Financially motivated cybercriminals always go for low–hanging fruit. That means leveraging existing attack tools rather than developing new ones, using the same attack on as many victims as possible and targeting mass amounts of devices. Research shows that in the last few months, those “fruits” have started to include assets that are generally more difficult to patch: servers.
According to Skybox Security’s inaugural Vulnerability and Threat Trends Report, during 2017, the vast majority of exploits affected server-side applications (76%), up 17 points since 2016. At the same time, the number of known vulnerabilities doubled.
That’s savvy, because for enterprises, dealing with server-side vulnerabilities is always more difficult: the higher-value assets require more consideration than simply if there is a patch available or not.
“As more functions rely on servers than on clients, organizations need to have the means to understand these server–side vulnerabilities in the context of the asset criticality, the surrounding topology and security controls and the exploit activity in the wild,” said Skybox Security CTO Ron Davidson. “Only then can they accurately decide the optimal patching priority and schedule.”
The increase in server-side exploits corresponds with the continued decline in the use of exploit kits relying on client-side vulnerabilities, which accounted for only a quarter of exploits in the wild in 2017. This is due in part to the demise of major exploit kit players like Angler, Neutrino and Nuclear, with no comparable front-runner rising to replace them.
“This does not mean, however, [that] exploit kits are gone,” said Marina Kidron, senior security analyst and group leader of the Skybox Research Lab. “If there’s one thing we know about cybercriminals, it’s that they’re constantly changing tactics, and so the next ‘exploit kit giant’ is very likely in development as we speak. We also suspect that some kits have gone private and are used exclusively by their developers in hopes of prolonging their viability.”
Instances of newly published sample exploit code have also increased, with the monthly average jumping 60% in 2017. With minimal adjustments – or none at all – attackers can turn these samples into fully functioning exploits for their own use. This scenario was the case with the NSA EternalBlue exploit leaked by The Shadow Brokers and used in the WannaCry and NotPetya attacks, among others. Such leaks are putting advanced attack tools in the hands of lower–skilled cyberattackers, enhancing the capabilities of an already well–outfitted threat landscape, the firm noted.
“Organizations need to stay up to speed with not only active exploits in the wild,” said Kidron, “but also factor in vulnerabilities with available exploit code to their prioritization processes. While the latter set doesn’t represent an imminent threat, they can make the jump to active exploitation very quickly – security teams need actionable intelligence at the ready when they do.”
The report also shows that in 2017 there was a 120% increase in new vulnerabilities specific to operational technology (OT), compared to the previous year (OT includes monitoring and control devices common in critical infrastructure organizations such as energy producers, utilities and manufacturers, among others). This spike is particularly concerning as many organizations have poor or nonexistent visibility of the OT network, especially when it comes to vulnerabilities as active scanning is generally prohibited.
“OT is too often in the dark, and that means security management isn’t getting the full picture of cyber-risk in their organization,” said Kidron. “Even when patchable vulnerabilities are identified, OT engineers are understandably hesitant to install the update, as it could disrupt services, cause equipment damage or even risk life and limb. Organizations with OT networks need to have strategies in place not just for OT vulnerability assessment and patching prioritization but also to unify such processes with those in the IT network to truly understand and manage risk.”
Overall, new vulnerabilities cataloged by MITRE’s National Vulnerability Database doubled in 2017. The jump was largely due to organizational improvements at MITRE and increased security research by vendors and third parties, including vendor-sponsored bug bounty programs, Skybox Security found. The result is more than 14,000 newly assigned common vulnerabilities and exposures (CVEs).
“In 2017, if you were still relying on traditional prioritization methods like CVSS scores only, your laundry list just got longer,” said Davidson. “In the year ahead, we may well see an even higher figure. Organizations have got to take a drastically different approach to vulnerability management.”