Malicious actors used a variety of methods to gain initial access to victims’ networks but in 2022, cybercriminal groups appeared to focus on Remote Desktop Protocol and attacking cloud databases, according to cyber insurer Coalition. RDP is one of the most common ways that initial access brokers (IABs) and ransomware gangs gain access to victims’ networks and RDP is by far the most common remote-scanning by malicious actors. RDP scanning traffic was very high in 2022, with data collected from Coalition’s honeypots indicating RDP scans accounted for 37.67% of all detected scans. Whenever a new vulnerability is identified in RDP, scans soar as cybercriminals rush to identify targets that can be attacked.
Ransomware continues to be an enormous problem. In 2022, the gangs increasingly targeted cloud databases, especially Elasticsearch and MongoDB databases, a large number of which have been captured by ransomware gangs. The team identified 68,423 hacked MongoDB databases in 2022, and 22,846 Elasticsearch databases that had been ransomed.
The number of new software vulnerabilities has been growing steadily over the past 6 years. In 2022, more than 23,000 new common IT vulnerabilities and exposures (CVEs) were discovered, the highest number of any year to date. Coalition predicts this trend will continue in 2023 and expects more than 1,900 new CVEs to appear each month – a predicted increase of 13% from 2022. Each month Coalition expects an average of 270 high-severity vulnerabilities and 155 critical vulnerabilities to be disclosed and stressed that organizations need to remain vigilant and keep on top of patching and quickly close these security gaps.
With so many vulnerabilities now being reported, keeping on top of patching can be a major challenge. Given the huge number of vulnerabilities security teams need to address, patching is often slow, and that gives hackers a significant window of opportunity to exploit the flaws. Prompt patching is essential, as a majority of newly disclosed CVEs are exploited by cybercriminals within 30 days of the vulnerabilities being made public, with most exploited within 90 days. Exploitation can occur incredibly quickly. For instance, the Fortinet vulnerability, CVE-2022-40684, was exploited within 2 days of the announcement.
Malicious actors typically focus on exploiting a limited set of vulnerabilities. When they discover new vulnerabilities that can be exploited, they tend to stick with their tried and tested exploits and attack as many businesses as possible. While the goal of security teams should be to ensure all vulnerabilities are patched promptly, the huge number of reported vulnerabilities can make that an almost impossible task. The greatest gains can be made by prioritizing patching and ensuring the most commonly exploited vulnerabilities are patched first. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of known exploited vulnerabilities, and each year publishes a list of the most commonly exploited flaws. All vulnerabilities on these lists should be prioritized and patched first.
Effective prioritization of patching can be a challenge as it is not always clear which vulnerabilities are most likely to be exploited. IT teams often assess vulnerabilities using the Exploit Prediction Scoring System (EPSS) and CVSS severity score, yet this information is not always available when vulnerabilities are first disclosed. Coalition has gotten around this problem by developing the Coalition Exploit Scoring System (CESS), which acts as a scoring system for vulnerabilities. The system uses deep learning models that can predict the CVSS score for a vulnerability based on its description, the likelihood of an exploit being developed quickly based on past exploit availability for CVEs, and the likelihood of exploit usage against Coalition policyholders by modeling past attacks.
“With so many vulnerabilities to address, systems often go unpatched for years, leaving huge swaths of the internet unprotected,” said Coalition in the report. “Leaders responsible for protecting network security need the most accurate and insightful information to act upon — and they need an effective way to prioritize which CVEs to respond to. We have attempted to provide that necessary context and the CVSS/CESS framework to help cybersecurity leaders and practitioners make informed decisions about their digital risk and react quickly to harmful vulnerabilities.”
The post RDP and Cloud Databases Most Common Targets of Threat Actors appeared first on HIPAA Journal.