Once attackers find an attractive application vulnerability to target, they won't wait long to exploit the environment. Researchers from Unit 42 analyzed this behavior and released an Incident Response Report.
Six CVE categories accounted for more than 87% of vulnerabilities being exploited:
- ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
- Log4j
- ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
- SonicWall products
- Fortinet products
- Zoho ManageEngine ADSelfService Plus (CVE-2021-40539).
In 55% of incidents, the attackers had targeted ProxyShell. Just 14% of those cases involved Log4j. Unit 42 researchers analyzed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 for the report.
Attackers continue to rely on older, unpatched vulnerabilities as well as new ones. Scanning for vulnerabilities is not a difficult task, so attackers begin scanning for systems with a newly disclosed vulnerability as soon as they learn about it.
The 2021 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced. Scanning can practically coincide with the disclosure if the vulnerabilities themselves, and the access that can be achieved by exploiting them, are significant enough.
In one instance, researchers detected scanning and exploitation attempts targeting the authentication bypass vulnerability in F5 BIG-IP appliances (CVE-2022-1388) 2,552 times within 10 hours.
Exploiting software vulnerabilities was the second most common attack method. The top access vector was phishing. Brute-force credential attacks, primarily targeting RDP, rounded out the top three. These three attack vectors made up more than three-quarters of incidents (77%) analyzed in the incident response report.
Most of these vulnerabilities have been covered in thecyberthrone's 2021 top most exploited vulnerabilities.