Attackers are becoming faster at exploiting previously undisclosed zero-day flaws, according to Palo Alto Networks.
The company warns in its 2022 report covering 600 incident response (IR) cases that attackers typically start scanning for vulnerabilities within 15 minutes of one being announced.
Among the vulnerabilities in this group are 2021’s most significant flaws, including the Exchange Server ProxyShell and ProxyLogon sets of flaws, the persistent Apache Log4j flaws (aka Log4Shell), the SonicWall zero-day flaws, and the flaws in Zoho ManageEngine ADSelfService Plus.
“Anytime a new vulnerability is publicized, our threat intelligence team observes widespread scanning for vulnerable systems,” the company says in its 2022 Incident Response Report.
Another major flaw that had attackers swiftly scanning the internet for affected devices was F5’s critical bug in its BIG-IP software, which the Cybersecurity and Infrastructure Security Agency (CISA) added to its growing Known Exploited Vulnerabilities Catalog in May. Palo Alto Networks saw 2,500 scans for it within 10 hours of rolling out a detection signature for the flaw.
While phishing remains the biggest method for initial access, accounting for 37% of IR cases, software vulnerabilities accounted for 31%. Brute-force credential attacks (such as password spraying) accounted for 9%, while smaller categories included previously compromised credentials (6%), insider threat (5%), social engineering (5%), and abuse of trusted relationships/tools (4%).
Over 87% of the flaws identified as the source of initial access fell into one of six vulnerability categories.
The most common initial access flaws were the Exchange Server ProxyShell flaws, at 55% of the cases Palo Alto Networks responded to. Microsoft raced out patches for ProxyShell and the related ProxyLogon flaws in early 2021, but they became the top target for several threat actors, including the Hive ransomware gang.
Log4j made up only 14% of Palo Alto’s cases, followed by SonicWall’s flaws (7%), ProxyLogon (5%), Zoho ManageEngine (4%), and Fortinet (3%). Other vulnerabilities made up the remaining 13%.
Looking only at IR cases involving ransomware, the firm found 22% were from the leak-prone Conti gang, followed by LockBit 2.0 (14%). The remaining ransomware gangs each made up less than 10% of cases; these included Hive, Dharma, PYSA, Phobos, ALPHV/BlackCat, REvil, and BlackMatter.
The company is predicting it will see more cases involving unskilled threat actors drawn to cybercrime by reports of lucrative ransomware and non-encryption extortion attacks coupled with global economic pressures.
Due to law enforcement success in tracing crypto wallets to their owners, and the instability of cryptocurrency, the company is also predicting a possible rise in business email compromise fraud, a $43 billion scam that is overshadowed in public discussion by disruptive ransomware attacks.