The number of software vulnerabilities discovered annually continues to grow, with total vulnerabilities discovered in a year fast approaching the 30,000 mark. But it’s important for cybersecurity teams to identify precisely which vulnerabilities attackers are actually exploiting. Changes in the list of criminals’ favorite vulnerabilities greatly influence which updates or countermeasures should be prioritized. That’s why we regularly monitor these changes. Thus, here are the conclusions that can be drawn from our Exploit and Vulnerability Report for Q1 2024.
Vulnerabilities are becoming increasingly critical; exploits — easily available
Thanks to bug bounty programs and automation, vulnerability hunting has increased significantly in scale. This means vulnerabilities are discovered more frequently, and when researchers find an interesting attack vector, the first identified vulnerability is often followed by a whole series of others — as we recently saw with Ivanti solutions. 2023 set a five-year record for the number of critical vulnerabilities found. At the same time, vulnerabilities are becoming increasingly accessible to an ever-wider range of attackers and defenders — for more than 12% of discovered vulnerabilities’ proofs of concept (PoC) became publicly available shortly after.
Exponential growth of Linux threats
Although the myth that “no one attacks Linux” has already been dispelled, many specialists still underestimate the scale of Linux threats. Over the last year, the number of exploited CVEs in Linux and popular Linux applications increased more than threefold. The lion’s share of exploitation attempts target servers, as well as various devices based on *nix systems.
A striking example of the interest of attackers in Linux was the multi-year operation to compromise the XZ library and utilities in order to create an SSH backdoor in popular Linux distributions.
OSs contain more critical flaws, but other applications are exploited more often
Operating systems were found to contain the most critical vulnerabilities with available exploits; however, critical defects in OSs are rarely useful for initially penetrating an organization’s information infrastructure. Therefore, if you look at the top vulnerabilities actually exploited in APT cyberattacks, the picture changes significantly.
In 2023, the top spot in the exploited vulnerabilities list changed: after many years of its being MS Office, WinRAR took its place with CVE-2023-38831 — used by many espionage and criminal groups to deliver malware. However, the second, third, and fifth places in 2023 were still occupied by Office flaws, with the infamous Log4shell joining them in fourth place. Two vulnerabilities in MS Exchange were also among the most frequently exploited.
In first quarter of 2024, the situation has changed completely: very convenient security holes in internet-accessible services have opened up for attackers, allowing mass exploitation — namely in the MSP application ConnectWise, and also Ivanti’s Connect Secure and Policy Secure. In the popularity ranking, WinRAR has dropped to third place, and Office has disappeared from the top altogether.
Organizations are too slow in patching
Only three vulnerabilities from the top 10 last year were discovered in 2023. The rest of the actively exploited CVEs date back to 2022, 2020, and even 2017. This means that a significant number of companies either selectively update their IT systems or leave some issues unaddressed for several years without applying countermeasures at all. IT departments can rarely allocate enough resources to patch everything on time, so a smart medium-term solution is to invest in products for automatic detection of vulnerable objects in IT infrastructure and software updating.
The first weeks after a vulnerability is publicly disclosed are the most critical
Attackers try to take full advantage of newly published vulnerabilities, so the first weeks after an exploit appears see the most activity. This should be considered when planning update cycles. It’s essential to have a response plan in case a critical vulnerability appears that directly affects your IT infrastructure and requires immediate patching. Of course, the automation tools mentioned above greatly assist in this.
New attack vectors
You can’t focus only on office applications and “peripheral” services. Depending on an organization’s IT infrastructure, significant risks can arise from the exploitation of other vectors — less popular but very effective for achieving specific malicious goals. Besides the already mentioned CVE-2024-3094 in XZ Utils, other vulnerabilities of interest to attackers include CVE-2024-21626 in runc — allowing escape from a container, and CVE-2024-27198 in the CI/CD tool TeamCity — providing access to software developer systems.
Protection recommendations
Maintain an up-to-date and in-depth understanding of the company’s IT assets, keeping detailed records of existing servers, services, accounts, and applications.
Implement an update management system that ensures the prompt identification of vulnerable software and patching. The Kaspersky Vulnerability Assessment and Patch Management solution combined with the Kaspersky Vulnerability Data Feed is ideal for this.
Use security solutions capable of both preventing the launch of malware and detecting and stopping attempts to exploit known vulnerabilities on all computers and servers in your organization.
Implement a comprehensive multi-level protection system that can detect anomalies in the infrastructure and targeted attacks on your organization, including attempts to exploit vulnerabilities and the use of legitimate software by attackers. For this, the Kaspersky Symphony solution, which can be adapted to the needs of companies of varying size, is perfectly suited.