Chris Swagler | March 1st, 2023

Numerous vulnerabilities used by ransomware operators in 2022 attacks were years old, yet they still allowed threat actors to establish persistence, move laterally, and complete their missions. According to a new analysis, vulnerabilities in products from Microsoft, Oracle, VMware, F5, SonicWall, and several other vendors pose a clear and present danger to companies that have not remediated them. The study is based on data gathered by a threat intelligence team together with several other cybersecurity companies, and it provides an in-depth look at the vulnerabilities threat actors most frequently used in ransomware attacks in 2022. Ransomware operators exploited 344 unique vulnerabilities in attacks last year, 56 more than in 2021 (a 19% increase). A striking 76% of those vulnerabilities were disclosed in 2019 or earlier.

The oldest vulnerabilities in the group were three remote code execution (RCE) bugs in Oracle products from 2012: CVE-2012-1710 in Oracle Fusion Middleware, and CVE-2012-1723 and CVE-2012-4681 in the Java Runtime Environment. Although the data suggest that ransomware operators adopted new vulnerabilities faster than ever last year, many continued to rely on old vulnerabilities that remain unpatched on corporate systems. Exploitation of older vulnerabilities is a byproduct of patching being complex and time-consuming: not every fix gets applied everywhere. Companies therefore need to prioritize patches with a risk-based vulnerability management approach that remediates the vulnerabilities posing the greatest risk to their organization first, rather than working through findings in the order a scanner lists them.

Among the vulnerabilities identified as the most dangerous, 57 were described as giving threat actors everything needed to complete their entire objective. These vulnerabilities allowed an attacker to obtain initial access, persist, escalate privileges, evade defenses, access credentials, discover the assets they were looking for, move laterally, collect data, and finish the mission. The three Oracle bugs from 2012 were among 25 vulnerabilities in this group dating from 2019 or earlier. Exploits against three of them (CVE-2017-18362, CVE-2017-6884, and CVE-2020-36195), in ConnectWise, Zyxel, and QNAP products respectively, are not currently detected by vulnerability scanners, so an organization relying on scan results alone would not know it was exposed. Several of the vulnerabilities that provided a complete exploit chain stemmed from improper input validation; other common root causes were path traversal, OS command injection, out-of-bounds writes, and SQL injection.

Additionally, ransomware actors favored weaknesses that exist across numerous products. CVE-2018-3639, a speculative-execution side-channel vulnerability disclosed in 2018, was one of the most popular among ransomware actors and is present in 345 products from 26 vendors. CVE-2021-44228, the infamous Log4Shell flaw, is another example, with at least six ransomware groups exploiting it; the flaw was still trending among threat actors as recently as December 2022. It is present in 176 products from 21 different vendors, including Oracle, Red Hat, Apache, Novell, and Amazon.

CVE-2018-5391 in the Linux kernel and CVE-2020-1472, a critical elevation-of-privilege flaw in Microsoft Netlogon, are two other vulnerabilities that ransomware operators favored because of their widespread prevalence. The Netlogon flaw has been used by multiple ransomware groups, including Babuk, CryptoMix, Conti, DarkSide, and Ryuk, and it remains popular with other groups. In all, the researchers found that 118 of the vulnerabilities used in ransomware attacks last year were flaws present across numerous products: threat actors are most interested in the vulnerabilities that give them the widest reach.

Last year, 131 of the 344 flaws used by ransomware operators were not listed in the Known Exploited Vulnerabilities (KEV) catalog maintained by the United States Cybersecurity and Infrastructure Security Agency (CISA). The catalog lists software flaws that threat actors are actively exploiting and that CISA considers especially risky, and CISA mandates that federal agencies remediate vulnerabilities in it on a priority basis, usually within two weeks. The absence of these vulnerabilities from KEV is significant because many companies use KEV to prioritize patching. It shows that, although KEV is a valuable resource, it does not provide a complete picture of the vulnerabilities used in ransomware attacks. Last year, 57 vulnerabilities used by ransomware groups, including LockBit, Conti, and BlackCat, carried only low or medium severity scores in the National Vulnerability Database. The risk is that companies who rely on those scores to prioritize patching may be lulled into a false sense of security while exploited flaws sit at the bottom of their queue.
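The two prioritization failures described above (treating KEV as the complete list, and ranking purely by CVSS) can be made concrete with a small scoring routine. The following is an added example, not code from the article or from any vendor product: it parses a KEV CSV excerpt, a ransomware-association list, and scanner findings, then compares a CVSS-only ordering with a risk-based one that weights exploitation evidence above severity. The KEV column layout is assumed from CISA's CSV export and should be checked against the live file; the KEV rows, the ransomware list, the CVSS values, the hostnames, and the control CVE-2022-99999 are all constructed for the demo, and the scoring weights are a policy choice, not a standard.

```python
"""Risk-based patch prioritisation that weights exploitation evidence over CVSS alone.

Added example, not code from the article or from any vendor product.
The KEV excerpt, the ransomware-association list and the scan findings are
constructed for the demo: in practice the first comes from CISA's KEV CSV
export, the second from a threat-intel feed and the third from your scanner.
"""
import csv
import io
from datetime import date

# Constructed excerpt. The column names follow the layout of CISA's KEV CSV
# export as assumed here (check the live file before parsing it for real);
# dates and descriptions are illustrative, not authoritative.
KEV_CSV = """\
cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,notes
CVE-2021-44228,Apache,Log4j2,Apache Log4j2 Remote Code Execution Vulnerability,2021-12-10,JNDI lookup RCE,Apply updates per vendor instructions.,2021-12-24,
CVE-2020-1472,Microsoft,Netlogon,Microsoft Netlogon Privilege Escalation Vulnerability,2021-11-03,Zerologon,Apply updates per vendor instructions.,2022-05-03,
"""

# Constructed: CVEs a threat-intel feed reports as used by ransomware operators.
# The article names all three; their KEV membership here is illustrative.
RANSOMWARE_CVES = {"CVE-2021-44228", "CVE-2020-1472", "CVE-2018-3639"}

# Constructed scanner output. CVE-2022-99999 is a fictional control: high CVSS
# but no exploitation evidence. CVSS values are illustrative, not NVD's.
FINDINGS = [
    {"cve": "CVE-2022-99999", "host": "app-01", "cvss": 9.8, "published": 2022},
    {"cve": "CVE-2021-44228", "host": "app-02", "cvss": 10.0, "published": 2021},
    {"cve": "CVE-2020-1472", "host": "dc-01", "cvss": 10.0, "published": 2020},
    {"cve": "CVE-2018-3639", "host": "hv-07", "cvss": 5.5, "published": 2018},
]

# Constructed "as of" date for the demo (the article's publication date).
TODAY = date(2023, 3, 1)


def load_kev(csv_text):
    """Parse a KEV CSV export into {cveID: row}, converting dueDate to a date."""
    kev = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["dueDate"] = date.fromisoformat(row["dueDate"])
        kev[row["cveID"]] = row
    return kev


def score(finding, kev, ransomware_cves, today):
    """Return (priority, reasons). CVSS is only the floor; exploitation evidence
    dominates it, so a medium-severity bug used by ransomware outranks an
    unexploited critical one. The weights are a policy choice, tune to taste."""
    cve = finding["cve"]
    priority = finding["cvss"]
    reasons = []
    if cve in ransomware_cves:
        priority += 10.0
        reasons.append("used in ransomware attacks")
    if cve in kev:
        priority += 5.0
        reasons.append("in CISA KEV")
        if today > kev[cve]["dueDate"]:
            reasons.append("past KEV due date %s" % kev[cve]["dueDate"].isoformat())
    age = today.year - finding["published"]
    if age >= 3 and reasons:
        # Old but still exploited: exactly the pattern the report highlights.
        reasons.append("%d years old and still exploited" % age)
    return priority, reasons


def rank_by_cvss(findings):
    """The naive ordering many teams use: CVSS descending, ties by CVE id."""
    return sorted(findings, key=lambda f: (-f["cvss"], f["cve"]))


def rank_by_risk(findings, kev, ransomware_cves, today):
    """Risk-based ordering: list of (cve, priority, reasons), highest first."""
    scored = [(f["cve"],) + score(f, kev, ransomware_cves, today) for f in findings]
    return sorted(scored, key=lambda s: (-s[1], s[0]))


def kev_gaps(ransomware_cves, kev):
    """Ransomware-associated CVEs that KEV-only prioritisation would never surface."""
    return {cve for cve in ransomware_cves if cve not in kev}


if __name__ == "__main__":
    kev = load_kev(KEV_CSV)
    print("CVSS-only order:", [f["cve"] for f in rank_by_cvss(FINDINGS)])
    for cve, prio, why in rank_by_risk(FINDINGS, kev, RANSOMWARE_CVES, TODAY):
        print("%-16s %5.1f  %s" % (cve, prio, "; ".join(why) or "no exploitation evidence"))
    print("ransomware CVEs missing from KEV:", sorted(kev_gaps(RANSOMWARE_CVES, kev)))
```

Run as-is, the CVSS-only ordering puts the fictional 9.8 control ahead of CVE-2018-3639 and the latter dead last; the risk-based ordering pushes the two KEV-listed, ransomware-used flaws (both past their KEV due dates) to the top, CVE-2018-3639 next despite its 5.5 score, and the unexploited control to the bottom. `kev_gaps` reports CVE-2018-3639 as the one ransomware-associated CVE a KEV-only process would miss, which is the gap the report quantified at 131 of 344.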

With new and established ransomware groups alike exploiting older vulnerabilities, companies need to stay ahead of the current threat landscape and update their network infrastructure regularly to prevent future attacks. At SpearTip, our team of certified engineers examines companies' security postures to shore up the weak points in their networks. We engage with their people, processes, and technology to measure the maturity of their technical environments. For every vulnerability our team uncovers, we provide a technical roadmap so companies have the awareness and support to improve their overall cybersecurity posture. Our gap analysis uncovers the blind spots that can lead to compromise by assessing both the technology in place and the internal personnel who operate it. We go beyond simple compliance frameworks and produce actionable recommendations by exposing weaknesses not only in software but in companies' people and processes.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.