Attackers getting faster at latching onto unpatched vulnerabilities for stealth hacking campaigns – report

Attackers are exploiting security vulnerabilities more quickly, often within a week of their public disclosure, according to a study by Rapid7.

The latest edition of Rapid7’s annual Vulnerability Intelligence Report, published today (March 28), finds that the average time to known exploitation of vulnerabilities is down to 12 days – markedly down from the 42 days recorded in last year’s edition of the same study.

Rapid7 said that the trend meant that enterprises needed to be ready with “battle-tested emergency patching and incident response procedures” to have any hope of staying on top of the increasingly challenging security threat environment.

Opportunistic breaches

The study put 50 vulnerabilities that posed a risk to businesses during 2021 under the microscope.

The vast majority – 43 of 50 vulnerabilities – were exploited in the wild.

Three in five (60%) of the widespread threats, defined by Rapid7 as those that have been exploited broadly and opportunistically by many attackers, were used in ransomware attacks. More than half of these widespread threats began with a zero-day exploit.

Caitlin Condon, a manager at Rapid7’s vulnerability risk management engineering team, told The Daily Swig that ransomware exploitation was only one of several factors fueling the increase.

State-sponsored cyber-espionage groups (APTs) and opportunistic scammers attempting to enrich themselves through cryptojacking scams were also a problem.

Condon said: “For many of the vulnerabilities that became widespread threats, coin miners were the first wave of mass exploitation.

“We also saw instances where vulnerabilities in enterprise products were exploited by multiple APTs in addition to coin mining and ransomware groups, so it’s fair to say that a lot of the vulnerabilities in our ‘widespread’ threat category were quickly incorporated into both sophisticated and opportunistic campaigns.”

She added: “The community and the security industry have benefited from sharing intelligence and expertise over the years – unfortunately, this is true of attackers, too.”

Doubling down on zero-days

Rapid7, the firm behind the Metasploit penetration testing tool, logged 20 CVEs that were exploited as zero-days during 2021 – more than double the number of exploits that figured in the previous edition of its study.

Condon commented: “We saw such a pronounced rise in zero-day attacks in 2021 that the most frequent value in our time to known exploitation data was zero. That drove all our statistics down.

“While a few of the zero-day vulnerabilities in the report were leveraged by ransomware groups from the start, most weren’t used in ransomware operations until after an initial wave of exploitation.”

In response to questions from The Daily Swig, Condon said there was no clear link or correlation between the more rapid exploitation of zero-day vulnerabilities and the growing threat posed by ransomware groups.

Condon explained: “In some cases, such as the ProxyLogon vulnerabilities in Microsoft Exchange Server, that ransomware wave began quickly. In others, it was weeks or months before we saw confirmation that fixed zero-day vulnerabilities had been incorporated into ransomware attacks.

“So there isn’t a clear correlation in our data between the decrease in time to known exploitation and ransomware, but it’s entirely reasonable to surmise that as ransomware groups continue to evolve and mature their operations, we will see additional increases in both the urgency and scale of attacks.”

Source: https://portswigger.net/daily-swig/attackers-getting-faster-at-latching-onto-unpatched-vulnerabilities-for-stealth-hacking-campaigns-report
