15 minutes: the gap between CVE disclosures and first hacker scans

ProxyShell was the most exploited flaw for initial access in the first half of 2022, according to Palo Alto Networks researchers

Threat actors now begin scanning for newly disclosed vulnerabilities within 15 minutes of a disclosure, so that they can exploit high-profile flaws before organisations have had a chance to patch.

That's according to Palo Alto Networks' annual Unit 42 incident response report, which warns of a closing gap between vulnerability disclosures and attacks and urges businesses to operate a well-defined patch management policy.

According to the report, hackers continuously monitor software vendors' bulletin boards for fresh vulnerability disclosures that they can use to gain initial access to a business network or to run malware remotely.

"The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced," Unit 42 says.

As an example, Unit 42 discusses CVE-2022-1388, a major flaw announced in May this year, which affects F5 BIG-IP products and allows for the unauthenticated remote execution of commands.

"Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (CVE-2022-1388), and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts."

Based on the data gathered by Palo Alto Networks, the ProxyShell exploit chain was the most exploited flaw for initial access in the first half of 2022, with a 55% exploit rate. Log4j (14%) came in second, followed by SonicWall (7%), ProxyLogon (5%), and Zoho ManageEngine ADSelfService Plus (4%).

Phishing (37%), known software vulnerabilities (31%) and brute-force credential attacks (9%) were the top initial access vectors for adversaries.

Other access vectors included previously compromised credentials (6%), insider threat (5%), social engineering (5%), abuse of trusted relationships (4%) and others (3%).

Over the past year, the bulk of the cases that Unit 42 responded to were related to ransomware and business email compromise (BEC), which together accounted for nearly 70% of all incidents.

In the report, Unit 42 found that finance and real estate were the industries that received the highest average ransom demands - nearly $8 million and $5.2 million, respectively.

In half of all incident response cases, Unit 42 investigators found that firms lacked multifactor authentication on crucial internet-facing systems, such as corporate webmail, virtual private network (VPN) solutions, or other remote access solutions.

In 13% of cases, enterprises had no account lockout in place to mitigate brute-force credential attacks.

Poor patch management practices were a factor in the success of threat actors in 28% of cases.

In 44% of cases, enterprises lacked endpoint detection and response (EDR) or extended detection and response (XDR) security solutions, or had deployed them only partially on the systems that were subsequently compromised.

In 75% of situations involving insider threats, a former worker was involved.