Qualys Inc., a leading provider of cloud-based IT, security, and compliance solutions, released its 2023 TruRisk Research Report.
The report traverses the global number of vulnerabilities detected by Qualys in 2022 – upwards of 2.3 billion. The findings of the report match the opportunistic behavior of threat actors who continue to be agile in modifying techniques to achieve successful exploits.
The explosion of digital transformation in every business today is inevitable. Companies are increasingly competing by enhancing their customers’ digital experience. Similarly, global government organizations are significantly accelerating digital programs enabling citizens with e-governance, biometric identities and cardless payments to overcome financial exclusion.
This has led to staggering amounts of software being developed in the last few years and a surge in software vulnerabilities with many more to come. Combine this with the shortage of skilled cybersecurity professionals, and CISOs and security teams are left with the daunting challenge of keeping up with the sheer volume of information coming at them.
CISOs and security teams must continuously work to keep up with the fast pace of technological advancement and evolving cyber threats to reach their goal of reducing their organization’s risk.
The Qualys 2023 TruRisk Research Report discusses the five most exploited vulnerabilities of the calendar year 2022, and the five key ‘Risk Facts’ that security teams need to consider.
To compile the report, the Qualys Threat Research Unit analyzed more than 13 billion events to gain insight into the vulnerabilities found on devices, the security of web apps, and the misconfiguration of on-premise devices.
The most exploited vulnerabilities are CVE-2022-30190 (Follina); CVE-2022-26134 (Atlassian); CVE-2022-22954 (VMware); CVE-2022-1040 (Sophos Firewall); and CVE-2022-24521 (Windows). The first four all have a Qualys vulnerability score (QVS) of 100; the last scores 95. All five have been used in ransomware attacks, and all five are included in CISA’s KEV list.
CVE-2022-30190, Follina, leverages Microsoft URL handlers, ultimately allowing PowerShell commands to provide remote code execution. It is known to have been used by at least four named threat actors, including Fancy Bear, Wizard Spider, Luckycat, and UAC-0098. Qualys knows of six malware families that have used the vulnerability, including the Qakbot, Skeeyah, and Black Basta ransomware. The patch rate for this vulnerability is relatively high at 91.21%, taking an average of 28.4 days from the patch release – but this was from a total of 12.8 million worldwide detections, so the number of unpatched devices remains high.
CVE-2022-26134, Atlassian, is an unauthenticated remote code execution vulnerability that allows an attacker to execute arbitrary code on a Confluence Server or Data Center instance. It has been exploited by at least four malware families, including Sparkling Goblin and the two ransomware groups Cerber and AvosLocker. Despite the ease of exploitation, its patch rate is low at 58.30%, taking an average of 28.5 days.
CVE-2022-22954, VMware, is a remote code execution vulnerability that can be easily exploited by anyone with access to a vulnerable instance. It was one of five weaponized vulnerabilities discovered at the time, two of which were added to the KEV list, but only one (this one) was leveraged by threat actors and ransomware groups. Qualys specifically mentions the Rocket Kitten group, and the RAR1Ransom and Clop ransomware families. It has an 87.3% patch rate at an average of 14.3 days.
CVE-2022-1040, Sophos, is a firewall authentication bypass vulnerability that allows unauthorized access to the firewall to execute arbitrary code. It has been used by the LuckyCat and DriftingCloud threat groups and by the Ragnarok ransomware family. It has a patch rate of just 34.7%, taking an average of 70 days.
CVE-2022-24521, Windows, is a vulnerability affecting the CLFS driver. It allows privilege escalation and is used in conjunction with other exploit techniques: such vulnerabilities are typically used after an attacker has already gained access to the vulnerable system, in order to elevate privileges. It was detected in more than 14 million instances. CISA added it to the KEV list two days before the NVD published the CVE. It is known to have been used by UNC2596 and Vice Society, while other exploits have been observed from four malware families, including N13V/RedAlert, Cuba, and Yunluowang. It has a 90% patch rate at an average of 20.6 days.