The Log4J vulnerability (CVE-2021-44228) remains one of the most frequently attempted exploits even three years after its disclosure, according to cloud security provider Cato Networks.
In a report published at RSA Conference 2024, the firm observed that Log4J exploit attempts represented 30% of the outbound vulnerability exploitations and 18% of the inbound vulnerability exploitations detected in Q1 2024.
Another old vulnerability, CVE-2017-9841, which targets the PHPUnit testing framework, is the single most commonly exploited vulnerability overall. According to Cato’s statistics, it accounted for 33% of all vulnerability exploitations during the reporting period.
Cato found that 62% of all web applications run over HTTP, an unencrypted web protocol, rather than HTTPS.
Once threat actors penetrate a network, they can often move laterally with ease, because most organizations still run insecure protocols within their wide area networks (WANs).
About 54% of all WAN traffic runs over Telnet. This client/server application protocol provides access to virtual terminals on remote systems over local area networks or the internet, transmits everything (including credentials) in cleartext, and is known for being vulnerable to network-based cyber-attacks.
Cato also observed that 46% of WAN traffic uses SMB1, a legacy file-sharing protocol that lacks the security protections of later SMB versions. Lateral movement was identified most frequently in the agriculture, real estate, and travel and tourism industries. Cato also found that threat actors tend to favor particular TTPs depending on which industry they primarily target.
The ‘Endpoint Denial of Service’ technique is particularly prominent in cyber-attacks targeting victims in the entertainment, telecommunications, and mining & metals sectors.
In the services and hospitality sectors, by contrast, threat actors tend to use the ‘Exploitation for Credential Access’ technique (T1212): Cato observed this TTP three times or more as often in cyber-attacks targeting these industries as in others.
For this report, Cato analyzed 1.26 trillion network flows across the systems of Cato Networks’ 2200 customers.