Known Vulnerabilities Drove Most Cyberattacks in 2022

New research revealed an all-too-familiar theme: Known vulnerabilities for which patches have been issued were the main way threat actors executed cyberattacks in 2022.

“The data highlights that long-known vulnerabilities frequently cause more destruction than the shiny new ones,” Bob Huber, CSO and head of research, Tenable, said in a release detailing the findings in the company’s 2022 Threat Landscape Report.

“Cyberattackers repeatedly find success exploiting these overlooked vulnerabilities to obtain access to sensitive information,” Huber said. “Numbers like these conclusively demonstrate that reactive post-event cybersecurity measures aren’t effective at mitigating risk. The only way to turn the tide is to shift to preventive security and exposure management.”

Among the most exploited of those vulnerabilities are “several high-severity flaws in Microsoft Exchange, Zoho ManageEngine products and virtual private network solutions from Fortinet, Citrix and Pulse Secure,” Tenable noted.

“For the other four most commonly exploited vulnerabilities—including Log4Shell; Follina; an Atlassian Confluence Server and Data Center flaw; and ProxyShell—patches and mitigations were highly publicized and readily available,” the release said. “In fact, four of the first five zero-day vulnerabilities exploited in the wild in 2022 were disclosed to the public on the same day the vendor released patches and actionable mitigation guidance.”

Tense geopolitics, hacktivism, ransomware and attacks targeting critical infrastructure made it difficult for cybersecurity teams and resources to keep up with demand.

“Even as the world faced these challenges, events we observed throughout the year represented a fairly typical year in cybersecurity. Attacks against critical infrastructure remained a common concern,” researchers said in the report.

“Ransomware continued to wreak havoc, even as some groups had operations shuttered by law enforcement, collapsed under the weight of internal power struggles or splintered into new groups,” they explained. “New vulnerabilities emerged and reliable remediation posed challenges for defenders.”

Old News, New Threats

But it was familiar flaws that laid the path for cyberattacks, Tenable said.

“Tenable’s research confirms that the threat landscape is shifting to more diverse types of threats, more threats that avoid traditional security solutions, and that the aim of cybercriminals is expanding beyond data,” said Bud Broomhead, CEO at Viakoo.

“A key takeaway for security leaders is to ensure their security posture extends to all parts of the organization, especially IoT/OT devices,” Broomhead said. “The shift toward operating system vulnerabilities, in particular, is a sign that threat actors are aiming for a broader set of systems and with unprotected IoT/OT devices containing many shared operating system elements (especially Linux) with IT systems, there needs to be more focus on preventing IoT/OT exploits.”

The security problems were exacerbated by the widespread adoption of a cloud-first posture, which may let businesses grow and scale, but “also introduced new forms of risk, as silent patches and security hardening are often completed by cloud service providers (CSPs) without any notice.”

Flaws that impacted CSPs “are not reported in a security advisory, assigned a CVE identifier or mentioned in release notes,” Tenable said. “This lack of transparency makes it challenging for security teams to accurately assess risk and report to stakeholders.”

And the landscape is likely to grow darker as generative AI is adopted by hackers. “Zero-day attacks are one of the biggest security challenges facing enterprises right now, and the increase in the number of zero-hour attacks being exploited in the wild demonstrates how hackers are paying attention to what works and what gets stopped. Hackers are constantly adapting and changing tactics until they find success, and as threat actors continue to leverage new generative AI, this will only get worse,” said Patrick Harr, CEO at SlashNext. “For example, threat actors leverage ChatGPT to essentially spin up countless variations of zero-day attacks.”

The role of humans in making companies more vulnerable should not be overlooked, either. “The important thing to realize is that while we focus on zero-days and vulnerabilities, the biggest vulnerability that every organization has is its human vulnerability,” said John Bambenek, principal threat hunter at Netenrich.

“It is simply far too easy for people to make mistakes that lead to breaches … part of that ease of mistakes also explains why there are so many vulnerabilities, as it’s easy to make software engineering mistakes,” Bambenek said. “All of this points to the need to make our tech stack more resilient against error and, eventually, we’ll have to temper the eagerness of the ‘move fast and break things’ mentality of DevOps with the reality of all the harm that comes along with that approach.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
