- Less than one percent of vulnerabilities contributed to the highest risk and were routinely exploited in the wild.
- 97 high-risk vulnerabilities, likely to be exploited, were not part of the CISA Known Exploited Vulnerabilities (KEV) catalog.
- 25 percent of these security vulnerabilities were immediately targeted for exploitation, with the exploit being published on the same day as the vulnerability was publicly disclosed.
- 1/3 of high-risk vulnerabilities impacted network devices and web applications.
- Exploitation of remote services, exploitation of public-facing applications, and exploitation for privilege escalation are the top three MITRE ATT&CK tactics
Qualys, Inc (NASDAQ: QLYS), has released new research from the Qualys Threat Research Unit (TRU), delving into some of the critical vulnerabilities in 2023 and their impact on organizations. 26,447 vulnerabilities were disclosed in 2023, eclipsing the total number of vulnerabilities disclosed in 2022 by over 1,500 CVEs.
“While this is alarming and continues the years-long trajectory of more vulnerabilities being found than the year before, it is important to note that not all vulnerabilities present a high risk; in fact, a small subset (less than 1%) contributes the highest risk. These particularly critical vulnerabilities are ones that have a weaponized exploit, are actively exploited by ransomware, threat actors, and malware, or have confirmed evidence of exploitation in the wild,” commented Saeed Abbasi, Product Manager – Threat Research Unit, Qualys.
The Qualys TRU analyzed the high-risk vulnerabilities to get more insights and discuss common trends. The TRU inspected which were most exploited, what attack methods and tactics were used, and what strategies can be used to fortify defenses against them. Some key takeaways from the research include:
Mean Time To Exploit Availability for High-Risk Vulnerabilities in 2023
The mean time to exploit vulnerabilities in 2023 stands at 44 days (about one-and-a-half months). However, this average masks the urgency of the situation. In numerous instances, vulnerabilities had exploit available on the very day they were published. This immediate action represents a shift in the modus operandi of attackers, highlighting their growing efficiency and the ever-decreasing window for response by defenders.
One-Third of High-Risk Vulnerabilities Found in Network Infrastructure & Web Applications
A substantial 32.5% of the 206 identified vulnerabilities reside within the networking infrastructure or web application domains — sectors traditionally difficult to safeguard through conventional means.
More Than 50 Percent of High-Risk Vulnerabilities Exploited by Threat Actors & Ransomware Groups
Of the 206 high-risk vulnerabilities Qualys tracked, more than 50 percent were leveraged by threat actors, ransomware, or malware to compromise systems. 115 were exploited by named threat actors; 20 were exploited by ransomware; and 15 were exploited by malware and botnets.
The vulnerabilities identified span an extensive set of systems and applications, including, but not limited to, PaperCut NG, MOVEit Transfer, various Windows operating systems, Google Chrome, Atlassian Confluence, and Apache ActiveMQ. This breadth showcases that no application is beyond the reach of attackers, who are determined to exploit any vulnerability to compromise systems. Notably, many of these vulnerabilities, such as those found in MOVEit Transfer, Windows SmartScreen, and Google Chrome, are exploitable remotely, obviating the need for physical access to the targeted system.
Most Active Threat Actors of 2023
In 2023, the cyber landscape was shaken by TA505, also known as the CL0P Ransomware Gang. This group masterminded a high-profile cyberattack by exploiting zero-day vulnerabilities, and they notably exploited zero-day vulnerabilities in key platforms like GoAnywhere MFT, PaperCut, MOVEit, and SysAid. Their sophisticated use of diverse malware types for information gathering and attack facilitation marked them as a significant threat. The severity of their actions prompted advisories from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), highlighting the need for improved cybersecurity measures.
Most Active Malware of 2023
In 2023, LockBit and Clop were prominent in the ransomware arena. LockBit, using its advanced ransomware-as-a-service model, targeted a range of organizations, including in the IT and finance sectors. Clop, known for exploiting vulnerabilities, conducted extensive attacks on large enterprises, notably in the finance, IT, and healthcare sectors.
“It is evident that the rapid pace of vulnerability weaponization and the diversity of threat actors pose significant challenges for organizations globally. To accurately assess the genuine risk presented by open vulnerabilities within their organization, it’s essential that businesses employ a comprehensive set of sensors, ranging from agent to network scanners to external scanners. In addition, it is imperative to thoroughly inventory all public-facing applications and remote services to ensure they are not vulnerable to high-risk vulnerabilities. And finally, I’d advise organizations to employ a multifaceted approach to the prioritization of vulnerabilities — focus on those known to be exploited in the wild (start with the CISA KEV), those with a high likelihood of exploitation (indicated by a high EPSS score), and those with weaponized exploit code available,” added Abbasi.
“These recommendations will help reinforce the critical need for a robust, proactive approach to vulnerability and risk management, especially in an increasingly sophisticated and pervasive era of cyber threats.”
The Qualys Enterprise TruRisk Platform helps customers holistically measure, effectively communicate, and proactively eliminate cyber risk, with a focus on the impact of cyber risk on business risk.