Updating systems and patching security vulnerabilities has always been a key part of the job for any IT or security professional, but a new report from cybersecurity giant Palo Alto Networks sheds new light on just how quickly threat actors are leveraging new vulnerabilities.
The Santa Clara, Calif.-based security software provider’s Unit 42 Incident Response Report, an analysis of more than 600 incident response cases conducted over the past year found that software vulnerabilities were the initial access vector in 31% of cases, with phishing attacks remaining the top vector at 37% of cases.
Popular vulnerabilities leveraged
In cases where software vulnerabilities were exploited, ProxyShell—a chain of three vulnerabilities in Microsoft Exchange Server—was the most common vulnerability exploited by attackers in cases analyzed by Unit 42. The three bugs making up the ProxyShell exploit, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, were responsible for 55% of cases where vulnerabilities were leveraged.
Meanwhile, Log4Shell, the critical remote code execution flaw found in the popular Java logging tool Log4j late last year, was leveraged in 14% of such cases. Palo Alto notes in its report that by February 2, its researchers saw nearly 126 million hits triggering the Threat Prevention signature meant to protect against the exploit. Although just 14%, Palo Alto notes that the bug was public for just a few months of the time period studied in the report.
Attackers quick to exploit new bugs
That quick action by threat actors was also detailed in the report, with the company reporting a rise in exploits of new vulnerabilities and a quicker time-to-exploit once a bug is published. According to Palo Alto Networks, exploitation can sometimes coincide with the disclosure.
One vulnerability discovered by the company had 2,552 hits just 10 hours after publishing due to vulnerability scanning and active exploitation attempts, according to the report.
However, attackers start scanning for vulnerabilities with 15 minutes of a CVE being published, which places more emphasis on the need to immediately apply critical security updates when they become available.
Ransomware payouts, most attacked industries
Other key trends covered in the report include new findings on ransomware. According to the report, the median dwell time ransomware attackers spend in an environment before being detected was 28 days. Ransom demands also continue to rise, hitting an average of nearly $1 million, and some reported payouts as high as $8 million.
The report also highlights the most attacked industries observed in cases Palo Alto Networks has worked, with finance, professional and legal services, manufacturing, healthcare, high tech, wholesale and retail making up 63% of the company’s cases.
Read the company’s report for more information.