Ransomware actors increasingly weaponizing old vulnerabilities

Old vulnerabilities are increasingly exploited by ransomware actors, according to a new joint vendor research report published Thursday.

The report, titled "Ransomware Spotlight Report 2023," is a collaboration between security vendors Cyber Security Works (CSW), Cyware, Ivanti and Securin, sharing ransomware research collected over the previous year. CSW, a managed security services firm and Department of Homeland Security-sponsored CVE numbering authority, authored the report, while Ivanti, which specializes in asset visibility, and Securin, which focuses on attack surface management, provided much of the research data.

The report focused primarily on the intersection of vulnerabilities and ransomware, which has become increasingly common. CSW noted that since it began publishing reports on vulnerability exploitation patterns in early 2021, "there has never been a quarter where the number of vulnerabilities associated with ransomware has not increased."

The report identified 56 vulnerabilities last year that have become newly associated with ransomware, bringing the total count to 344, which is a 19% increase from the previous year. The report also found 57 "extremely dangerous" flaws that can be exploited individually in a complete kill chain from initial access to data exfiltration.

The research paid special attention to old flaws, which the report defined as any vulnerability discovered in 2019 or earlier. Of the 56 flaws newly associated with ransomware in 2022, 20 were considered old, and 76% of all ransomware-associated vulnerabilities tracked in the report were discovered between 2010 and 2019.

"Ransomware gangs are persistently going after old vulnerabilities and have been weaponizing them systematically," the report read. "Out of the 264 old vulnerabilities, 208 of them have exploits that are publicly available. Of these, 131 have RCE/PE [remote code execution or privilege escalation] exploits, which make them extremely dangerous. What is more worrying is the fact that 119 of them are actively trending in the deep and dark web as a point of interest for hackers."

One additional danger with old CVEs being given new life through ransomware, CSW noted, is that many CVSS scores don't account for situations where an old, seemingly low-severity vulnerability is exploited years later. One example provided was the 2013 IBM InfoSphere BigInsights flaw CVE-2013-3993, which has a low CVSSv2 score of 3.5 -- and no CVSSv3 score due to its age.

An exploit was published in May 2022, and the flaw is now associated with ransomware gangs Petya and Locky. But because the flaw is considered old and has a low CVSS score, an organization might incorrectly prioritize the flaw.

Ivanti and Securin additionally provided a series of data points about weaknesses in the vulnerability awareness-raising process. The report specifically called attention to CISA's Known Exploited Vulnerabilities (KEV) catalog, claiming that 131 vulnerabilities associated with ransomware -- of the aforementioned 344 -- are yet to be included, and 111 of those are considered old.

Ivanti chief product officer Dr. Srinivas Mukkamala provided two reasons to TechTarget Editorial for why so many flaws are absent from the KEV catalog. The first is that the vulnerabilities are weaponized quickly, and the second is that many don't have remediations -- a requirement for the catalog.

"Not all vulnerabilities that threat actors exploit have a patch immediately available," Mukkamala wrote. "By the time they are known and disclosed, it is a race against time as threat actors add the vulnerability to their arsenal. Threat actors have increasingly sophisticated tools at their disposal that is enabling them to weaponize vulnerabilities within days (and sometimes hours) of vulnerabilities being disclosed."

According to CSW, 20 vulnerabilities newly associated with ransomware have not yet been integrated into popular scanners, including Tenable's Nessus, Rapid7's Nexpose and Qualys. As for why this might be the case, the report noted that 18 of the flaws are old CVEs discovered from 2010 to 2019.

"Legacy systems, unmanaged and unpatched components, and unknown shadow IT assets are favorite entry points for attackers," the report read. "The continuous weaponization of old vulnerabilities reveals that adversaries love anything that would provide them an easy entry. Compound this with the fact that they exist in assets that you know nothing about, and your scanners do not detect them: it is a recipe for a perfect storm."

One more reason for the reliance on old vulnerabilities is their ease of use for less experienced threat actors relying on something like ransomware-as-a-service to conduct attacks. Mukkamala said that tried and true vulnerabilities with years of knowledge are, generally speaking, easier for actors to exploit.

"For threat actors, if they can continuously exploit legacy software successfully, why would they stop?" he said. "The natural follow-up questions is 'Why are organizations not patching or still using exploitable legacy software that is no longer supported by the vendor?' Whether it’s the cost or simply wanting to avoid the business disruption of replacing software and systems, organizations are frequently inclined to stick with what they have if it is working. Yet in so doing, they often lack a complete understanding of the extent to which they are leaving themselves vulnerable and are unaware of the number of bad actors searching for vulnerabilities to exploit."

CSW emphasized that organizations can't get an accurate picture of these threats because of "gaping information holes" within the National Vulnerability Database and Mitre, as well as shortcomings with CISA's KEV and the CVSS.

"One of the many things discovered during our research in the past year is that security teams have been fighting this menace with a blindfold on their eyes in addition to their hands tied behind their backs," CSW wrote. "It is no wonder that adversaries are winning this game."

Alexander Culafi is a writer, journalist and podcaster based in Boston.