The curtain has fallen on the third quarter (Q3) of 2022, and it’s time to report the trends and highlights gleaned from Digital Shadows (now ReliaQuest)’ vulnerability intelligence. Q3 was characterized by dozens of zero-day vulnerabilities, including the continued exploitation of the high-profile Follina vulnerability (CVE-2022-30190) that debuted in the second quarter of 2022. For more on this, check out our blog Q2 Vulnerability Roundup. But, back to this blog for now, where we’re going to discuss events and trends that materialized in Q3 2022.

Remote Code Execution Vulnerabilities Back On Top

Remote code execution (RCE) vulnerabilities were the most commonly observed exploited vulnerability in Q3 2022, representing 48 percent of incidents reported by Digital Shadows (now ReliaQuest). Local privilege escalation (LPE), denial of service (DoS), and SQL injection vulnerabilities followed with 31 percent collectively. RCE flaws enable attackers to remotely execute malicious code on a system and are attractive to opportunistic threat actors who can exploit them to gain initial access to enterprise environments.  

RCE vulnerabilities tend to be categorized as critical with high CVSS scores, so typically attract more attention than other types of vulnerabilities that have lower severity scores. There’s an added amount of pressure to patch critical vulnerabilities and it can quickly become overwhelming for vulnerability and patch management teams. Vulnerability intelligence can provide organizations with valuable context beyond CVSS scores to help determine more accurate severity. With this information, you can make timely, threat-informed decisions during the vulnerability management process.   

Figure 1: Q3 exploited vulnerabilities by type

Oldie Office Bug Dominates Discussions

Q3 revealed that new vulnerabilities are not always the most talked-about vulnerabilities. It takes time to research and create exploits for newer vulnerabilities, whereas older ones have a higher chance of established exploits being available. Older vulnerabilities are also more likely to be embedded in penetration-testing tools. A flaw found in Microsoft Office 2007 (tracked as CVE-2017-11882) was the most discussed vulnerability in Q3 across a wide range of sources, including tweets, pastes, blogs, webpages, Internet Relay Chats (IRC), and GitHub. 

Figure 2: References to CVEs across select sources, Q3 2022

CVE-2017-11882 caught the attention of researchers at Fortinet in a recent report series where they identified a malicious Microsoft Excel spreadsheet that was distributing several pieces of malware, including the information-stealing malware “Formbook” and “Redline”. There’s a patch available for CVE-2017-11882, but enterprise environments are very heterogeneous with their own dependencies, which means many vulnerabilities remain unpatched. This is why cybercriminals are able to exploit flaws for years after a patch is released. 

The Follina vulnerability was not far behind in terms of references this quarter, as well as a high-severity zero-day vulnerability in Google Chrome, tracked as CVE-2022-2294. This is a heap-based buffer-overflow flaw in the Web Real-Time Communications (WebRTC) component of the Google Chrome browser. A heap-based buffer overflow occurs when the buffer that can be overwritten is allocated in the heap portion of memory. 

Although the issue was addressed in a patch released on 04 Jul 2022, the vulnerability was reportedly used in a campaign against several journalists in the Middle East. The flaw was exploited to deploy the “DevilsTongue” spyware, developed by the controversial Tel Aviv-based technology company Candiru. The Chrome exploit was chained together with a sandbox escape exploit within the campaign.  

Yet Another MS Exchange Flaw: PROXYNOTSHELL

On 30 Sep 2022, Microsoft published a blog analyzing attacks using two Microsoft Exchange vulnerabilities, tracked as CVE-2022-41082 and CVE-2022-41040. In the blog, Microsoft reported that it had observed a limited number of targeted attacks leveraging the two vulnerabilities, dubbed ProxyNotShell. 

In August 2022, an unknown threat group utilized the two Microsoft Exchange vulnerabilities after gaining initial access. In these attacks, the threat actor installed the “Chopper” web-shell for hands-on keyboard access, using this access to perform Active Directory (AD) reconnaissance and exfiltrate data. Microsoft assessed with medium confidence that the attackers were state sponsored.

On 11 Oct 2022, researchers reported that the ProxyNotShell vulnerabilities had been exploited in attacks in order to distribute the “LockBit” ransomware. This activity took place in the fourth quarter and—as with most high-profile zero days—is an example of how quickly other cybercriminals began deploying opportunistic cyber attacks exploiting the flaws. Active since at least September 2019, the LockBit gang has been the most active ransomware group in 2022 to date, across multiple regions and sectors. At the time of writing, LockBit has named over 700 victims on its data-leak site in 2022 alone. To learn more about the ransomware trends in Q3 2022, check out our recent Ransomware in Q3 2022 blog. 

What To Expect In Q4 2022

Vulnerability exploitation—particularly on Internet-facing infrastructure—will likely remain a favorite initial access point for cybercriminals. In our recent advanced persistent threat (APT) Spotlight Series blog, we discuss how the cyber-espionage group “APT41” gained access to six state networks by exploiting vulnerabilities. Vulnerability intelligence can have a real business impact: it can protect you from a major breach by patching the most critical weakness first. Check out our solutions guide on vulnerability intelligence here, or schedule a demonstration of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to see it in action…