Majority of Ransomware Attacks Last Year Exploited Old Bugs

Many vulnerabilities that ransomware operators used in 2022 attacks were years old and paved the way for the attackers to establish persistence and move laterally in order to execute their missions.


The vulnerabilities, in products from Microsoft, Oracle, VMware, F5, SonicWall, and several other vendors, present a clear and present danger to organizations that haven’t remediated them yet, a new report from Ivanti revealed this week.


Old Vulns Still Popular

Ivanti’s report is based on an analysis of data from its own threat intelligence team and from those at Securin, Cyber Security Works, and Cyware. It offers an in-depth look at vulnerabilities that bad actors commonly exploited in ransomware attacks in 2022.

Ivanti’s analysis showed that ransomware operators exploited a total of 344 unique vulnerabilities in attacks last year, an increase of 56 compared to 2021. Of this, a startling 76% of the flaws were from 2019 or before. The oldest vulnerabilities in the set were in fact three remote code execution (RCE) bugs from 2012 in Oracle’s products: CVE-2012-1710 in Oracle Fusion Middleware, and CVE-2012-1723 and CVE-2012-4681 in the Java Runtime Environment.

Srinivas Mukkamala, Ivanti’s chief product officer, says that while the data shows ransomware operators weaponized new vulnerabilities faster than ever last year, many continued to rely on old vulnerabilities that remain unpatched on enterprise systems.

“Older flaws being exploited is a by-product of the complexity and time-consuming nature of patches,” Mukkamala says. “This is why organizations need to take a risk-based vulnerability management approach to prioritize patches so that they can remediate vulnerabilities that pose the most risk to their organization.”


The Biggest Threats

Among the vulnerabilities that Ivanti identified as presenting the greatest danger were 57 that the company described as offering threat actors capabilities for executing their entire mission. These were vulnerabilities that allow an attacker to gain initial access, achieve persistence, escalate privileges, evade defenses, access credentials, discover assets they might be looking for, move laterally, collect data, and execute the final mission.

The three Oracle bugs from 2012 were among 25 vulnerabilities in this category that were from 2019 or older. Exploits against three of them (CVE-2017-18362, CVE-2017-6884, and CVE-2020-36195) in products from ConnectWise, Zyxel, and QNAP, respectively, are not currently being detected by scanners, Ivanti said.

A plurality (11) of the vulnerabilities in the list that offered a complete exploit chain stemmed from improper input validation. Other common causes for vulnerabilities included path traversal issues, OS command injection, out-of-bounds write errors, and SQL injection.


Widely Prevalent Flaws Are Most Popular

Ransomware actors also tended to prefer flaws that exist across multiple products. One of the most popular among them was CVE-2018-3639, a type of speculative side-channel vulnerability that Intel disclosed in 2018. The vulnerability exists in 345 products from 26 vendors, Mukkamala says. Other examples include CVE-2021-44228, the infamous Log4Shell flaw, which at least six ransomware groups are currently exploiting. The flaw is among those that Ivanti found trending among threat actors as recently as December 2022. It exists in at least 176 products from 21 vendors including Oracle, Red Hat, Apache, Novell, and Amazon.

Two other vulnerabilities ransomware operators favored because of their widespread prevalence are CVE-2018-5391 in the Linux kernel and CVE-2020-1472, a critical elevation of privilege flaw in Microsoft Netlogon. At least nine ransomware gangs, including those behind Babuk, CryptoMix, Conti, DarkSide, and Ryuk, have used the flaw, and it continues to trend in popularity among others as well, Ivanti said.

In total, the security vendor found that some 118 vulnerabilities that were used in ransomware attacks last year were flaws that existed across multiple products.

“Threat actors are very interested in flaws that are present in most products,” Mukkamala says.


None on the CISA List

Notably, 131 of the 344 flaws that ransomware attackers exploited last year are not included in the US Cybersecurity and Infrastructure Security Agency’s closely followed Known Exploited Vulnerabilities (KEV) database. The database lists software flaws that threat actors are actively exploiting and which CISA assesses as being especially risky. CISA requires federal agencies to address vulnerabilities listed in the database on a priority basis, usually within two weeks or so.

“It’s significant that these aren’t in CISA’s KEV because many organizations use the KEV to prioritize patches,” Mukkamala says. That shows that while KEV is a solid resource, it doesn’t provide a full view of all the vulnerabilities being used in ransomware attacks, he says.

Ivanti found that 57 vulnerabilities used in ransomware attacks last year by groups such as LockBit, Conti, and BlackCat had low- and medium-severity scores in the National Vulnerability Database. The danger: this could lull organizations who use the score to prioritize patching into a false sense of security, the security vendor said.
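The two gaps described above (flaws missing from KEV, and ransomware-used flaws with low or medium NVD scores) are easiest to see when a CVSS-only patch queue is placed beside a risk-based one. The script below is an added example, not code from Ivanti or from the report: it scores a small inventory with both strategies and reports which CVEs a CVSS-only policy, or a KEV-only policy, would leave unscheduled. The CVE ids are the ones named in the article, but every base score, KEV flag, group count and full-chain flag in the sample inventory is a constructed value for the demo, as are the `CVE-EXAMPLE-*` placeholder ids and the scoring weights.

```python
"""Risk-based patch prioritisation over a constructed vulnerability inventory.

Combines, per CVE, the NVD base score with two exploitation signals the
article discusses: CISA KEV membership and observed ransomware use.  The
CVE ids below appear in the article; every score, KEV flag and group count
is a constructed sample value for this demo, not data from the report.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float              # NVD base score (constructed sample value)
    in_kev: bool             # present in the CISA KEV catalog? (constructed)
    ransomware_groups: int   # ransomware groups observed using it (constructed)
    full_chain: bool         # covers initial access through final mission (constructed)


# Constructed inventory. "CVE-EXAMPLE-*" ids are placeholders, not real CVEs.
SAMPLE_INVENTORY = [
    Vuln("CVE-2020-1472", 10.0, True, 9, True),
    Vuln("CVE-2021-44228", 10.0, True, 6, True),
    Vuln("CVE-EXAMPLE-HIGH", 9.8, False, 0, False),   # severe on paper, no known exploitation
    Vuln("CVE-2017-18362", 6.5, False, 2, True),      # medium score, used in the wild, full chain
    Vuln("CVE-EXAMPLE-MED", 5.3, False, 0, False),
    Vuln("CVE-2018-3639", 4.7, False, 3, False),      # low score, several groups, not in KEV
]


def cvss_only_score(v: Vuln) -> float:
    """Naive strategy: patch order follows the NVD base score alone."""
    return v.cvss


def risk_score(v: Vuln) -> float:
    """Risk-based strategy: evidence of exploitation outweighs the base score.

    Weights are illustrative. Observed ransomware use adds a flat 3.0 plus
    0.5 per group, KEV membership adds 2.0 and a full attack chain adds 2.0,
    so a medium-severity bug with real exploitation can outrank an
    unexploited critical one.
    """
    score = v.cvss
    if v.ransomware_groups > 0:
        score += 3.0 + 0.5 * v.ransomware_groups
    if v.in_kev:
        score += 2.0
    if v.full_chain:
        score += 2.0
    return score


def prioritize(vulns: Iterable[Vuln], scorer: Callable[[Vuln], float]) -> list[str]:
    """Return CVE ids in patch order: highest score first, ties broken by id."""
    return [v.cve for v in sorted(vulns, key=lambda v: (-scorer(v), v.cve))]


def missed_by_cvss_only(vulns: list[Vuln], top_n: int) -> set[str]:
    """CVEs inside the risk-based top-N that a CVSS-only top-N would leave out."""
    by_cvss = set(prioritize(vulns, cvss_only_score)[:top_n])
    by_risk = set(prioritize(vulns, risk_score)[:top_n])
    return by_risk - by_cvss


def kev_gap(vulns: Iterable[Vuln]) -> set[str]:
    """CVEs with observed ransomware use that a KEV-only policy would never schedule."""
    return {v.cve for v in vulns if v.ransomware_groups > 0 and not v.in_kev}


if __name__ == "__main__":
    print("CVSS-only order :", prioritize(SAMPLE_INVENTORY, cvss_only_score))
    print("Risk-based order:", prioritize(SAMPLE_INVENTORY, risk_score))
    print("Missed by a CVSS-only top 3:", missed_by_cvss_only(SAMPLE_INVENTORY, 3))
    print("Exploited but absent from KEV:", kev_gap(SAMPLE_INVENTORY))
```

With the constructed values, the CVSS-only queue places the unexploited `CVE-EXAMPLE-HIGH` third and pushes CVE-2017-18362 (medium score, full chain, ransomware use) out of the top three; the risk-based queue reverses that. `kev_gap` lists the two exploited flaws the inventory marks as absent from KEV, which is the blind spot the article attributes to organizations that prioritize from KEV alone. In a real deployment the KEV flag would come from CISA's published catalog and the exploitation counts from threat intelligence, with the weights tuned to the organization's own risk tolerance.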
