyber Security Works (CSW), Ivanti, Cyware and Securin found.

56 Vulnerabilities, 344 Threats Identified

The report, entitled 2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management, identified 56 new vulnerabilities associated with ransomware threats among a total of 344 threats identified in 2022, for a 19% increase year-over-year.

Overall, more than 76% of vulnerabilities currently exploited by ransomware operatives were first found more than three years ago, the study said. Of those 56 vulnerabilities, 20 were first discovered between 2015 and 2019.

Commenting on the survey, Aaron Sandeen, chief executive and co-founder of CSW and Securin, said:

“Our survey findings indicate that knowledge has not translated to power for many organizations. IT and security teams are being tripped up by open-source, old, and low-scoring vulnerabilities associated with ransomware. IT and security teams will want to scrutinize both in-house and vendor software to identify and remediate vulnerabilities before deploying new solutions and patch existing software as soon as vulnerabilities are announced.”

Kill Chains, Scanners, APT Groups and More

Here are the study’s top findings for 2022:

  • Kill chains impact more IT products. A complete MITRE ATT&CK kill chain now exists for 57 vulnerabilities associated with ransomware. Ransomware groups can use these kill chains to exploit vulnerabilities that span 81 unique products.
  • Scanners are not detecting all threats. Popular scanners do not detect 20 vulnerabilities associated with ransomware.
  • More APT groups are launching ransomware attacks. CSW observed more than 50 Advanced Persistent Threat (APT) groups deploying ransomware to launch attacks, a 51% increase from 33 in 2020. Four APT groups (DEV-023, DEV-0504, DEV-0832 and DEV-0950) were newly associated with ransomware in Q4 2022 and mounted crippling attacks.
  • Many vulnerabilities have not yet been added to CISA’s KEV list. While the CISA Known Exploited Vulnerabilities (KEV) catalog contains 866 vulnerabilities, 131 of the vulnerabilities associated with ransomware are yet to be added.
  • Multiple software products are affected by open-source issues. Reusing open-source code in software products replicates vulnerabilities, such as the ones found in Apache Log4j. For example, CVE-2021-45046, an Apache Log4j vulnerability, is present in 93 products from 16 vendors and is exploited by AvosLocker ransomware. Another Apache Log4j vulnerability, CVE-2021-45105, is present in 128 products from 11 vendors and is also exploited by AvosLocker ransomware.
  • Software weaknesses persist across releases. More than 80 Common Weakness Enumeration (CWE) flaws contribute to vulnerabilities that are being exploited by attackers. With a 54% increase from 2021 to 2022, this finding highlights the need for software vendors and application developers to evaluate software code before it is released.
  • Old is still gold for ransomware operators. More than 76% of vulnerabilities still being exploited by ransomware were discovered between 2010 and 2019. In 2022, of the 56 vulnerabilities tied to ransomware, 20 were discovered between 2015 and 2019.
  • Common Vulnerability Scoring System (CVSS) scores may mask risks. The study found 57 ransomware-associated vulnerabilities with low and medium scores that are tied to infamous ransomware families and can wreak havoc on an organization and disrupt business continuity.
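Three of the findings above (the KEV catalog lags ransomware associations, CVSS alone masks risk, and old vulnerabilities are still exploited) translate directly into how a vulnerability-management team should sort scanner output. The following is an added example, not code from the report or its authors: it ranks findings by ransomware association first, KEV membership second and CVSS only as a tie-breaker, and separately lists ransomware-associated CVEs that a KEV-only policy would miss. The KEV fragment is constructed in the shape of CISA's known_exploited_vulnerabilities.json feed (the knownRansomwareCampaignUse field is assumed from the current feed schema); the two Log4j CVE IDs come from the article, their CVSS values are the NVD base scores as of this writing, and the CVE-0000-* entries are placeholders that exist only in this example.

```python
"""Prioritise scanner findings by ransomware association and KEV membership,
rather than by CVSS alone. Added example; all inputs are constructed inline."""
import json
import re

# Constructed fragment in the shape of CISA's KEV feed. Which CVEs appear here
# is illustrative and is not a claim about the live catalog.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-45046", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Widget",
     "dateAdded": "2023-02-01", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: CVE, CVSS base score, year the CVE was published.
# The Log4j IDs are the ones named in the article (NVD base scores); the
# CVE-0000-* IDs are placeholders that exist only in this example.
FINDINGS = [
    {"cve": "CVE-2021-45046", "cvss": 9.0, "year": 2021},
    {"cve": "CVE-2021-45105", "cvss": 5.9, "year": 2021},
    {"cve": "CVE-0000-0001", "cvss": 4.3, "year": 2016},
    {"cve": "CVE-0000-0002", "cvss": 9.8, "year": 2023},
]

# Ransomware associations from the team's own threat-intel source (constructed).
RANSOMWARE_ASSOCIATED = {"CVE-2021-45046", "CVE-2021-45105", "CVE-0000-0001"}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def load_kev(text):
    """Parse KEV-shaped JSON into {cveID: entry}, rejecting malformed IDs."""
    data = json.loads(text)
    kev = {}
    for entry in data["vulnerabilities"]:
        cve = entry["cveID"]
        if not CVE_RE.match(cve):
            raise ValueError(f"malformed CVE id in feed: {cve!r}")
        kev[cve] = entry
    return kev


def prioritize(findings, kev, ransomware_set, as_of_year=2023):
    """Return findings sorted most-urgent first.

    Tier 0: associated with ransomware (own intel or KEV's ransomware flag).
    Tier 1: in KEV but no known ransomware use.
    Tier 2: everything else.
    Within a tier, vulnerabilities three or more years old come first (the
    report's "old is still gold" finding), and CVSS only breaks remaining ties.
    """
    rows = []
    for f in findings:
        cve = f["cve"]
        in_kev = cve in kev
        kev_ransomware = kev.get(cve, {}).get("knownRansomwareCampaignUse") == "Known"
        ransomware = cve in ransomware_set or kev_ransomware
        old = as_of_year - f["year"] >= 3
        tier = 0 if ransomware else (1 if in_kev else 2)
        rows.append({"cve": cve, "tier": tier, "old": old, "in_kev": in_kev,
                     "ransomware": ransomware, "cvss": f["cvss"]})
    rows.sort(key=lambda r: (r["tier"], not r["old"], -r["cvss"]))
    return rows


def kev_gaps(findings, kev, ransomware_set):
    """Ransomware-associated findings absent from KEV: a KEV-only policy misses these."""
    return sorted(f["cve"] for f in findings
                  if f["cve"] in ransomware_set and f["cve"] not in kev)


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for r in prioritize(FINDINGS, kev, RANSOMWARE_ASSOCIATED):
        print(f"tier {r['tier']}  {r['cve']:16} cvss={r['cvss']:<4} "
              f"kev={r['in_kev']!s:5} ransomware={r['ransomware']!s:5} old={r['old']}")
    print("ransomware-associated but not in KEV:", kev_gaps(FINDINGS, kev, RANSOMWARE_ASSOCIATED))
```

With this input the CVSS 4.3 placeholder from 2016 sorts to the top and the CVSS 9.8 placeholder from 2023 sorts to the bottom, which is the inversion the report is warning about: sorting the same list by CVSS alone would have reversed them. Replace the constructed KEV fragment with the live feed and the constructed association set with your own intel to run it against real scanner output.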

Offering advice for cyber pros, Anuj Goel, Cyware co-founder and chief executive, said:

“IT and security teams must continuously remediate key exposures to significantly reduce their organizations’ attack surface and achieve resilience against adversaries. Our report provides compelling insights that teams can use to focus their efforts, beginning with older and open-source vulnerabilities that attackers are continuing to exploit.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.