While 2021 was welcomed with the news of active, large-scale exploitation of CVE-2020-10148, a vulnerability in SolarWinds Orion IT Management software that brought to prominence a new class of attacks called “Supply Chain” attacks, the year 2022 was welcomed by the Log4J vulnerability CVE-2021-44228 disclosed in late 2021. The ubiquitous nature of the Log4j library made this vulnerability critical and one of the most actively exploited vulnerabilities in 2022. Here, we shall review some of the most critical vulnerabilities in a variety of software that were used to breach companies. We shall also take a glance at the types of industries affected, some of the top incidents, and the average cost of a breach of the types discussed in the upcoming section.
2022 Security Breach Statistics
It has been reported *that the global average cost of a security breach was around 4.3 million dollars in 2022. This amount accounted for lost business due to the breach, incident response, data recovery, upgrades, and down time. The average cost of recovering from a ransomware attack in 2022 was 4.5 million dollars. The healthcare industry has remained the most affected sector and is a frequent target of ransomware attacks.
An interesting statistic from 2022 ** shows that 50% of the zero-day attacks that took place in 2022 were offshoots of inadequate bug fixes that went into previously reported zero days. The most affected sectors were the healthcare industry, the financial sector, the automotive industry, the educational sector, and SaaS providers.
With the advent of new security technologies like EDR, NDR, XDR, etc., with Artificial Intelligence incorporated into them to enable learning attacker and malware behavior, the average time for a breach or a new malware infection remaining undetected is close to a month. In some cases, the breach went unnoticed for several months.***
Let us now have a look at the top 10 vulnerabilities exploited in 2022—
- Log4Shell (CVE-2021-44228) : The discovery of Log4Shell, a vulnerability found in the logging feature of Apache Tomcat server software, occurred in 2021. Exploiting this vulnerability involved sending a customized request, which gave unauthorized parties the ability to execute any code on the server. The security vulnerability was resolved in a subsequent release of Tomcat. To know more, click here.
- F5 BIG-IP (CVE-2022-1388) :In 2022, it was found that F5 BIG-IP, a network equipment used for load balancing and other functions, had a vulnerability that permitted hackers to run arbitrary code on the device. This was achievable through a special request sent by the attacker. The vulnerability was patched in a subsequent version of the device’s software. To know more, click here.
- Atlassian Confluence RCE Flaw (CVE-2022-26134): This vulnerability was discovered in the Atlassian Confluence collaboration platform. It allowed attackers to execute arbitrary code on the server by sending a malicious request. The vulnerability was resolved in a later version of Confluence. To know more, click here.
- Microsoft Vulnerability “Zerologon” (CVE-2020-1472): The vulnerability dubbed “Zerologon” was present in the Netlogon protocol and was caused by a weakness in the implementation of the Netlogon protocol encryption, particularly AES-CFB8. The flaw allowed attackers to exploit the vulnerability by sending a sequence of zeros to the Netlogon protocol. Microsoft provided a solution to address this vulnerability by offering guidance on how to manage changes to the Netlogon secure channel connections associated with the vulnerability. To know more, click here.
- Spring4Shell (CVE-2022-22965): Spring4Shell is a security flaw found in the widely-used Java-based web application framework called Spring framework. In 2022, it was discovered that attackers could run any code on the server by sending a malicious request, using this vulnerability. The vulnerability was resolved by a later release of the Spring framework, which included a fix for the same. To know more, click here.
- VMware Workspace ONE Access (CVE-2022-22954): VMware released VMSA-2022-0011 on April 6, 2022. The report contains information about various security vulnerabilities, the most dangerous of which is CVE-2022-22954. This critical vulnerability enables remote code execution and affects VMware’s Workspace ONE Access and Identity Manager software. The issue stems from a server-side template injection flaw. To know more, click here.
- Zimbra Collaboration Suite Bugs (CVE-2022-41352): The security flaw was detected in the widely-used Zimbra Collaboration Suite, which provides email, calendar, and other collaborative services. This vulnerability made it possible for attackers to execute arbitrary code on the server through a malicious request. The vulnerability was fixed in a subsequent edition of Zimbra. To know more, click here.’
- Zyxel RCE Vulnerability (CVE-2022-30525): This vulnerability affects Zyxel network devices and enables attackers to execute arbitrary code on the affected system, potentially giving them access to control the system or steal confidential data. The vulnerability was discovered and patched in 2022, but it is still possible for systems that have not been updated to be at risk. To know more, click here.
- Proxyshell Exploit Chain: It refers to the exploitation of a series of vulnerabilities called ProxyShell that was detected in August 2021. The ProxyShell vulnerabilities, which consist of three CVEs (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), affect particular versions of Microsoft Exchange Servers installed on-premises. To know more, click here.
- Text4Shell (CVE-2022-42889): CVE-2022-42889, dubbed “Text4Shell“, was publicly identified in early October. Text4Shell is a vulnerability that effects Apache Commons Text, a Java library. CVE-2022-42889 resulted in remote code execution, which allowed an attacker to execute arbitrary code on victim machines and perform further actions on objectives. The vulnerability was patched in the latest versions. To know more, click here.
On a concluding note, the ten cases that have been briefly discussed, were just a few among several exploits that occurred. Each year has witnessed an increase in different attack classes, as attackers come up with novel attack techniques. There has been a rise in malware, especially ransomware, and increasing attacks on supply chain infrastructure. It is essential for the security administrator to keep the software running in their environment, updated to the latest version, and keep a check on the latest outbreaks or attacks.
We at Vehere ensure our customers are protected by actively researching these threats and updating our detection solutions.
Vehere Network Detection and Response: Protection Against Threat’s Past and Present
In the previous section, we took a brief glance at the vulnerabilities that were actively used in large-scale exploits and malware campaigns. While most of them were reported in 2022, history repeats itself in that a lot of vulnerabilities reported in 2020 and 2021 continued to be used in lateral movement techniques, malware campaigns, and infiltration due to the presence of a large number of systems that are still unpatched or haven’t followed vendor advisories.
Vehere’s research wing, Dawn Treader, actively researches new vulnerabilities and malware outbreaks in order to improve the detection efficacy of its NDR solution. Vehere NDR’s Rule Engine is constantly updated to detect threats like the ones discussed in this report.
In addition to a comprehensive Rule Set that guides the Rule Engine in detecting attacks and behavior anomalies, the NDR’s ML engines are trained to detect behavioral anomalies in customer networks. This, combined with a comprehensive set of NDR enhancements to detect lateral movement activity in a network, enables customers to get a holistic view of any violation of their computing assets and deter the progress of the attack.