UPDATED 09:00 EDT / DECEMBER 19 2023

SECURITY

Majority of 2023’s critical cyberattacks stemmed from fewer than 1% of vulnerabilities

A new report released today by cybersecurity software provider Qualys Inc. finds that in 2023, fewer than 1% of vulnerabilities contributed to the highest risks and were routinely exploited in the wild.

The 2023 Threat Landscape Year in Review report details key insights from the vulnerability threat landscape, the top vulnerability types and other related data, including mean time to exploitation, MITRE ATT&CK tactics and techniques, and the most active ransomware and threat actors in 2023.

The report also found that 97 high-risk vulnerabilities likely to be exploited were not listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. A quarter of high-risk vulnerabilities were exploited on the same day they were published, and a third of high-risk vulnerabilities affected network devices and web applications.

There were 26,447 vulnerabilities disclosed in 2023, more than 1,500 above the 2022 total and the highest number ever disclosed in a single year. Of those, more than 7,000 had proof-of-concept exploit code that could potentially result in successful exploitation. But the exploit code was typically of lower quality, which may reduce the likelihood of a successful attack.

Some 206 vulnerabilities had weaponized exploit code available, meaning they were highly likely to compromise the target system if used. There were 115 vulnerabilities that were routinely exploited by threat actors, malware and ransomware groups such as Clop.

More than a third of the identified high-risk vulnerabilities could be exploited remotely. The five most prevalent vulnerability types accounted for more than 70% of the total discovered.

The mean time to exploit high-risk vulnerabilities in 2023 came in at about 44 days. However, the report notes that in numerous instances, exploitation occurred almost instantaneously, with some vulnerabilities exploited on the very day they were published.

Exploiting vulnerabilities as soon as they become known is said to represent a shift in the modus operandi of attackers, highlighting their growing efficiency and the ever-decreasing window for response by defenders. A quarter of high-risk Common Vulnerabilities and Exposures entries were exploited on the day of their publication.

Key vulnerabilities exploited throughout the year include those targeted at PaperCut NG, MOVEit Transfer, various Windows operating systems, Google Chrome, Atlassian Confluence and Apache ActiveMQ. Many of the vulnerabilities were exploitable remotely, removing the need for physical access to targeted systems.

The top MITRE ATT&CK techniques used in 2023 were led by exploitation of remote services (T1210 in the enterprise matrix and T0866 in the ICS matrix), which was observed 72 times in enterprise environments and 24 times in industrial control systems, underlining the importance of securing remote service protocols. Next on the list, exploitation of public-facing applications (T1190 and T0819) was observed 53 times in enterprises and 19 times in ICS, and exploitation for privilege escalation (T1068) came in third with 20 recorded instances.

The most active threat actor in 2023 was Clop, sometimes referred to as TA505 or CL0P. The group was behind high-profile cyberattacks that exploited zero-day vulnerabilities on platforms like GoAnywhere MFT, PaperCut, MOVEit and SysAid. On the ransomware side, Clop and LockBit were the leading hacking groups.

The report makes a number of security recommendations, noting that “it’s evident that the rapid pace of vulnerability weaponization and the diversity of threat actors pose significant challenges for organizations globally.” Recommendations include that businesses should adopt a multilayered approach, employing a variety of sensors to inventory public-facing applications and remote services for vulnerabilities. It’s also advised to prioritize remediation efforts based on factors such as inclusion in the CISA KEV catalog, high exploitation probability scores and the availability of weaponized exploit code.
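As an added illustration of the prioritization the report recommends, the Python script below cross-references a set of findings against a KEV-shaped feed and ranks them by KEV membership, exploit maturity, an exploitation-probability score and internet exposure. This is example code written for this page, not Qualys’ or CISA’s tooling. The KEV excerpt (which only mirrors the shape of CISA’s JSON feed), the CVE-0000-000N placeholder identifiers, the findings, the probability values and the scoring weights are all constructed assumptions; the weights in particular are the knob a team would tune. It also shows why KEV membership alone is not enough: a finding with a weaponized exploit on an internet-facing asset outranks a KEV-listed one that only has a proof of concept on an internal host.

```python
import json
from dataclasses import dataclass

# Constructed excerpt in the shape of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs are placeholders, not real catalog entries.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Transfer Server",
         "dateAdded": "2023-06-02", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Print Manager",
         "dateAdded": "2023-04-21", "requiredAction": "Apply updates per vendor instructions."},
    ],
})


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    internet_facing: bool
    epss: float   # exploitation probability score in [0, 1] (constructed values)
    exploit: str  # "none", "poc" or "weaponized" (assumed vocabulary)


# Constructed scanner output: four findings across two hosts.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "mft-gw-01", True, 0.90, "weaponized"),
    Finding("CVE-0000-0002", "mft-gw-01", True, 0.70, "weaponized"),  # high risk, not in KEV
    Finding("CVE-0000-0003", "print-01", False, 0.20, "poc"),
    Finding("CVE-0000-0004", "print-01", False, 0.01, "none"),
]

# Arbitrary additive weights; tune to local policy.
WEIGHTS = {"kev": 40, "weaponized": 30, "poc": 10, "internet": 15}
EPSS_WEIGHT = 20   # probability score scaled into the same point range
HIGH_EPSS = 0.5    # assumed threshold for "high exploitation probability"


def load_kev_ids(feed_json: str) -> set[str]:
    """Return the set of CVE IDs in a KEV-shaped JSON feed."""
    return {entry["cveID"] for entry in json.loads(feed_json)["vulnerabilities"]}


def score_finding(f: Finding, kev_ids: set[str]) -> tuple[int, list[str]]:
    """Score one finding and explain which risk factors contributed."""
    score, reasons = 0, []
    if f.cve in kev_ids:
        score += WEIGHTS["kev"]
        reasons.append("in CISA KEV")
    if f.exploit == "weaponized":
        score += WEIGHTS["weaponized"]
        reasons.append("weaponized exploit available")
    elif f.exploit == "poc":
        score += WEIGHTS["poc"]
        reasons.append("proof-of-concept only")
    score += round(f.epss * EPSS_WEIGHT)
    if f.epss >= HIGH_EPSS:
        reasons.append(f"high exploitation probability ({f.epss:.2f})")
    if f.internet_facing:
        score += WEIGHTS["internet"]
        reasons.append("internet-facing")
    return score, reasons


def prioritize(findings: list[Finding], kev_ids: set[str]) -> list[dict]:
    """Rank findings by score (highest first); ties broken by CVE ID for determinism."""
    rows = []
    for f in findings:
        score, reasons = score_finding(f, kev_ids)
        rows.append({"cve": f.cve, "asset": f.asset, "score": score, "reasons": reasons})
    return sorted(rows, key=lambda r: (-r["score"], r["cve"]))


def kev_only_order(findings: list[Finding], kev_ids: set[str]) -> list[str]:
    """Naive baseline: KEV-listed first, everything else after, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: (f.cve not in kev_ids, f.cve))]


def high_risk_missing_from_kev(findings: list[Finding], kev_ids: set[str]) -> list[str]:
    """Findings that look high-risk (weaponized or high probability) but are absent from KEV."""
    return [f.cve for f in findings
            if f.cve not in kev_ids and (f.exploit == "weaponized" or f.epss >= HIGH_EPSS)]


if __name__ == "__main__":
    kev = load_kev_ids(KEV_FEED)
    for row in prioritize(SAMPLE_FINDINGS, kev):
        print(f"{row['score']:>4}  {row['cve']}  {row['asset']:<10} {'; '.join(row['reasons'])}")
    print("KEV-only order:", kev_only_order(SAMPLE_FINDINGS, kev))
    print("High-risk but not in KEV:", high_risk_missing_from_kev(SAMPLE_FINDINGS, kev))
```

Running it puts CVE-0000-0002 second even though it is absent from KEV, whereas the KEV-only baseline would push it below the internal proof-of-concept-only finding; the `high_risk_missing_from_kev` list is the local analogue of the 97 vulnerabilities the report found outside the catalog.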

