Race Against Time: Hackers Start Hunting Victims Just 15 Minutes After Bug Revealed
Attackers are increasingly exploiting previously undisclosed zero-day flaws, according to Palo Alto Networks.
The company warns in its 2022 report, which covers 600 incident response (IR) cases, that attackers typically begin scanning for a vulnerability within 15 minutes of its being announced.
Among this group are the most prominent flaws of 2021, including the Exchange Server ProxyShell and ProxyLogon sets of flaws, the Apache Log4j flaw known as Log4Shell, SonicWall zero-day flaws, and the Zoho ManageEngine ADSelfService Plus flaw.
“Whenever a new vulnerability is made public, our threat intelligence team observes widespread scanning of vulnerable systems,” the company says in its 2022 Incident Response Report.
Another major flaw that prompted attackers to rapidly scan the internet for affected devices was F5’s critical bug in its BIG-IP software, which the Cybersecurity and Infrastructure Security Agency (CISA) added to its growing Known Exploited Vulnerabilities catalog in May. Palo Alto Networks saw 2,500 scans within 10 hours of deploying a signature for the flaw.
While phishing remained the top method of initial access, accounting for 37% of IR cases, software vulnerabilities accounted for 31%. Brute-force credential attacks (such as password spraying) accounted for 9%, while smaller categories included previously compromised credentials (6%), insider threats (5%), social engineering (5%) and abuse of trusted relationships/tools (4%).
More than 87% of the vulnerabilities identified as a source of initial access fell into one of six vulnerability categories.
The most common initial access flaws were the Exchange Server ProxyShell flaws, seen in 55% of the cases the company responded to. Microsoft rolled out patches for ProxyShell and the related ProxyLogon flaws in early 2021, but they became a primary target for several threat actors, including the Hive ransomware gang.
Log4j accounted for only 14% of Palo Alto’s cases, followed by SonicWall (7%), ProxyLogon (5%), Zoho ManageEngine (4%), and Fortinet (3%) flaws. Other vulnerabilities accounted for the remaining 13%.
Looking only at IR cases involving ransomware, the company found that 22% belonged to the leak-prone Conti gang, followed by LockBit 2.0 (14%). The remaining ransomware gangs each accounted for less than 10% of cases and included Hive, Dharma, PYSA, Phobos, ALPHV/BlackCat, REvil, and BlackMatter.
The company predicts that it will see more cases involving unskilled threat actors lured into cybercrime by reports of lucrative ransomware attacks and encryption-less extortion coupled with global economic pressures.
Due to the success of law enforcement in tracing crypto wallets to their owners and the volatility of cryptocurrency, the company also foresees a possible increase in business email compromise fraud, a $43 billion scam that is eclipsed in public debate by disruptive ransomware attacks.