Rapid7: Attackers exploiting vulnerabilities 'faster than ever'
Rapid7's 2022 Vulnerability Intelligence Report analyzed how attackers' increasing speed in deploying exploits contributed to a wave of widespread threats in 2022.
Attackers continue to develop and deploy exploits at an alarming pace, emphasizing the need to instill and maintain strong vulnerability management programs, according to new research by Rapid7.
The security vendor on Tuesday published its 2022 Vulnerability Intelligence Report, authored by Caitlin Condon, senior manager of security research; Ron Bowes, lead security researcher; and Erik Galinkin, principal AI researcher. The annual report analyzed 50 vulnerabilities that posed a significant risk to organizations of all sizes last year, including 45 flaws that were exploited in the wild, 44% of which were zero-day vulnerabilities.
While the report, which focused on widespread threats, highlighted good and bad news for enterprises, Rapid7's research made it clear that security teams are facing daunting difficulties when it comes to staying ahead of attackers exploiting vulnerabilities.
One of the top takeaways centered on what Rapid7 tracks as "Time to Known Exploitation" (TTKE) -- the time frame between when a vulnerability is publicly disclosed and when reports of exploitation in the wild start.
While timely patching remains a problem due to lack of resources and a variety of other factors, the TTKE puts a concrete timeline on how urgent a given threat is. Last year, Rapid7 observed an increase in the average TTKE, which grew to 24.5 days from just 12 days in 2021.
However, despite that improvement, the researchers warned that "averages are fickle creatures" and highlighted other alarming metrics. In 2021, for example, Rapid7 researchers found more than half of the vulnerabilities it tracked were exploited within seven days of public disclosure, and 58% within two weeks.
"Attackers are still developing and deploying exploits faster than ever," the authors wrote in the report. "56% of the vulnerabilities in this report were exploited within seven days of public disclosure -- a 12% rise over 2021 and an 87% rise over 2020. If we look at the median value instead of taking the average, median time to exploitation in 2022 was one day across the vulnerabilities we've included in this report."
That small window was demonstrated earlier this month when threat actors attempted to exploit a Fortinet FortiNAC remote code execution flaw, tracked as CVE-2022-39962, five days after it was publicly disclosed.
Calculating the TTKE value can be difficult, the report noted, because vendors have different definitions of "public" or "disclosed." For example, the researchers cited a flaw in Spring Cloud Function, tracked as CVE-2022-22963, whose fix was pushed to a public GitHub repository on March 24, 2022, without any mention of a CVE or security issue.
Akamai reported exploitation in the wild beginning on March 27, two days before a patched version and official CVE were published.
"We chose to use '0' as our TTKE value for CVE-2022-22963, since it's unreasonable to expect the general public (including Spring Cloud customers) to examine individual GitHub commits for potential security implications," the report said.
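As an added illustration that is not part of the report or this article, the following Python computes TTKE as the report describes it, clamps exploitation observed before public disclosure to 0 (the treatment applied to CVE-2022-22963), and shows why the median and the share exploited within seven days tell a different story than the mean. Every entry except the Spring Cloud Function case, whose dates come from the article, is a constructed placeholder.

```python
from datetime import date
from statistics import mean, median


def ttke_days(disclosed: date, first_exploited: date) -> int:
    """Time to Known Exploitation in whole days.

    Exploitation reported before the public advisory (for instance, found by
    diffing a silent fix commit) is clamped to 0 rather than going negative,
    mirroring how the report handled CVE-2022-22963.
    """
    return max(0, (first_exploited - disclosed).days)


# Constructed dataset: (id, public disclosure date, first in-the-wild report).
# Only the first row uses dates from the article; the rest are placeholders.
SAMPLE = [
    ("CVE-2022-22963", date(2022, 3, 29), date(2022, 3, 27)),  # exploited 2 days before advisory -> 0
    ("EXAMPLE-0001", date(2022, 1, 10), date(2022, 1, 10)),    # same-day exploitation
    ("EXAMPLE-0002", date(2022, 2, 1), date(2022, 2, 2)),
    ("EXAMPLE-0003", date(2022, 4, 5), date(2022, 4, 8)),
    ("EXAMPLE-0004", date(2022, 6, 1), date(2022, 6, 6)),
    ("EXAMPLE-0005", date(2022, 7, 15), date(2022, 7, 25)),
    ("EXAMPLE-0006", date(2022, 9, 1), date(2022, 9, 20)),
    ("EXAMPLE-0007", date(2022, 10, 1), date(2023, 3, 1)),     # one long-tail outlier (151 days)
]


def summarize(records):
    """Return the mean, median and within-N-days shares for a TTKE dataset.

    A single slow-burn outlier drags the mean up while most entries were
    exploited within a week, which is the report's "averages are fickle" point.
    """
    vals = [ttke_days(disclosed, exploited) for _, disclosed, exploited in records]
    n = len(vals)
    return {
        "mean_days": mean(vals),
        "median_days": median(vals),
        "pct_within_7d": 100 * sum(v <= 7 for v in vals) / n,
        "pct_within_14d": 100 * sum(v <= 14 for v in vals) / n,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```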
The researchers also noted coordinated vulnerability disclosure is not always coordinated and highlighted concerns with silent patching. For example, there was a heap-based overflow vulnerability, tracked as CVE-2022-42475, in Fortinet's FortiOS SSL VPN. Fortinet privately informed customers on December 7 but did not publicly disclose it until December 12, two weeks after it was silently patched on November 28.
TTKE calculations aside, Rapid7 researchers emphasized how silent patching like Fortinet's gives attackers a head start.
"When the advisory was published, it included a note that Fortinet was 'aware of an instance where this vulnerability was exploited in the wild,' but failed to specify whether the flaw had been exploited by threat actors before they released a fixed version -- which they evidently did silently on November 28, 2022, potentially giving adversaries time to reverse engineer the patch and develop exploits before customers knew there was even a remediation to implement," the authors wrote.
Good news, bad news
Another persistent problem on the threat landscape was zero-day exploits, which the report emphasized "have become the new normal" over the past two years. For 2022, Rapid7 found that 44% of exploited vulnerabilities were zero-days. In 2021, that number was marginally higher at 52%.
Condon told TechTarget that Rapid7 initially produced the report because of an uptick in both scale and speed of exploiting new vulnerabilities by skilled adversaries beginning in late 2019.
"This year, I think we saw a 15% drop in widespread threats from 2021, but 2021 was absolutely bonkers," Condon said. "Some of the drop in widespread exploitation and in zero-day exploitation as a raw number for widespread threats, not necessarily overall. Those are good research [and] reportable findings from our point of view. But it's important to keep in mind that for actual practitioners, there was no relief here."
Similarly, the number of vulnerabilities that led to ransomware also decreased. Rapid7 confirmed 14 of the CVEs in its vulnerability dataset were used in ransomware attacks in 2022 -- a 33% decrease year over year. However, that doesn't necessarily signal a drop in overall ransomware activity. A lack of ransomware reporting and the expansion of initial access brokers may have affected the overall number, according to the report.
Condon said the number of ransomware incidents Rapid7 responded to was up last year, and that there was a massive diversification of the ransomware families behind the attacks.
"There was a period where [the ransomware families] didn't repeat," Condon said. "When this type of diversification is happening and going through a boom period, I think naturally it makes it harder to say it was definitely this CVE or this particular initial access point."
Additionally, Condon warned initial access brokers may not sell access to compromised systems for months, blurring the exact attack chain and timeline.
"I think in 2021, anything that was being exploited by ransomware groups, we called a widespread threat," Condon said. "I don't think we necessarily went into that in this year's report. But that's no longer the de facto categorization because ransomware has gotten pretty specialized."
Condon highlighted issues with using the CVE system as a means of assessing risk, particularly when it comes to the Common Vulnerability Scoring System (CVSS). While scores were never intended as a prioritization mechanism, she recognized that enterprises don't have easy access to better resources.
To defend against fast exploitation and nation-state-level attacks, Condon said enterprises need to get the fundamentals right first, such as implementing a strong vulnerability management program and centralized logging.
"The really basic things are really hard. And that is a very difficult message, I think, for an industry that's really interested in and obsessed sometimes with innovation and the most cutting-edge solution," Condon said. "That kind of paradox is working against us."
Arielle Waldman is a Boston-based reporter covering enterprise security news.