Threat actors exploit vulnerabilities faster than ever, researchers warn


Threat actors are developing and deploying exploits for vulnerabilities faster than ever, with 56% of the bugs being exploited within seven days of public disclosure. This represents a 12% rise over 2021 and an 87% rise over 2020.

In 2022, the median time to exploitation was just one day, according to a new Rapid7 report. The company analyzed 50 of 2022’s most notable vulnerabilities, which it grouped into three categories: threats, widespread threats, and impending threats. In total, the report includes 45 vulnerabilities that were exploited in the wild in 2022, of which 44% arose from zero-day exploits.

“Common payloads dropped during mass exploitation included cryptocurrency miners, web shells, and a variety of botnet malware in addition to an ever more diverse set of ransomware payloads,” Rapid7 said.

The researchers say that zero-day exploits decreased 9% compared to 2021, but have still plateaued at a high rate, which keeps the gap between vulnerability disclosure and exploitation small.

Despite consistent ransomware activity, only 14 of the analyzed bugs are known to have been exploited to carry out ransomware attacks, a 33% decrease from 2021. The decrease may indicate that ransomware operations have become less reliant on new vulnerabilities, but other factors, including lower reporting of ransomware incidents, may also explain it.

Among the most exploited bugs, the company mentions the infamous Log4Shell (CVE-2021-44228) bug. According to a joint advisory from US cybersecurity authorities, since December 2021 multiple threat actor groups, including state-sponsored ones, have been exploiting Log4Shell on unpatched, public-facing VMware Horizon and Unified Access Gateway servers. In these attacks, threat actors were observed planting malware on compromised systems with embedded executables enabling remote command-and-control.

“Many organizations spent the first weeks (or months) of 2022 working their way down a lengthy list of Log4Shell remediations, taxing IT and security team resources that had already been depleted by shrinking budgets and pandemic exhaustion,” the report notes.

Another widely exploited bug is Follina (CVE-2022-30190), a Microsoft Windows zero-day vulnerability disclosed last May. Rapid7 observed that the “overwhelming majority of detections were security personnel testing proofs of concept, or the occasional pentester executing a social engineering operation.”

The report also mentions a zero-day remote code execution vulnerability (CVE-2022-26134) affecting Atlassian products that was observed being exploited by multiple threat actors.

“The window for effective patching has decreased over the past three years. It is essential that organizations have emergency patching procedures and incident response playbooks in place in addition to a clearly defined, regular patch cycle that prioritizes actively and widely exploited CVEs. Without an understood, standardized mechanism for driving aligned emergency action, you’re at higher risk from these increasingly frequent events,” the report notes.
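The report's recommendation to prioritize actively and widely exploited CVEs can be turned into a simple triage rule: the window a finding gets depends on whether it is exploited in the wild and whether the affected system is internet-facing, with the emergency windows taken from the report's figures (median time to exploitation of one day; 56% exploited within seven days). The code below is an added illustration, not part of the Rapid7 report; the disclosure dates, the 30-day regular cycle and the placeholder CVE are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Windows derived from the report: median time to exploitation was one day,
# and 56% of bugs were exploited within seven days of disclosure.
EMERGENCY_DAYS = 1        # exploited in the wild and reachable from the internet
URGENT_DAYS = 7           # exploited in the wild, internal exposure only
REGULAR_CYCLE_DAYS = 30   # assumed regular patch cycle (not a figure from the report)


@dataclass
class Finding:
    cve: str
    disclosed: date          # public disclosure date
    exploited_in_wild: bool  # e.g. listed in a known-exploited catalogue
    internet_facing: bool    # asset exposure from the inventory


def sla_days(f: Finding) -> int:
    """Patch window in days for a finding, most exposed first."""
    if f.exploited_in_wild and f.internet_facing:
        return EMERGENCY_DAYS
    if f.exploited_in_wild:
        return URGENT_DAYS
    return REGULAR_CYCLE_DAYS


def triage(findings, today: date):
    """Return findings most-urgent-first with deadline and overdue status."""
    rows = []
    for f in findings:
        deadline = f.disclosed + timedelta(days=sla_days(f))
        rows.append({
            "cve": f.cve,
            "deadline": deadline,
            "overdue": today > deadline,
            "days_overdue": max(0, (today - deadline).days),
        })
    # Overdue items first, then by nearest deadline.
    rows.sort(key=lambda r: (not r["overdue"], r["deadline"]))
    return rows


# Constructed inventory; dates are illustrative, not taken from the report.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-44228", date(2021, 12, 10), True, True),   # Log4Shell on a public Horizon server
    Finding("CVE-2022-30190", date(2022, 5, 30), True, False),   # Follina on internal workstations
    Finding("CVE-2022-26134", date(2022, 6, 2), True, True),     # Confluence RCE, internet-facing
    Finding("CVE-0000-PLACEHOLDER", date(2022, 5, 20), False, True),  # not known exploited
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, date(2022, 6, 5)):
        print(row)
```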
