Qualys has published its 2024 Midyear Threat Landscape Review. It says the number of CVEs reported year-on-year has surged by 30%, which is significant and adds to the pressure on IT Security teams.

There has also been an increase in the number of CVEs, new and old, that have been weaponised. The weaponisation rate of new CVEs is just under 1%. However, the share of older CVEs that have been weaponised is 10%. This shows that delaying patches leads to increased risk and gives attackers more time to craft their attacks.

What can we tell from the CVE numbers?

The numbers in this report show how fast things are changing. Between January and mid-July, the number of CVEs rose from 17,114 in 2023 to 22,254 in 2024. Comparing that to previous years shows that the year-on-year increase was 24% in 2022, 20% in 2023 and 30% in 2024.

Qualys offers no comment on the cause of this increase in CVEs. Is it poorer coding standards from software providers both commercial and open source? That is hard to quantify because there are no numbers to compare the volume of software releases to the number of vulnerabilities.

A more likely reason is that security researchers are conducting more rigorous testing and investigation. The rise in bug bounty programmes has had a positive effect on creating a third-party test industry. Vendors are also doing more to test their software through better software development lifecycle (SDL) processes.

What do the exploit numbers tell us?

204 new CVEs were weaponised from January to mid-July 2024. While this represents an exploit rate of just 0.91%, Qualys comments that “the impact and severity of these weaponized vulnerabilities are disproportionately high.”

Qualys says it has also seen that several of the weaponised vulnerabilities are associated with multiple threat actors. What it hasn’t provided is a more detailed examination of that statement. Are these multiple actors affiliated with each other? Are the exploits being rented to others to do the actual attack, with the exploiter getting a fee?

It has said that “four are linked to ransomware campaigns, emphasizing ransomware’s continued prominence as a method for cyber extortion and posing a substantial risk to cybersecurity.”

Of serious concern is that the attackers are picking off the vulnerabilities with the highest risk. 62.6% of vulnerabilities rank 95/100 or above on the Qualys Vulnerability Score (QVS). It should be noted that the QVS is part of Qualys's wider assessment of the risk a vulnerability poses.

From a wider perspective, the number of older CVEs (discovered before 2024) being exploited has also increased. The report puts that number at 10%, up slightly on the same period last year. It shows that the risk posed by a vulnerability does not decline over time.

The report states that some of the vulnerabilities have been available on the dark web for months. It gives the example of CVE-2023-43208 NextGen Mirth Connect Java XStream (Qualys Vulnerability Score 95/100), which is used in healthcare systems.

Areas that require focused security measures

The MITRE ATT&CK Framework was used by the report team to take a closer look at several of the CVEs. It discovered that there are two areas that are being targeted and which need more focused security measures:

Initial Access via Public-Facing Applications: Exploiting public-facing applications (T1190) is a primary vector for initial access, with nearly half of the CVEs involving vulnerabilities in these applications. This highlights the critical need for assessing and securing external-facing components to mitigate risks.

Lateral Movement through Remote Services: There is a notable trend of lateral movement utilizing remote services (T1210). This prevalent attack methodology indicates that attackers often exploit vulnerabilities to navigate through the network once entry is secured.

Neither of these should surprise IT Security teams. Most organisations have been tightening their defences against external attacks since workers began working from home.

Organisations have increased their use of VPNs to reduce the risk of attack. However, cybercriminals have prioritised exploits against VPNs. The latest has been the zero-day exploit against Palo Alto GlobalProtect. Not only do the attackers get inside through a trusted connection, but they then use that to exfiltrate data, knowing it is less likely to be scanned.

That also plays into the second area above. Once inside, many organisations have weak internal controls, which makes lateral movement hard to detect and block.

Enterprise Times: What does this mean?

The rise in vulnerabilities is stretching IT’s ability to patch and remediate. Rushing to apply every patch without testing brings significant risk, as the autopatch incident with CrowdStrike showed. However, the rise in zero-day exploits doesn’t provide organisations with breathing room.

To deal with this, organisations need to do a risk assessment of vulnerabilities and any announced exploits. This means changing how they patch and remediate security alerts to ensure critical systems are patched immediately and other vulnerable systems soon after. Importantly, as the amount of open source and use of APIs continues to increase, any solution must include those as well.
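The risk-based triage described above, as an added example that is not part of the Qualys report or of this article: a small Python script that takes scanner findings and sorts them into patch tiers, putting weaponised flaws on critical or public-facing systems (the T1190 exposure the report highlights) first, the rest of the high-risk backlog next, and everything else on a schedule. It also computes the weaponised share of new versus older CVEs, the metric behind the report's 1% and 10% figures. The CVE identifiers, scores, hostnames and dates are constructed placeholders, and the tier thresholds are assumptions chosen for illustration, not Qualys policy.

```python
"""Risk-based patch prioritisation over constructed scanner findings.

Added example, not code from Qualys or Enterprise Times. All identifiers,
scores and dates below are constructed; tier thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    cve: str              # constructed placeholder, not a real CVE id
    qvs: int              # vendor risk score on a 0-100 scale (constructed)
    weaponised: bool      # exploit seen in the wild or publicly available
    published: date       # date the CVE was published
    asset: str            # host the finding was detected on (constructed)
    public_facing: bool   # internet-reachable: exposed to ATT&CK T1190
    critical_asset: bool  # business-critical system


TIER_RANK = {"immediate": 0, "soon": 1, "scheduled": 2}


def patch_tier(f: Finding) -> str:
    """Assign an SLA tier. Thresholds (95, 80) are assumptions for this example."""
    if f.weaponised and (f.public_facing or f.critical_asset):
        return "immediate"          # exploited and reachable or critical: patch now
    if f.weaponised or f.qvs >= 95 or (f.public_facing and f.qvs >= 80):
        return "soon"               # exploited internally, or top-scored, or exposed
    return "scheduled"              # normal maintenance window


def prioritise(findings):
    """Order the queue: tier first, then higher score, then the older CVE first
    (an older flaw has had a longer window for attackers to weaponise it)."""
    return sorted(findings,
                  key=lambda f: (TIER_RANK[patch_tier(f)], -f.qvs, f.published))


def weaponised_rates(findings, year_start: date) -> dict:
    """Share of weaponised findings among CVEs published before / from year_start."""
    buckets = {"new": [], "old": []}
    for f in findings:
        buckets["new" if f.published >= year_start else "old"].append(f)
    return {k: (sum(f.weaponised for f in v) / len(v) if v else 0.0)
            for k, v in buckets.items()}


# Constructed sample inventory (placeholder CVE ids, hosts and scores).
TODAY = date(2024, 7, 15)
YEAR_START = date(2024, 1, 1)
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", 97, True,  date(2024, 5, 2),   "vpn-gw-01",    True,  True),
    Finding("CVE-EXAMPLE-0002", 96, False, date(2024, 3, 18),  "erp-db-01",    False, True),
    Finding("CVE-EXAMPLE-0003", 70, False, date(2024, 6, 1),   "dev-jenkins",  False, False),
    Finding("CVE-EXAMPLE-0004", 92, True,  date(2023, 10, 4),  "hl7-relay-01", True,  True),
    Finding("CVE-EXAMPLE-0005", 85, False, date(2023, 2, 11),  "web-portal",   True,  False),
    Finding("CVE-EXAMPLE-0006", 60, True,  date(2022, 8, 30),  "print-srv",    False, False),
    Finding("CVE-EXAMPLE-0007", 40, False, date(2023, 12, 20), "kiosk-03",     False, False),
    Finding("CVE-EXAMPLE-0008", 88, False, date(2024, 2, 9),   "file-srv-02",  False, False),
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        age = (TODAY - f.published).days
        print(f"{patch_tier(f):9} {f.cve} qvs={f.qvs:3} age={age:4}d {f.asset}")
    rates = weaponised_rates(SAMPLE_FINDINGS, YEAR_START)
    print(f"weaponised share: new={rates['new']:.0%} old={rates['old']:.0%}")
```

The queue is sorted by tier before score, so a weaponised flaw with a lower score on an exposed host outranks an unexploited flaw with a higher score on an internal one; within a tier, ties on score fall to the older CVE, which matches the report's point that the risk of an old vulnerability does not decline with age. Open source components and APIs would enter the same queue as additional findings rather than a separate process.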

The big message from this assessment is that there is no let-up for defenders in sight.
