Time from vulnerability disclosures to exploits is shrinking
Palo Alto Networks Unit 42 incident response team warns of patch speedups
Palo Alto Networks' annual Unit 42 incident response report is out, warning of an ever-decreasing gap between vulnerability disclosure and exploitation, and of an increase in cybercrime.
"The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced," the vendor says.
It adds: "Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (CVE-2022-1388), and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts."
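The disclosure-to-first-scan interval and the "triggers within 10 hours" figure quoted above are metrics a SOC can compute from its own IDS alerts. The following is an added example, not code from the Unit 42 report; the alert lines, the publication timestamp and the patch timestamp are all constructed placeholders, not the real CVE-2022-1388 dates.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample alerts, "timestamp,signature,src_ip" (not real telemetry).
SAMPLE_ALERTS = """\
2022-05-05T08:12:41Z,F5 BIG-IP Auth Bypass CVE-2022-1388,198.51.100.7
2022-05-05T08:13:02Z,F5 BIG-IP Auth Bypass CVE-2022-1388,198.51.100.7
2022-05-05T09:40:19Z,F5 BIG-IP Auth Bypass CVE-2022-1388,203.0.113.55
2022-05-05T11:02:00Z,Some Unrelated Signature,192.0.2.9
2022-05-06T01:15:33Z,F5 BIG-IP Auth Bypass CVE-2022-1388,203.0.113.56
"""
# Placeholder timestamps: when the CVE was announced and when our host was patched.
PUBLISHED_AT = datetime(2022, 5, 5, 8, 0, 0, tzinfo=timezone.utc)
PATCHED_AT = datetime(2022, 5, 5, 10, 0, 0, tzinfo=timezone.utc)


def parse_alerts(text):
    """Parse CSV-style alert lines into (utc_datetime, signature, src_ip) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src = line.split(",", 2)
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), sig, src))
    return rows


def exposure_window(alerts, cve_id, published_at, patched_at=None, window_hours=10):
    """Metrics for one CVE: time to first hit, hits in the first N hours after
    disclosure, distinct sources, and how many attempts arrived before the patch."""
    hits = sorted(a for a in alerts if cve_id in a[1])
    if not hits:
        return None
    window_end = published_at + timedelta(hours=window_hours)
    result = {
        "minutes_to_first_hit": (hits[0][0] - published_at).total_seconds() / 60,
        "hits_in_window": sum(1 for a in hits if a[0] <= window_end),
        "unique_sources": len({a[2] for a in hits}),
    }
    if patched_at is not None:
        # Attempts seen before the patch landed are the real exposure window.
        result["hits_before_patch"] = sum(1 for a in hits if a[0] < patched_at)
    return result


if __name__ == "__main__":
    print(exposure_window(parse_alerts(SAMPLE_ALERTS), "CVE-2022-1388",
                          PUBLISHED_AT, PATCHED_AT))
```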
Approximately 36 percent of the 600 incident response cases studied in Unit 42's report were ransomware, while 34 percent of attackers chose business email compromise, where the scammers target legit addresses and then use their access to start redirecting funds and issuing invoices and the like.
As for how attackers get into enterprise systems, most of the intrusions were put down to our old friend phishing, the exploitation of known vulnerabilities, or brute-force credential attacks (primarily targeting Remote Desktop Protocol, according to the report).
It makes for grim reading. In terms of compromise, phishing remained top dog and made up 37 percent of the means of initial access, closely followed by known software vulnerabilities. Worryingly, 20 percent was accounted for by previously compromised credentials, insider threats, social engineering and abuse of trusted tools.
For vulnerabilities, ProxyShell occupied more than half of exploits, although Log4j bugs continue to wreak havoc at 14 percent, despite a concerted effort by the industry to patch the problems.
Looking at ransomware in particular, the report found that vulnerabilities accounted for almost half of the means of initial access, followed by brute-force credential attacks and phishing. Unit 42 reported seeing demands as high as $30 million and clients paying over $8 million.
The highest median demands in the case data were made in the finance sector, according to Unit 42, with $7.96 million being the average, followed by real estate at $5.2 million. In terms of actual payments, the median reduction for finance was 52 percent, while the healthcare sector got an 85 percent reduction. Those miscreants are all heart, right? (No, they are actually criminals.)
Ransomware continues to be a cash cow for criminals. "Our security consultants say that clients most often learn about ransomware attacks the hard way – when they receive a ransom note," said the researchers.
As for where things are going, researchers predict that the time to patch will continue to shrink and the skills necessary to carry out an attack will reduce. The latter, according to researchers, will result in "a rise in, to put it bluntly, threat actors who don't seem to know what they’re doing." How do you deal with a gang unable to even work a messaging platform?
Still, even novices can do serious damage, and a further prediction is that challenging economic times might result in more people having a go at cybercrime. Finally, there remains the issue of cryptocurrency (and changes in its stability) being a factor along with the possibility of a rise in politically motivated incidents.
As for what businesses can do, the recommendation is the usual training of users in spotting phishing attacks that have made it past the filters and disabling any direct external RDP access in favour of something funnelled through an enterprise-grade MFA-VPN. MFA should be implemented regardless, and anything exposed to the internet requires patching as quickly as testing permits.
As Unit 42 consulting director Dan O'Day puts it in the report: "Remember to protect yourself against the hackers – not just the auditors."