Exploit trends help reveal the areas that cybercriminals are actively investigating for potential attacks and what they’re currently targeting. New intelligence allows CISOs to prioritize risk mitigation and reduce the active attack surface with an expanded “Red Zone” approach.
Entering the Red Zone
When FortiGuard Labs researchers looked at data from the second half of 2022, they found that less than 1 percent of all observed vulnerabilities in an enterprise-size organization were present on endpoints. Why does this matter? It helps defenders zero in on what is actually under attack: the Red Zone, where they most need to focus.
Mapping CVEs reveals vulnerability “Red Zone” to help CISOs prioritize
Our analysis (PDF) found that most CVEs were not present on endpoints, and that only a small fraction of those that were present were also being exploited. The Red Zone is computed by comparing the open attack surface of endpoints (the CVEs observed open on endpoints) with the active attack surface (the CVEs attackers were observed exploiting). For the second half of 2022 the resulting Red Zone is 8.9%: fewer than one in ten of the CVEs open on endpoints were also under active attack.
One might expect attackers to prioritize CVEs by how widespread they are on endpoints. Instead, we observed many CVEs that are prevalent on endpoints but rare among attacks. Why? Attackers choose their targets based on a variety of factors, but a large pool of exploitable CVEs does not seem to be one of them.
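The calculation described above, as an added example that is not part of the original report or FortiGuard tooling: two feeds are joined, the CVEs observed open on endpoints (with how many hosts carry each) and the CVEs seen in exploit attempts (with detection counts). The Red Zone is the share of the open set that also appears in the exploited set, and the same join yields the patch order and the "prevalent but unattacked" bucket. All identifiers are placeholders (not real CVEs) and all counts are constructed for the example.

```python
"""Red Zone ratio and patch prioritisation from two feeds (constructed data)."""

# Constructed sample: placeholder CVE -> number of endpoints where it was observed open.
OPEN_ON_ENDPOINTS = {
    "CVE-0000-0001": 940,
    "CVE-0000-0002": 610,
    "CVE-0000-0003": 455,
    "CVE-0000-0004": 310,
    "CVE-0000-0005": 220,
    "CVE-0000-0006": 140,
    "CVE-0000-0007": 75,
    "CVE-0000-0008": 60,
    "CVE-0000-0009": 20,
    "CVE-0000-0010": 5,
}

# Constructed sample: placeholder CVE -> exploit attempts seen by network/IPS sensors.
EXPLOIT_ATTEMPTS = {
    "CVE-0000-0006": 18_000,  # rare on endpoints, heavily attacked
    "CVE-0000-0010": 4_200,
    "CVE-0000-0003": 900,
    "CVE-0000-0011": 25_000,  # attacked in the wild but not open on any endpoint
    "CVE-0000-0012": 1_100,
}


def red_zone(open_cves, exploited_cves):
    """Red Zone ratio: the share of the open endpoint attack surface that
    attackers are also actively exploiting. Returns 0.0 when nothing is open."""
    open_set = set(open_cves)
    if not open_set:
        return 0.0
    return len(open_set & set(exploited_cves)) / len(open_set)


def prioritize(open_cves, exploited_cves):
    """Open CVEs in patch order: Red Zone CVEs first, ranked by exploit volume
    (ties broken by prevalence), then the remaining open CVEs by prevalence.
    CVEs exploited in the wild but not open on any endpoint are not included."""
    in_red_zone = [c for c in open_cves if c in exploited_cves]
    in_red_zone.sort(key=lambda c: (-exploited_cves[c], -open_cves[c]))
    rest = [c for c in open_cves if c not in exploited_cves]
    rest.sort(key=lambda c: -open_cves[c])
    return in_red_zone + rest


def prevalent_but_unattacked(open_cves, exploited_cves, min_endpoints):
    """CVEs open on at least min_endpoints hosts with no observed exploitation:
    the 'prevalent on endpoints but rare among attacks' bucket, most prevalent first."""
    return sorted(
        (c for c, n in open_cves.items() if n >= min_endpoints and c not in exploited_cves),
        key=lambda c: -open_cves[c],
    )


if __name__ == "__main__":
    print(f"Red Zone: {red_zone(OPEN_ON_ENDPOINTS, EXPLOIT_ATTEMPTS):.1%}")
    for cve in prioritize(OPEN_ON_ENDPOINTS, EXPLOIT_ATTEMPTS):
        tag = "RED ZONE" if cve in EXPLOIT_ATTEMPTS else "open only"
        print(f"{cve}  {tag:9}  endpoints={OPEN_ON_ENDPOINTS[cve]:4}  "
              f"attempts={EXPLOIT_ATTEMPTS.get(cve, 0)}")
    print("prevalent, not attacked:", prevalent_but_unattacked(OPEN_ON_ENDPOINTS, EXPLOIT_ATTEMPTS, 200))
```

With the constructed feeds the Red Zone is 30% (3 of 10 open CVEs are being exploited), and the most prevalent CVE on endpoints lands fourth in the patch order because nobody is attacking it. In a real deployment the two dictionaries would be fed from the vulnerability scanner and from IPS or sensor telemetry for the same period.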
Examining prevalent vulnerabilities
When examining the most prevalent vulnerabilities, we saw that Log4j continued to reign supreme. Log4j-based attacks overwhelmingly targeted the technology sector, irrespective of region, mainly because Apache Log4j is such a widely used open-source logging library. Many businesses may not even know that their existing systems are built on top of a Log4j component, because it is so often bundled deep inside other applications and third-party dependencies.
It turns up in unexpected places, such as Ghidra, the open-source reverse-engineering framework, which ships with Log4j bundled. Given how widely it is embedded, Log4j is not going to drop out of the rankings any time soon.
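Finding those buried Log4j copies is an inventory problem, so here is an added example of a scanner (not FortiGuard's or Apache's code) that walks a directory tree, opens every jar/war/ear, recurses into archives nested inside them, and reports where `log4j-core` is bundled, which version its Maven `pom.properties` declares, and whether the `JndiLookup` class (the class whose removal was one of the official Log4Shell mitigations) is present. The sample archives are constructed in a temporary directory by `build_sample_tree`; in real use you would point `find_log4j` at the application directories.

```python
"""Scan a directory tree for bundled log4j-core, including jars nested inside wars/ears.
Added example; the archives it scans below are constructed, not real software."""
import io
import os
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _scan_zip(zf, path, findings):
    """Record log4j-core markers in one open archive, then recurse into nested archives."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names or POM_PROPS in names:
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append((path, version, JNDI_LOOKUP in names))
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, f"{path}!/{name}", findings)
            except zipfile.BadZipFile:
                continue  # entry named like an archive but is not one; skip it


def find_log4j(root):
    """Return [(archive_path, version, has_jndi_lookup)] for every log4j-core under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        _scan_zip(zf, full, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree():
    """Constructed test data: a plain app jar (no log4j), a fat jar bundling log4j-core
    2.14.1 with JndiLookup still present, and a war nesting a log4j-core 2.17.1 jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make(path, entries):
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; contents are irrelevant here
    make(os.path.join(root, "app.jar"), {"com/example/App.class": fake_class})
    make(os.path.join(root, "fat-app.jar"), {
        "com/example/App.class": fake_class,
        JNDI_LOOKUP: fake_class,
        POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    })
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, b"version=2.17.1\n")
        zf.writestr("org/apache/logging/log4j/core/Core.class", fake_class)
    make(os.path.join(root, "webapp.war"),
         {"WEB-INF/lib/log4j-core-2.17.1.jar": inner.getvalue()})
    return root


if __name__ == "__main__":
    for path, version, jndi in sorted(find_log4j(build_sample_tree())):
        print(f"{path}\n    log4j-core {version}  JndiLookup present: {jndi}")
```

The version string is only a first cut: compare it against the Apache Log4j security advisories, and treat a present `JndiLookup.class` on an old version as the urgent case. Shaded or renamed copies will not match the Maven path, which is why the class path is checked as well.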
These old-timers like Log4j were joined by some newcomers, including those we have designated the “rookies of the half”: vulnerabilities that were only recently disclosed but were already seen at high frequency across organizations during the six-month period. The latest recipient of this designation is the VMware Workspace ONE Access Catalog vulnerability, a server-side injection flaw that came to light in July 2022 and allows remote code execution. The nodes seen exploiting this flaw appear comparable to those of generic botnets.
Three of the top six “rookies of the half” were connected to Spring, the open-source Java framework. If the name sounds familiar, it is because two zero-day vulnerabilities in the Spring framework were disclosed in 2022. Although these are not yet widespread, they are worth keeping in mind as we move through 2023.
Prioritizing patching
By providing information on the active attack surface, these insights give CISOs a clear view of the Red Zone and where to focus patching efforts. Most software vendors release patches soon after vulnerabilities are found, but a patch is useless until it is applied. Many of the most damaging malware attacks of the last decade exploited flaws for which fixes were already available. CISOs and IT executives need to prioritize effective patch management, upgrade regularly, and replace software that can no longer be patched.
The first step in defending against zero-day vulnerabilities is determining what needs to be secured. There will always be a mix of network- and endpoint-based detection and protection measures. To provide complete visibility, both kinds of measures should incorporate the most recent security updates and threat intelligence from a global threat research team.
Intelligence is power
The threat landscape and organizations’ attack surfaces are continually changing, and the ability of bad actors to develop and adapt their tactics to this environment continues to pose a serious risk to enterprises of all sizes, regardless of sector or location.
In the second half of 2022, criminals continued to exploit both known and new vulnerabilities, but not necessarily on endpoints. Information like this helps organizations decide how to prioritize their security teams’ time and plug the leakiest holes first. Incorporating Red Zone threat intelligence into your security strategy will help you stay on top of the latest threats and better protect your organization.