As the second quarter of 2022 closes, it’s time again to report on the recent trends and highlights from a vulnerability perspective. Q2 has been dominated by the continuation of the Russia-Ukraine war, several high-profile security incidents resulting from vulnerability exploitation, and of course, a continuation of bad security practices. In this blog, we look at events and trends that emerged in Q2 2022.
Privilege Escalation vulnerabilities lead the way
Privilege escalation vulnerabilities were the most commonly observed exploited vulnerability in Q2 2022, representing 48% of incidents reported by Digital Shadows (now ReliaQuest) in this period. This was followed by weak authentication, remote code execution (RCE), and denial of service (DoS) vulnerabilities, which came in at 13% each. Privilege escalation flaws allow users higher levels of permission and access to systems or applications than administrators intended. They are valuable for attackers because they are often required for a range of malicious activity, but occasionally can be overlooked by defenders/developers because of their typically low severity scores.
If your vulnerability management program focuses on an outdated approach to fixing vulnerabilities triaged via CVSS, several of these exploitable vulnerabilities may be overlooked. Of course, you’ll remember our research report on vulnerability intelligence emphasized the need to move towards a risk-based approach in vulnerability management, i.e. fixing vulnerabilities across your organization by triaging on immediate risk.
Same old story: Log4Shell most discussed vulnerability
As we reported in our CVE blog for Q1 2022, the Log4Shell (CVE-2021-44228) flaw was the most discussed vulnerability across a wide range of sources, including tweets, pastes, blogs, webpages, internet relay chats, and GitHub. Recent reporting has highlighted that—unsurprisingly—threat actors have continued to target Log4Shell in large numbers. This includes targeting VMware Horizon® and Unified Access Gateway (UAG) servers, which were used to obtain initial access to organizations that did not apply available patches or workarounds.
Other vulnerabilities with high mentions this quarter include the ProxyLogon vulnerability (CVE-2021-26855), a 2021 RCE vulnerability affecting Microsoft HTML (MSHTML – CVE-2021-40444), and the BlueKeep Remote Desktop Protocol (RDP) vulnerability. Also surprisingly included was a 2010 vulnerability affecting SpringSource, an open-source framework for Java applications. This vulnerability became relevant in 2022 following the disclosure of the “Spring4Shell” vulnerability (CVE-2022-22965); we identified Spring4Shell in our last CVE quarterly. According to researchers, the Spring4Shell vulnerability bypasses the patch for CVE-2010-1622, which causes it to become exploitable. This case exemplifies the need for a risk-based approach to vulnerability management, that is flexible and capable of adapting to context and changes, rather than focussing on factors like a CVSS score or a vulnerabilities age.
Follina vulnerability features during the Russia-Ukraine war:
We’ve previously written at great length about the implications of the Russia-Ukraine war on the cyber battlespace. As you’d imagine, the risk from Russia-aligned threat groups has dramatically increased following the conflict, specifically from state-sponsored advanced persistent threat (APT) groups, cybercriminals, and hacktivists. One thing that may have taken us all by surprise was Russia’s use of offensive cyberattacks prior to and during the conflict; so far, Russia-linked destructive attacks have been either limited or perhaps ineffective in what they aimed to achieve. Of course, Russian actors will always be on the lookout for the latest vulnerability to provide access to a target system.
Russian threat actors exploited the “Follina” zero-day RCE (CVE-2022-30190) in Q2 2022, which affects the Microsoft Support Diagnostic Tool (MSDT). Attackers can exploit this bug to remotely execute PowerShell commands, which in turn, can lead to several attack methods. This makes the vulnerability highly useful to a variety of threat actors; groups known to target this bug so far include Russian APT groups “Sandworm” and “Fancy Bear”. To make matters worse, exploiting the vulnerability also does not require admin permissions and an attacker may even elevate user permissions using the exploit. Attacks can be carried out even if Office macros are disabled, and the vulnerability may be triggered simply by viewing the document in Windows Explorer. In short, it’s bad and will continue to get targeted, so get it patched as soon as possible.
What to expect in Q3 2022:
At the risk of teaching you all to suck eggs, vulnerability exploitation will continue as one of the primary avenues of entry into your network. The recent Data Breach Investigations Report (DBIR) from Verizon identified vulnerabilities as the 3rd most common access vector exploited by cyber threat actors, behind stolen credentials and phishing (you probably saw us reference this excellent report in our recent research report on Account Takeover). Getting a handle on your attack surface and reducing vulnerability exposure can be one of the best methods of minimizing the chances of a impactful incident.
As we’ve already mentioned, taking a risk-based approach is the best approach, which can only be achieved if you have the context of how risky a vulnerability actually is. Check out our solutions guide on Vulnerability Intelligence here, or schedule a demonstration of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to assist in achieving this goal.