Palo Alto Networks warns that cybercriminals are moving ever faster, particularly in exploiting newly disclosed zero-day vulnerabilities.
In its 2022 report, based on 600 incident response cases, the company says that attackers typically begin looking for ways to exploit a vulnerability within 15 minutes of its disclosure.
Rapid exploitation of discovered vulnerabilities
The vulnerabilities analyzed include several that dominated 2021: the Microsoft Exchange Server ProxyShell and ProxyLogon flaws, the Apache Log4j vulnerability known as Log4Shell, the SonicWall and Zoho ManageEngine ADSelfService zero-days, and more.
“Each time a new vulnerability is made public, our threat intelligence team oversees a wide-ranging scan of vulnerable systems,” the company said in its 2022 Incident Response Report.
A critical flaw in F5's BIG-IP software likewise prompted attackers to scan the Internet quickly for matching devices: Palo Alto Networks observed 2,500 vulnerability scans within 10 hours of deploying a signature for it. CISA, the US cybersecurity agency, added this vulnerability to its growing Known Exploited Vulnerabilities catalog last May.
Phishing and vulnerability exploitation neck and neck
Phishing remains the most common initial access method, seen in 37% of the incident response cases analyzed, with exploitation of software vulnerabilities close behind at 31%.
Next come brute-force attacks against credentials (such as password spraying), at 9% of cases, followed by the less common categories: use of previously compromised credentials (6%), insider threats (5%), social engineering (5%), and abuse of trusted relationships or tools (4%).
More than 87% of the vulnerabilities identified as the source of initial access fall into one of six categories.
Importance of Exchange security vulnerabilities
The most common initial access vulnerabilities were the Exchange Server ProxyShell flaws, seen in 55% of cases. Microsoft patched ProxyShell and the related ProxyLogon flaws in early 2021, but they have since become a prime target for many cybercriminals, including the Hive ransomware group.
Log4j accounts for only 14% of Palo Alto's cases. It is followed by SonicWall (7%), ProxyLogon (5%), Zoho ManageEngine (4%) and Fortinet (3%) vulnerabilities; other vulnerabilities make up the remaining 13%.
Looking only at ransomware incident responses, the firm found that 22% involved the Conti gang, which was the subject of a leak this year, followed by LockBit 2.0 (14%). Other ransomware gangs each account for less than 10%: Hive, Dharma, PYSA, Phobos, ALPHV/BlackCat, REvil and BlackMatter.
An increase in unskilled cybercriminals is expected
Palo Alto Networks also predicts more attacks by unskilled actors, driven by the attractiveness of lucrative ransomware attacks, the ease of extortion without encryption, and economic pressure worldwide.
Law enforcement success in tracing the cryptocurrency wallets used by cybercriminals, together with the volatility of these virtual currencies, could drive an increase in business email compromise (BEC) scams. These attacks have generated $43 billion for their operators and, although less well known than ransomware, are no less dangerous.