Flashpoint: Threat vectors converging, increasing damage

Cyberthreats are converging as attackers increasingly combine known vulnerabilities with stolen credentials and exposed data to compromise enterprises, according to new Flashpoint research.

The vendor's inaugural "State of Cyber Threat Intelligence 2023" report, released Thursday, examined threats and identified trends from 2022 to highlight upcoming security challenges enterprises might face. The data was derived from Flashpoint's threat intelligence team, which consists of more than 100 researchers, and its collections that use AI, machine learning and natural language processing models to search for relevant information.

The report's main takeaway -- and challenge for defenders -- is how threat vectors are converging, as well as the "cyclical" nature of attackers' tactics, techniques and procedures in the cybercriminal ecosystem.

"Organizations cannot afford to view, prepare for, mitigate, and prevent these threats in silos, as though one threat (and the cycle it exists in) is separate from another," Flashpoint wrote in the report.

One example is the way threat actors take advantage of CVEs, stolen credentials and exposed data. Flashpoint collections determined that 4,518 data breaches were reported last year, resulting in 22.62 billion exposed or stolen credentials and personal records.

Ian Gray, director of research and analysis at Flashpoint, told TechTarget Editorial that Flashpoint is seeing low-level attacks using stolen credentials obtained purely from off-the-shelf brute forcing and credential stuffing tactics. However, these simple methods can inflict significant damage.

The stolen credentials typically come from previously known breaches or compromises and can be leveraged until an account service gets burned or the credentials are reset. They can also be used as an extortion tactic against large companies.

"We've seen a number of threat actors use what I would call really low-sophistication attacks for high impact," Gray said. "A given set of credentials, which may cost a few dollars on a marketplace, can elicit thousands, hundreds of thousands or millions of dollars' worth of damage for an attack."

The report noted how exposed records such as financial information, emails and Social Security numbers were used to deploy phishing campaigns. Another threat vector that garnered significant attention from attackers was known vulnerabilities. There were 26,900 vulnerabilities reported last year, according to the report, and 55% were remotely exploitable.

"This brings the total number of known vulnerabilities to 306,000 -- with the Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD) failing to report 97,000," the report read.

Flashpoint researchers told TechTarget Editorial that there are vulnerabilities missing from the NVD because the way flaws are fundamentally collected is not conducive to broad coverage. While there are some approved cases in which companies can assign and use CVE IDs without Mitre oversight, most of the time Mitre relies on a model that requires researchers and companies to report and disclose to them.

"That leads to cases where coverage for some vendors is fairly comprehensive while also missing thousands of vulnerabilities every year disclosed via researcher blogs and vendors that are not part of their federation," the researchers said in a statement to TechTarget Editorial.

It's clear that attackers are leveraging and exploiting known vulnerabilities, and timely patching of those CVEs continues to be a problem -- of which threat actors are fully aware.

By monitoring communication channels and illicit markets, the Flashpoint intelligence team observed 766 instances in which threat actors referred to a vulnerability by its CVE. Overall, the data revealed 1.1 million threat actor mentions of CVEs.

Flashpoint provided a list of the top mentioned CVEs. Unsurprisingly, the Apache Log4j flaw, tracked as CVE-2021-44228, that caused prolonged challenges for vulnerable organizations was listed as the top flaw for January 2022. It was publicly disclosed in December 2021.

More recently, threat actors eyed the critical Fortinet authentication bypass vulnerability, tracked as CVE-2022-40684, that was publicly disclosed in October. The advisory revealed that the flaw was being actively exploited and affected multiple Fortinet services. Flashpoint listed it as the most mentioned CVE from October through December.

Because those vulnerabilities saw "the most active discussions and could result in remote code execution," Flashpoint recommended that enterprises prioritize patching any on that list.