Go to listing page

Threat Actors Weaponize Old Bugs to Launch Ransomware Attacks

Threat Actors Weaponize Old Bugs to Launch Ransomware Attacks
Ransomware operators are relying on unpatched systems more than ever to gain initial access to victims’ networks. A new report reveals that the attackers are actively searching the internet and dark web for old and known vulnerabilities that can be leveraged for ransomware attacks. Many of these flaws are years old and pose a risk for organizations that have not yet patched or updated their vulnerable systems.

Top observation from the report

The joint report from Cyware, Cyber Security Works (CSW), Ivanti, and Securin revealed that ransomware operators exploited a total of 344 unique vulnerabilities in attacks last year. 
  • Out of these 344 vulnerabilities, 56 were identified for the first time - marking a 19% increase year-over-year.
  • In the last quarter, around 21 of these vulnerabilities were exploited in different ransomware attacks.
  • Most of these vulnerabilities enabled an attacker to gain initial access, achieve persistence, escalate privileges, evade defense, access credentials, move laterally, and execute the final mission.

Old flaws are the biggest threat

Around 76% of 344 vulnerabilities exploited were from 2019 or before.
  • Three of these flaws were from 2012 and affected different products from Oracle. They were tracked CVE-2012-1710, CVE-2012-1723, and CVE-2012-4681.
  • Other affected products include those from ConnectWise, Zyxel, and QNAP.
  • The infamous Log4Shell flaw (CVE-2021-4428) was also found to be exploited by at least six ransomware groups. According to the report, the flaw continued to be popular among threat actors until as recently as December 2022. 
  • The Log4Shell flaw affects around 176 products from 21 vendors, including Oracle, Red Hat, Apache, Novell, and Amazon.

Other key observations

CSW observed that more than 50 APT groups have been deploying ransomware to launch attacks, a 51% increase from 33 in 2020. 
  • DEV-023, DEV-0504, DEV-0832, and DEV-0950 groups were associated with multiple ransomware attacks in Q4 2022, which crippled organizations worldwide. 
  • Around 57 vulnerabilities targeted by groups such as LockBit, Conti, and BlackCat had low- and medium-severity scores on the CVSS scale. 

Final note

Software weaknesses persist across organizations and it is very necessary for security teams to scrutinize, identify, and remediate vulnerabilities before their organizations become the next target of ransomware attacks. It is imperative that organizations understand their attack surface and provide layered security to ensure resilience in the face of increasing attacks.
Cyware Publisher