Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organizations can afford to lessen their focus on vulnerability patching one bit.
A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts combined. And data the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.
Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.
Exchange Server Flaws Fuel the Exploit Frenzy
Kaspersky attributed the surge in exploit activity last year largely to the multiple critical Exchange Server vulnerabilities that Microsoft disclosed, including a set of four zero-days in March 2021 known as the ProxyLogon flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). When chained together, they allowed attackers to gain complete remote control over on-premises Exchange Servers.
Attackers — which included organized criminal gangs and state-sponsored groups from China — quickly exploited tens of thousands of vulnerable Exchange Server systems and dropped Web shells on them before Microsoft could issue a patch for the flaws. The vulnerabilities evoked considerable concern because of their ubiquity and severity. They even prompted the US Department of Justice to authorize the FBI to take the unprecedented step of proactively removing ProxyLogon Web shells from servers belonging to hundreds of organizations — in most cases, without any notification.
Also driving the exploit activity in 2021 was another trio of Exchange Server vulnerabilities collectively labeled ProxyShell (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523) that attackers used extensively to drop ransomware and in business email compromise (BEC) attacks.
More than a year later, the ProxyLogon and ProxyShell vulnerabilities continue to be targets of heavy exploit activity, says Konstantin Sapronov, head of Kaspersky's Global Emergency Response Team. One of the most severe of these flaws (CVE-2021-26855) has also been the most targeted. Kaspersky observed the vulnerability — part of the ProxyLogon set — being exploited in 22.7% of all incidents involving vulnerability exploits that it responded to in 2021, and the flaw continues to be a favorite among attackers this year as well, according to Sapronov.
Same Exploitation Trend Likely Playing Out in 2022
Even though several serious vulnerabilities have surfaced this year — including the ubiquitous Apache Log4j vulnerability (CVE-2021-44228) — the most exploited vulnerabilities of 2021 remain very prevalent in 2022 as well, Sapronov says, even beyond the Exchange server bugs. For instance, Kaspersky identified a flaw in Microsoft's MSHTML browser engine (CVE-2021-40444, patched last September) as the most heavily attacked vulnerability in the second quarter of 2022.
"Vulnerabilities in popular software such as MS Exchange Server and library Log4j have resulted in a huge number of attacks," Sapronov notes. "Our advice to enterprise customers is to pay close attention to patch management issues."
Time to Prioritize Patching
Others have noted a similar spike in vulnerability exploit activity. In April, researchers from Palo Alto Networks' Unit 42 threat research team noted that 31%, or nearly one in three, of the incidents they had analyzed up to that point in 2022 involved vulnerability exploits. In more than half (55%) of those, threat actors had targeted ProxyShell.
Palo Alto researchers also found threat actors typically scanning for systems with a just-disclosed flaw literally minutes after the CVE is announced. In one instance, they observed an authentication bypass flaw in an F5 network appliance (CVE-2022-1388) being targeted 2,552 times in the first 10 hours after vulnerability disclosure.
Post-Exploitation Activity Is Tough to Spot
Kaspersky's analysis of its incident-response data showed that in nearly 63% of cases, attackers managed to stay unnoticed in a network for more than a month after gaining initial entry. In many cases, this was because the attackers used legitimate tools and frameworks such as PowerShell, Mimikatz, and PsExec to collect data, escalate privileges, and execute commands.
When someone did quickly notice a breach, it was typically because the attackers had created obvious damage, such as during a ransomware attack. "It's easy to detect a ransomware attack when your data is encrypted, as services are unavailable, and you have a ransom note on your monitor," Sapronov says.
But when the target is a company’s data, attackers need more time to roam around the victim’s network to collect necessary information. In such cases, attackers act more stealthily and cautiously, which makes these kinds of attacks harder to detect. "To detect such cases, we suggest employing a security tool stack with extended detection and response (EDR)-like telemetry and implement rules for detection of pervasive tools used by adversaries," he says.
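The telemetry-driven rules Sapronov describes can be sketched as a small rule engine over process-creation events. The following is an added example written for this article, not Kaspersky's or any vendor's detection content: the events are constructed to resemble Sysmon/Windows process-creation fields, the host names and the `ADMIN_JUMP_HOSTS` allowlist are assumptions, and the three rules cover the tools named above (hidden, encoded PowerShell; PsExec's service-side component; Mimikatz module syntax on the command line). The allowlist illustrates the caveat that these are legitimate administration tools, so rules must be suppressed where such use is expected rather than alerting on every occurrence.

```python
"""Toy detection rules for pervasive post-exploitation tooling, applied to
constructed process-creation events. Added example; not Kaspersky's or any
vendor's detection logic."""
import re

# Constructed sample events, loosely shaped like Sysmon Event ID 1 fields.
# Hosts, users and paths are invented for the example.
SAMPLE_EVENTS = [
    {"host": "ws-17", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA==",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "srv-db-02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws-17", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
     "cmdline": '"m.exe" "privilege::debug" "sekurlsa::logonpasswords" exit',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "jump-01", "user": "CORP\\it-admin",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\srv-file-01 -s cmd /c gpupdate /force",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-22", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
     "parent": r"C:\Windows\explorer.exe"},
]

# Assumed allowlist: hosts where interactive admin tooling such as PsExec is
# expected. Tune per environment; this is the "legitimate tools" caveat.
ADMIN_JUMP_HOSTS = {"jump-01"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_encoded_hidden_powershell(ev: dict) -> bool:
    """PowerShell launched with a hidden window AND an encoded command."""
    cmd = ev["cmdline"].lower()
    if "powershell" not in _basename(ev["image"]):
        return False
    encoded = re.search(r"\s-(enc|encodedcommand|e)\b", cmd)
    hidden = re.search(r"\s-w(indowstyle)?\s+hidden\b", cmd)
    return bool(encoded and hidden)


def rule_psexec_service(ev: dict) -> bool:
    """PsExec service binary on the target, or PsExec launched at a remote host."""
    name = _basename(ev["image"])
    if name == "psexesvc.exe":
        return True
    return "psexec" in name and "\\\\" in ev["cmdline"]


def rule_mimikatz_cli_syntax(ev: dict) -> bool:
    """Mimikatz module::command syntax on any command line, regardless of image name."""
    cmd = ev["cmdline"].lower()
    return any(marker in cmd for marker in ("sekurlsa::", "lsadump::", "privilege::debug"))


RULES = [
    ("encoded_hidden_powershell", rule_encoded_hidden_powershell),
    ("psexec_service", rule_psexec_service),
    ("mimikatz_cli_syntax", rule_mimikatz_cli_syntax),
]


def detect(events: list) -> list:
    """Run every rule over every event; suppress admin-tool hits on allowlisted hosts."""
    alerts = []
    for ev in events:
        for rule_name, rule in RULES:
            if not rule(ev):
                continue
            if rule_name == "psexec_service" and ev["host"] in ADMIN_JUMP_HOSTS:
                continue  # expected admin activity, not an alert
            alerts.append({"rule": rule_name, "host": ev["host"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['rule']:28s} host={alert['host']} user={alert['user']}")
```

Run stand-alone, the block reports three alerts (the hidden encoded PowerShell and the Mimikatz syntax on ws-17, and the PsExec service binary on srv-db-02) and stays silent on the jump host's PsExec use and on the ordinary inventory script. In practice the rule set would be far larger and fed from EDR telemetry rather than a list literal, but the shape, pure rules plus environment-specific suppression, is what keeps detection of dual-use tools workable.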
Mike Parkin, senior technical engineer at Vulcan Cyber, says the real takeaway for enterprise organizations is that attackers will take any opportunity they can to breach a network.
"With a range of exploitable vulnerabilities, it’s not a surprise to see an uptick," he says. Whether the numbers are higher for vulnerabilities than for socially engineered credential attacks is hard to say, he notes.
"But the bottom line is threat actors will use the exploits that work. If there's a new remote code exploit on some Windows service, they’ll flock to it and breach as many systems as they can before the patches come out or firewall rules get deployed," he says.
The real challenge is the long-tail vulnerabilities: the ones that are older, like ProxyLogon, with vulnerable systems that have been missed or are ignored, Parkin says, adding that patching must be a priority.