In this blog, CSW experts analyzed CISA’s Known Exploited Vulnerabilities (KEV) list for latencies in publishing, exploiting, and patching to understand how fast attackers are weaponizing them for attacks.
On November 3, 2021, CISA released a directive of Known Exploited Vulnerabilities (KEVs) and advised organizations to address them within stipulated deadlines. This was followed by regular additions to the vulnerabilities list that stands at 787 KEVs today. Our researchers found that 647 vulnerabilities out of 787 are trending in the wild with high internet and dark web chatter which is a clarion call for organizations to patch them immediately – well before the deadline.
Latencies in publishing vulnerabilities and releasing patches are enabling attackers to launch crippling and devastating supply chain attacks on critical entities. In recent times, the trend of exploitation of zero-day vulnerabilities even before NVD disclosure has picked up momentum, as called out by our research in ransomware.
In this blog, we analyze these latencies and strive to answer the following question:
“Are latencies in identifying, publishing, and releasing patches for vulnerabilities providing further impetus to foraging cyber attackers?”
Latencies in Vulnerabilities
Our research points to three types of latency in vulnerabilities that can prove costly to organizations. Unfortunately, all three apply to the CISA KEVs:
- NVD disclosure latency – the average time taken for the NVD to publish a vulnerability in its database
- Exploit latency – the average time taken for a vulnerability to be weaponized
- Patch latency – the average time taken for the vendor to release a patch
Our research shows that attackers typically go after all vulnerabilities irrespective of their patching status.
| Timing of exploitation vs. patch (count of CVEs) | Overall | Critical | High | Medium | Low |
|---|---|---|---|---|---|
| Exploit before patch | 86 | 44 | 36 | 6 | – |
| Same day | 53 | 29 | 23 | 1 | – |
| Exploit after patch | 175 | 80 | 82 | 13 | – |
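The three latencies defined above and the before/same-day/after bucketing in the table are easy to reproduce from dated records. The script below is an added example, not code from CSW or from this post; it uses a constructed set of records with hypothetical CVE IDs and dates, and it assumes the reference points shown in the comments (disclosure latency measured from first public disclosure to NVD publication, exploit latency from NVD publication to first observed exploitation, patch latency from first public disclosure to the vendor patch).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

SEVERITIES = ("Critical", "High", "Medium", "Low")
BUCKETS = ("Exploit before patch", "Same day", "Exploit after patch")


@dataclass(frozen=True)
class VulnRecord:
    cve: str
    severity: str          # CVSS qualitative rating
    first_disclosed: date  # first public disclosure (vendor advisory or public report)
    nvd_published: date    # date the NVD entry went live
    exploit_seen: date     # first observed in-the-wild exploitation
    patch_released: date   # vendor patch release date


# Constructed sample: hypothetical CVE IDs and dates, not taken from the KEV catalog.
SAMPLE = [
    VulnRecord("CVE-2021-00001", "Critical", date(2021, 4, 19), date(2021, 4, 30), date(2021, 4, 19), date(2021, 4, 28)),
    VulnRecord("CVE-2021-00002", "High",     date(2021, 12, 10), date(2021, 12, 10), date(2021, 12, 10), date(2021, 12, 10)),
    VulnRecord("CVE-2019-00003", "Medium",   date(2019, 3, 1),  date(2019, 3, 5),  date(2019, 5, 1),  date(2019, 3, 3)),
    VulnRecord("CVE-2019-00004", "Critical", date(2019, 6, 1),  date(2019, 6, 2),  date(2019, 5, 20), date(2019, 6, 10)),
    VulnRecord("CVE-2020-00005", "High",     date(2020, 1, 10), date(2020, 1, 15), date(2020, 2, 15), date(2020, 1, 12)),
]


def days_between(start: date, end: date) -> int:
    """Signed day count from start to end (negative when end precedes start)."""
    return (end - start).days


def latencies(r: VulnRecord) -> dict:
    """The three latencies for one record, in days (reference points are an assumption).

    disclosure: first public disclosure -> NVD publication
    exploit:    NVD publication -> first exploitation (negative = exploited before NVD listed it)
    patch:      first public disclosure -> vendor patch
    """
    return {
        "disclosure": days_between(r.first_disclosed, r.nvd_published),
        "exploit": days_between(r.nvd_published, r.exploit_seen),
        "patch": days_between(r.first_disclosed, r.patch_released),
    }


def classify(r: VulnRecord) -> str:
    """Bucket by whether exploitation preceded, coincided with, or followed the patch."""
    gap = days_between(r.patch_released, r.exploit_seen)
    if gap < 0:
        return "Exploit before patch"
    if gap == 0:
        return "Same day"
    return "Exploit after patch"


def tally_by_severity(records) -> dict:
    """Counts per bucket and severity, plus an Overall column, in the layout of the table above."""
    table = {b: {"Overall": 0, **{s: 0 for s in SEVERITIES}} for b in BUCKETS}
    for r in records:
        bucket = classify(r)
        table[bucket]["Overall"] += 1
        table[bucket][r.severity] += 1
    return table


def average_latencies(records) -> dict:
    """Mean of each latency across the records, rounded to one decimal place."""
    totals = defaultdict(int)
    for r in records:
        for name, value in latencies(r).items():
            totals[name] += value
    n = len(records)
    return {name: round(total / n, 1) for name, total in totals.items()}


if __name__ == "__main__":
    for r in SAMPLE:
        print(r.cve, classify(r), latencies(r))
    print(tally_by_severity(SAMPLE))
    print(average_latencies(SAMPLE))
```

The sign convention matters: a negative exploit latency is exactly the "exploited before it made it to the NVD" case discussed below, so it should be kept rather than clamped to zero when averaging.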
With the recent update, our analysis shows that around 11% of the vulnerabilities were exploited even before the vendor could release a patch, which ties in with our research on zero-day vulnerabilities exploited before they made it to the NVD.
Around 23% of the vulnerabilities were weaponized and exploited after the patch was released, which spotlights the lack of cyber hygiene.
What jumps out of this analysis is that attackers are weaponizing vulnerabilities at speeds not seen before, so vendors need to react within minimal response times to stay ahead of attackers.
CVE-2021-0920 has the largest patch latency, having been exploited for almost two and a half years before a patch was released by its vendor.
CVEs exploited before a patch

| Year | Average exploit latency (days) |
|---|---|
| 2004 | 3 |
| 2006 | 1191 |
| 2007 | 1 |
| 2009 | 195.6666667 |
| 2010 | 23.66666667 |
| 2011 | 8.5 |
| 2012 | 211 |
| 2013 | 82.55555556 |
| 2014 | 104.7142857 |
| 2015 | 37.33333333 |
| 2016 | 63.58823529 |
| 2017 | 81.44444444 |
| 2018 | 86.85714286 |
| 2019 | 93.2972973 |
| 2020 | 85.84 |
| 2021 | 73.76470588 |
| 2022 | 2 |
CVE-2006-2492 has the largest exploit latency, exploited 3 years 3 months after the vulnerability was patched by its vendor.
CVEs that were patched before an exploit

| Year | Average exploit latency (days) |
|---|---|
| 2004 | 3 |
| 2006 | 1191 |
| 2007 | 1 |
| 2009 | 195.6666667 |
| 2010 | 23.66666667 |
| 2011 | 8.5 |
| 2012 | 211 |
| 2013 | 82.55555556 |
| 2014 | 104.7142857 |
| 2015 | 37.33333333 |
| 2016 | 63.58823529 |
| 2017 | 81.44444444 |
| 2018 | 86.85714286 |
| 2019 | 93.2972973 |
| 2020 | 85.84 |
| 2021 | 73.76470588 |
| 2022 | 2 |
An exploited vulnerability remains a perpetual threat to any organization that has not applied the fix, irrespective of whether the vendor has released a patch. The sheer volume of patches that security teams need to apply calls for AI-based solutions that prioritize patching cadence based on accurate threat context.
Zero-day vulnerabilities – NVD disclosure latency and patch latency
Our Ransomware Spotlight Report published in January 2022 highlighted the trend of ransomware groups going after zero-day vulnerabilities. All four vulnerabilities identified there now feature in the CISA KEVs. Incidentally, all four show both NVD disclosure latency and patch latency.
CSW first warned of these vulnerabilities in the 2021 Ransomware Index Reports released in August and October 2021.
The zero-day vulnerabilities — CVE-2021-28799, CVE-2021-44228, CVE-2021-30116, and CVE-2021-20016 — started seeing exploitation by attackers before their vendors could release a patch and, in some cases, even before the vendors themselves were aware of the flaw.
QNAP: CVE-2021-28799
A vulnerability in QNAP NAS devices came to the limelight in 2021 when attackers exploited a then-unknown vulnerability in the Hybrid Backup Sync application. The Qlocker ransomware soon after developed its exploit for the zero-day, which was patched 9 days after details of the first ransomware exploit were made public and was added to the NVD 11 days after. The QNAP vulnerability is a classic example of how threat actors scout for weaknesses in code, taking full advantage of patch and NVD disclosure latencies.
A snippet from CSW’s Ransomware Report 2022
Apache Log4j: CVE-2021-44228
A series of vulnerabilities in the Apache Log4j logging library shook the security world in late December 2021, and the impact is still being felt today. CVE-2021-44228 was completely patched only 21 days after the vulnerability was disclosed publicly, which gave attackers enough of a window to jump on the bandwagon and compromise a series of products using the Apache library. The incident also highlighted the importance of a complete fix for vulnerabilities, with many earlier patches overridden due to lapses and misconfigurations, even as attack incidents unfolded.
A snippet from CSW’s Ransomware Report 2022
Kaseya: CVE-2021-30116
The Kaseya supply chain incident in July 2021 resulted in massive impact through a cascade of attacks on third parties. The REvil ransomware group compromised Kaseya VSA servers even as the team was working on patches for three newly identified vulnerabilities. This small gap in patch latency was sufficient for the group to wage a crippling attack.
A snippet from CSW’s Ransomware Report 2022
SonicWall SMA: CVE-2021-20016: Unidentified vulnerability
At the start of 2021, a new ransomware group, FiveHands, quietly capitalized on a then-unknown vulnerability, CVE-2021-20016. The events brought the vulnerability to the notice of its vendor, who released a patch 11 days later, by which time the CVE had been weaponized and used to stealthily infiltrate organizational networks. Our research also attributes this vulnerability to the infamous DarkSide group.
A snippet from CSW’s Ransomware Report 2022
Three of the vulnerabilities — CVE-2021-28799, CVE-2021-20016 and CVE-2021-30116 — were warned about by CSW well before they were added to the CISA KEVs!
Organizations that consider only the NVD as their single source of truth are at huge risk. While the NVD plays a crucial role as a repository of vulnerabilities, a multi-layered approach is needed to give this base data an accurate threat context. Furthermore, vendors must act fast and address identified vulnerabilities immediately, while also ensuring that their end-users are notified to prioritize their remediation efforts.
CSW’s vulnerability intelligence database offers organizations timely warnings and the most comprehensive insights into vulnerabilities and the threats associated with them.
Exploit Latency
We looked at the year-wise distribution of vulnerabilities and their average exploit times with respect to when they were published in the NVD (a negative value means exploitation was observed before the NVD entry was published). We can observe that the vulnerabilities CISA warns about as highly exploited belong mostly to recent years. Most importantly, the average time to exploitation has dropped drastically, even after the release of a patch, with attackers exploiting vulnerabilities within days of their being added to the NVD. This, again, is a warning to organizations to implement patches without delay.
| Year | Average exploit latency (days) | Count of CVEs |
|---|---|---|
| 2002 | -70 | 1 |
| 2004 | 3 | 1 |
| 2006 | 1191 | 1 |
| 2007 | -4 | 2 |
| 2008 | -124 | 1 |
| 2009 | 70.71428571 | 7 |
| 2010 | -29.36363636 | 11 |
| 2011 | 2.5 | 4 |
| 2012 | 58.7 | 10 |
| 2013 | 20.95 | 20 |
| 2014 | -18.875 | 16 |
| 2015 | -13.8 | 20 |
| 2016 | 12.625 | 24 |
| 2017 | 30.84848485 | 33 |
| 2018 | 52.32258065 | 31 |
| 2019 | 60.47169811 | 53 |
| 2020 | 42.64285714 | 42 |
| 2021 | 3.027777778 | 36 |
| 2022 | 2 | 1 |
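The year-wise breakdown above is a grouped average over signed gaps, and the negative rows are the interesting ones: they are CVEs exploited before the NVD listed them. The script below reproduces that aggregation and additionally counts, per year, how many CVEs fall in the pre-NVD case. It is an added example, not CSW's code; the records are constructed with hypothetical CVE IDs and dates, and the only assumption is that each record carries the NVD publication date and the date of first observed exploitation.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of (CVE id, NVD publication date, first observed in-the-wild
# exploitation). Hypothetical IDs and dates, not taken from the KEV catalog; the
# negative gaps are deliberate so the script shows how pre-NVD exploitation is handled.
SAMPLE = [
    ("CVE-2019-00001", date(2019, 2, 1),   date(2019, 4, 12)),  # exploited 70 days after NVD
    ("CVE-2019-00002", date(2019, 7, 10),  date(2019, 7, 20)),  # 10 days after
    ("CVE-2020-00003", date(2020, 3, 3),   date(2020, 2, 2)),   # 30 days BEFORE the NVD listed it
    ("CVE-2020-00004", date(2020, 9, 1),   date(2020, 9, 1)),   # same day
    ("CVE-2021-00005", date(2021, 12, 10), date(2021, 12, 9)),  # 1 day before
    ("CVE-2021-00006", date(2021, 5, 5),   date(2021, 5, 12)),  # 7 days after
]


def exploit_latency_days(nvd_published: date, exploit_seen: date) -> int:
    """Signed gap from NVD publication to first exploitation; negative = exploited first."""
    return (exploit_seen - nvd_published).days


def yearly_summary(records) -> dict:
    """Per NVD-publication year: mean exploit latency, CVE count, and how many were
    exploited before their NVD entry existed (latency < 0)."""
    buckets = defaultdict(list)
    for _cve, nvd_published, exploit_seen in records:
        buckets[nvd_published.year].append(exploit_latency_days(nvd_published, exploit_seen))
    summary = {}
    for year in sorted(buckets):
        gaps = buckets[year]
        summary[year] = {
            "average": round(sum(gaps) / len(gaps), 2),
            "count": len(gaps),
            "pre_nvd": sum(1 for g in gaps if g < 0),
        }
    return summary


def pre_nvd_share(records) -> float:
    """Fraction of all records exploited before NVD publication, rounded to 3 places."""
    negatives = sum(1 for _c, nvd, seen in records if exploit_latency_days(nvd, seen) < 0)
    return round(negatives / len(records), 3)


def render_table(summary: dict) -> str:
    """Markdown table in the same layout as the one above, plus the pre-NVD column."""
    lines = ["| Year | Average exploit latency (days) | Count of CVEs | Exploited before NVD |",
             "|---|---|---|---|"]
    for year, row in summary.items():
        lines.append(f"| {year} | {row['average']} | {row['count']} | {row['pre_nvd']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    s = yearly_summary(SAMPLE)
    print(render_table(s))
    print(f"Share exploited before NVD publication: {pre_nvd_share(SAMPLE):.1%}")
```

Averaging signed gaps can hide the pre-NVD cases (a few large positive values pull the mean up), which is why the example reports the pre-NVD count alongside the mean rather than relying on the mean alone.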
Here are some prominent instances where unpatched vulnerabilities were exploited by hackers.
Our continued vulnerability research identified around 70% of the CISA-warned vulnerabilities as threats even before they were added to the KEV list. For 66% of the vulnerabilities, our research predicted the highest chances of exploitability even before the first set of KEVs was released by CISA.
The most recent rage, the Spring4Shell vulnerability, was warned about by CSW five days before it was added to the CISA KEVs list.
The zero-click vulnerability in Microsoft Word, Follina, was flagged as dangerous by CSW 11 days before CISA.
Stay tuned to our blogs to stay on top of trending threats.
Had these warnings been heeded, security teams would have had ample time to analyze, prioritize and deploy patches before falling victim to a breach!
What this shows is that the right research can forewarn organizations of most of the dangers from vulnerabilities well in advance!
Top Priority – Reducing Latency Gaps
Today’s digital dynamic demands responsible cyber security practices from all parties involved – the vendor, the organization, and all third parties offering services. The lower the latency, the smaller the window of risk and thus the safer the network. To reduce latencies, organizations must act quickly, keeping their systems up to date with vendor advisories, software updates, and released patches.
Most importantly, security teams must handle vulnerabilities with a 360-degree view to understand their impact, ingesting data from authentic sources that consider the NVD, along with trending and threat factors. A continuous and all-encompassing risk assessment that is adapted to changing times, with regular adoption of its recommendations, can help organizations stay ahead of latencies.
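Acting quickly on the KEV list in practice means knowing which open findings already have a CISA due date attached and how much of it is left. The script below is an added example, not CSW's code or a CISA tool: it indexes a constructed stand-in for the KEV catalog feed, cross-references a constructed list of open scan findings, and ranks them by remaining time. The feed field names (cveID, vendorProject, product, dateAdded, dueDate) follow the JSON feed CISA publishes for the catalog, but every entry, CVE ID and date here is hypothetical.

```python
import json
from datetime import date

# Constructed stand-in for the KEV catalog feed. Field names follow CISA's catalog JSON
# (assumption stated in the lead-in); the entries themselves are hypothetical.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2021-00001", "vendorProject": "ExampleVendor", "product": "NAS firmware",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2022-00002", "vendorProject": "ExampleVendor", "product": "Web framework",
         "dateAdded": "2022-04-04", "dueDate": "2022-04-25"},
        {"cveID": "CVE-2022-00003", "vendorProject": "OtherVendor", "product": "Office suite",
         "dateAdded": "2022-06-14", "dueDate": "2022-07-05"},
    ]
})

# Constructed inventory: CVE IDs a vulnerability scan reported as still open in the environment.
OPEN_FINDINGS = ["CVE-2022-00002", "CVE-2022-00003", "CVE-2022-99999"]


def load_kev(feed_text: str) -> dict:
    """Index the catalog by CVE ID so lookups from scan output are constant time."""
    catalog = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(findings, kev_index: dict, today: date, warn_days: int = 7) -> list:
    """Rank open findings by KEV due date.

    OVERDUE    : due date already passed
    due soon   : due within warn_days
    on track   : more than warn_days left
    not in KEV : still a finding, but not on CISA's list (prioritize with other threat context)
    Overdue items sort first, then nearest due date, then the non-KEV findings.
    """
    rows = []
    for cve in findings:
        entry = kev_index.get(cve)
        if entry is None:
            rows.append({"cve": cve, "status": "not in KEV", "days_to_due": None, "product": None})
            continue
        remaining = (date.fromisoformat(entry["dueDate"]) - today).days
        if remaining < 0:
            status = "OVERDUE"
        elif remaining <= warn_days:
            status = "due soon"
        else:
            status = "on track"
        rows.append({"cve": cve, "status": status, "days_to_due": remaining,
                     "product": f"{entry['vendorProject']} {entry['product']}"})
    rows.sort(key=lambda r: (r["days_to_due"] is None,
                             r["days_to_due"] if r["days_to_due"] is not None else 0))
    return rows


if __name__ == "__main__":
    # A fixed "today" keeps the output reproducible; use date.today() in a real job.
    for row in triage(OPEN_FINDINGS, load_kev(KEV_FEED), date(2022, 6, 30)):
        print(f"{row['cve']:<16} {row['status']:<11} days_to_due={row['days_to_due']} "
              f"{row['product'] or ''}")
```

Findings that are not in the KEV catalog are kept in the output rather than dropped: absence from the list is not evidence that a vulnerability is safe, which is the point the section makes about not treating a single source as the only truth.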
CSW can help organizations stay forewarned and manage the vulnerabilities in their network, discover the exposures in their attack surfaces, and provide intelligence and prediction about vulnerability threats and the associated impact.
Not sure whether your organization is affected by the CISA KEVs?
Sign up for a CISA vulnerability analysis.