Attackers exploiting bugs faster than ever, study warns

Over half of security flaws are exploited within seven days of public disclosure, highlighting that patching immediately is crucial to protect networks.

Security firm Rapid7 observed an 87% increase in first-week exploitation since 2020. In 2022, the median exploitation time was just one day.

The company released a report examining 50 flaws, more than four in 10 of which were exploited as zero-days. Only 14 of the vulnerabilities were exploited to deploy ransomware, a 33% decrease from 2021.

Rapid7 experts believe this might indicate that ransomware gangs rely less on new vulnerabilities. It might also stem from other factors, such as lower reporting of incidents by victims.

“The ransomware ecosystem and the cybercrime economy have continued to mature and evolve,” said Caitlin Condon, Rapid7 vulnerability research manager. “We saw many more ransomware families actively compromising organizations in 2022, which naturally creates challenges for threat tracking and reporting.”

Rapid7 grouped vulnerabilities into three categories: threats, widespread threats, and impending threats. Widespread vulnerabilities, likely to impact many organizations, amount to 56% of the company’s bug dataset.

“Common payloads dropped during mass exploitation included cryptocurrency miners, web shells, and a variety of botnet malware in addition to an ever more diverse set of ransomware payloads,” Rapid7 said.

Among the headline vulnerabilities, Rapid7 mentions Log4Shell, which was widely exploited during the first weeks of 2022.

“In particular, VMware vCenter and Horizon servers saw sustained mass attacks, prompting warnings from CISA and the UK’s National Health Service (NHS), in addition to security company communications about observed exploitation. Rapid7 managed services teams observed exploitation across dozens of customers in January. Attackers also targeted Ubiquiti UniFi controllers and Zyxel devices, both of which offered initial access vectors.”

Ransomware operators picked up another celebrity vulnerability – Follina, a Microsoft zero-day bug discovered in May. Rapid7 observed that the “overwhelming majority of detections were security personnel testing proofs of concept, or the occasional pentester executing a social engineering operation.”

Researchers also pointed to a zero-day remote code execution (RCE) vulnerability in software from the Australian technology company Atlassian. RCEs are particularly dangerous because they let threat actors take full control of a vulnerable system without credentials.

“The Confluence [software] vulnerability offered a classic example of ‘many attackers, many targets,’ as ransomware groups, cryptocurrency mining campaigns, and state-sponsored threat actors leveraged CVE-2022-26134 for nefarious ends,” the Rapid7 report added.