Rise of zero-day exploits reshapes security recommendations

With zero-day attacks rapidly eclipsing exploits of known flaws, CISOs face the specter of having to switch up their security strategies in favor of post-exploitation response.

That’s the key takeaway from security firm Rapid7’s newly released 2024 Attack Intelligence Report: With less time to react and deploy patches and mitigations when they learn of a new flaw that’s being actively exploited, CISOs must put post-exploitation controls and detections in place to limit the damage should attackers gain access to their network.

Over the past year mass attacks perpetrated through unpatched vulnerabilities (zero-days) exceeded those exploiting known flaws with patches available, according to Rapid7 researchers. Exploits against network edge devices, such as VPN appliances and security gateways, played a big role in that explosion, accounting for over a third of attacks.

Moreover, unlike most n-day exploits for known flaws, which are typically used by multiple threat actors once an exploit becomes available, zero-day exploits have been used mostly by single sophisticated adversaries that targeted dozens or hundreds of organizations in their attack campaigns, according to the researchers.

“These aren’t our grandparents’ cyberthreats — this is a mature, well-organized cybercrime ecosystem at work, with increasingly sophisticated mechanisms to gain access, establish persistence, and evade detection,” the researchers wrote in their report.

In response, CISOs would be wise to reassess their IT security strategies with shorter exploit cycles and post-incident response top of mind.

The shift to incident response

Rapid7 researchers tracked more than 60 vulnerabilities that saw widespread exploitation in 2023 and the beginning of this year. Of those, more than half were new flaws discovered during this period; of these new flaws, 53% were zero-days when initially found.

It’s worth noting that Rapid7 researchers consider a vulnerability to see mass or widespread exploitation when it is used in real-world attacks to target many organizations across different industry verticals and geolocations. The researchers note that they did not include zero-day flaws for which only a proof-of-concept exploit was published on the internet in their tracking.

They also didn’t count exploitation attempts against the thousands of honeypots put up by security companies around the world as actual attacks because doing so would skew the perception of how widespread a threat is, potentially distracting organizations from prioritizing where to direct their limited resources.

“Organizations should expect to conduct incident response investigations that look for indicators of compromise (IOCs) and post-exploitation activity during widespread threat events in addition to activating emergency patching protocols,” the researchers advised.

Shorter exploit cycles, more security strain

The number of zero-day exploits has exploded since 2021, and the threat actors using them are no longer limited to state-sponsored cyberespionage groups: cybercrime gangs pushing ransomware and crypto-mining malware use them as well. In 2020, n-day exploits outnumbered zero-days 3 to 1; by 2021, zero-days accounted for over half of widespread attacks, and they have never returned to previous levels.

“Since 2021, Rapid7 researchers have tracked the time between when vulnerabilities become known to the public and when they are (reliably) reported as exploited in the wild,” the researchers said. “This window, which we call ‘Time to Known Exploitation,’ or TTKE, has narrowed considerably in the past three years, largely as a result of prevalent zero-day attacks.”

Zero-day attacks have a TTKE of 0, because the flaws get exploited before they’re publicly known. As such, it’s hard to draw a relevant conclusion by calculating average TTKEs, but the researchers point out that of all flaws (zero-day and n-day) tracked since 2021, 55% were exploited within the first week after public disclosure and 60% within the first two weeks. This is a big difference from 2020, when 30% were exploited during the first week and 32% in the first two weeks.
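As an added illustration (not code from the Rapid7 report), the following computes a TTKE distribution over a constructed set of disclosure and exploitation dates, clamping exploitation-before-disclosure to 0 as the report does and reporting share-within-window figures alongside the mean, which the zero-days and a single long tail pull in opposite directions. The vulnerability identifiers and dates are invented placeholders.

```python
"""Time to Known Exploitation (TTKE) statistics over constructed sample data.

TTKE = days between public disclosure and the first reliable report of
in-the-wild exploitation. Exploitation before disclosure is a zero-day and
counts as 0, matching the definition described in the article.
"""
from datetime import date
from statistics import median

# Constructed sample (placeholder ids, invented dates):
# (id, public disclosure date, first reliable in-the-wild exploitation report)
SAMPLE = [
    ("VULN-A", date(2023, 1, 10), date(2022, 12, 20)),  # zero-day: exploited first
    ("VULN-B", date(2023, 2, 1),  date(2023, 2, 1)),    # zero-day: same day
    ("VULN-C", date(2023, 3, 5),  date(2023, 3, 9)),    # n-day: 4 days
    ("VULN-D", date(2023, 4, 1),  date(2023, 4, 12)),   # n-day: 11 days
    ("VULN-E", date(2023, 5, 1),  date(2023, 7, 30)),   # n-day: 90 days (long tail)
]


def ttke_days(disclosed, exploited):
    """TTKE in whole days; exploitation on or before disclosure is clamped to 0."""
    return max(0, (exploited - disclosed).days)


def ttke_summary(records, windows=(7, 14)):
    """Return zero-day share, mean, median and share exploited within each window."""
    ttkes = [ttke_days(disclosed, exploited) for _, disclosed, exploited in records]
    n = len(ttkes)
    summary = {
        "count": n,
        "zero_day_share": sum(1 for t in ttkes if t == 0) / n,
        "mean_days": sum(ttkes) / n,      # skewed: zero-days pull it down, tails pull it up
        "median_days": median(ttkes),
    }
    for w in windows:
        # Share of flaws exploited within w days of disclosure (zero-days included)
        summary[f"within_{w}_days"] = sum(1 for t in ttkes if t <= w) / n
    return summary


if __name__ == "__main__":
    for key, value in ttke_summary(SAMPLE).items():
        print(f"{key:>16}: {value}")
```

On the sample, the mean of 21 days says little, while 60% of flaws were exploited within a week and 80% within two, which is the kind of figure the report uses.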

The conclusion is clear: With attack cycles shortening, IT security professionals have less time to rely on patches and mitigations, and now must spend more time attempting to limit the damage attackers can do by focusing on post-exploitation controls and detections.

This shift and subsequent scramble are leading to additional strain on security teams.

“Technologies like endpoint detection and response (EDR) are key components of a defense-in-depth strategy, but we believe that business leaders should be aware that combating and preventing modern cyberthreats continues to require human expertise in addition to technology,” the researchers warn. “More than ever, burnout and brain drain on security teams compound risk from well-resourced, motivated adversary operations.”

MFA can make a big difference

During the reporting period, Rapid7’s managed detection and response (MDR) team tracked over 5,600 ransomware incidents from public reporting and its own investigations, noting that this is a very conservative number, as many such incidents continue to go unreported. Some ransomware groups have used zero-day exploits, particularly against managed file transfer (MFT) applications, but also collaboration tools and network perimeter devices.

The Known Exploited Vulnerabilities (KEV) catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA) currently includes 219 CVEs (vulnerability identifiers) known to have been used in ransomware attacks.

That said, Rapid7’s MDR team concluded that 41% of ransomware incidents were the result of missing multi-factor authentication (MFA) on virtual desktop or enterprise VPN systems. As such, these attacks could have been easily avoided by enforcing one relatively simple additional authentication control.

Attackers go for simpler exploits

While most remote code execution vulnerabilities have historically been the result of memory corruption issues in software, Rapid7 has observed a new trend in its dataset: Attackers are predominantly choosing classes of vulnerabilities for which it’s easier to develop stable and reliable exploits.

Memory corruption flaws, for example, are hard to exploit because of the various anti-exploitation technologies added to software over the years at the operating system and application levels. Exploiting a memory corruption flaw often requires chaining additional vulnerabilities that disclose memory locations, or relying on various complicated techniques. Getting one exploit to work reliably across different versions of the same operating system is a challenge in itself.

Therefore, it’s not a huge surprise that 75% of the CVEs included in Rapid7’s dataset of widespread exploits over the past four years have been either caused by improper access controls — authentication bypasses, improper cryptographic implementations, and remotely accessible APIs — or injection issues such as server-side request forgery (SSRF), SQL injection, and command injection. Even deserialization flaws have been more prevalent than memory corruption ones.

Defense-in-depth recommendations

Having a solid vulnerability management program that ensures timely patching of critical and widely exploited vulnerabilities is essential, both in the cloud and on premises. But other controls can make a big difference, too. For example, implementing MFA for all systems and applications should be a top priority, as well as applying the principle of least privilege when creating accounts and roles.

Reducing the internet-exposed attack surface also makes a big difference. Companies should regularly review their internet-exposed devices, network appliances, applications, ports, and interfaces. Anything that can be walled off should be walled off.

Ensuring an efficient backup strategy with multiple backup locations, both online and offline, onsite and offsite, can be very effective against ransomware attacks. Companies should also put measures in place to detect and prevent attempts to exfiltrate large quantities of data, which is one of the main extortion techniques used by ransomware groups.
