Global Vulnerability Trends in 2023: Vulnerability Counts Hit a New High as Exploitation Accelerates

Vulnerabilities are defects present in the specific implementation of hardware, software, protocols, or operating system security policies, enabling attackers to access or disrupt systems without authorization. Discovering and exploiting vulnerabilities is a critical way to gain control over systems. As traditional systems and applications collide with an increasing number of emerging technologies in the digital age, the number of vulnerabilities is growing at an incredible pace.

Security 419 previously noted a report released by the insurance technology startup Corvus Insurance, which pointed out that vulnerability exploitation has become the top initial access path for ransomware actors: “Ransomware victims are increasingly being attacked using vulnerabilities rather than phishing emails.” Vulnerabilities clearly remain the greatest threat to security, as shown by the impact that a single vulnerability, the MOVEit flaw, had on thousands of enterprises in 2023.

Vulnerabilities and Future Trends in 2023

Let’s look at some public data sets:

Jerry Gamblin, Chief Engineer of Threat Detection and Response at Cisco, recently revealed that a total of 28,902 CVEs were released in 2023, an increase of over 15% compared to the 25,081 CVEs released in 2022. This translates to an average of 79.18 CVEs released per day. The number of CVEs released each year has risen steadily since 2017. Jerry Gamblin also used a Kalman filter model to forecast the number of CVEs in 2024; the predicted figure of 32,600 CVEs is not an outcome anyone would welcome.

According to the “2023 Network Threat Security Review” report published by the security company Qualys, a total of 26,447 vulnerabilities were disclosed globally in 2023, the highest number in history and a 5.2% increase over the 25,050 vulnerabilities reported the previous year. Among the disclosed vulnerabilities, over 7,000 had proof-of-concept exploit code, 206 had weaponized exploit code available, and 115 were being widely exploited by attackers.

Data from the “2023 Network Space Security Vulnerability Situation Analysis Research Report” released by the Chinese listed cybersecurity company Venustech showed that in 2023, Venustech Alpha Lab monitored and discovered a total of 35,762 vulnerability records through its vulnerability monitoring system. After automated screening by the monitoring system, 361 high-risk vulnerability records were retained. The report pointed out that, based on the trend of vulnerability development, the exploitation of zero-day vulnerabilities will continue to grow. Emerging technology fields have become key targets for attacks: cloud computing, the Internet of Things (IoT), connected vehicles, artificial intelligence, and other emerging technologies will continue to be the focus areas for security vulnerabilities.

The Tenable Research team compiled data on Microsoft’s Patch Tuesday in 2023, stating that Microsoft patched a total of 909 vulnerabilities in 2023, a slight decrease of 0.87% compared to the 917 vulnerabilities patched in 2022. The team commented, “Looking back at Patch Tuesday in 2023, we see that the number of CVEs patched is consistent with 2022, far from the peak of 2020. However, due to several zero-day vulnerabilities and some critical vulnerabilities in various Microsoft products, Patch Tuesday in 2023 remains eventful.”

Recently, the security firm Greyhats Online released its “2023 Vulnerability Intelligence Annual Report,” which showed that it captured over 29,000 vulnerability intelligence items in 2023, an increase of over 4,000 compared to 2022. Based on its own security products and the attack telemetry it holds, Greyhats Online concluded that the cumulative number of in-the-wild vulnerability exploitation incidents exceeded 4.1 billion, with over 1.3 million attacking IPs captured. Additionally, attackers primarily relied on over 1,300 known vulnerabilities, and 255 major new vulnerability exploits were discovered in 2023, over 90% of which targeted remotely exploitable vulnerabilities.

From the data disclosed by the cybersecurity organizations above, although no authoritative organization can report the exact number of vulnerabilities over the past year, it is a fact that the overall number of vulnerabilities has been increasing year by year. Furthermore, security vendors also emphasized that, based on known vulnerability exploitation data, vulnerabilities affect a wide range of operating systems and applications, indicating that almost no program is beyond attackers’ reach. To achieve their goals, attackers will exploit vulnerabilities in any software to attack business systems.

Acceleration of Vulnerability Exploitation Speed and Increase in Zero-Day Vulnerability Attacks

Check Point’s “2023 H1 Network Security Report” pointed out that newly discovered vulnerabilities in 2023 were almost immediately exploited by attackers. One data point illustrates this growing trend: in the first half of 2023, 28% of attacks used new vulnerabilities, compared to 20% in the first half of 2022 and 17% in the first half of 2021. This indicates that attackers are integrating new vulnerabilities into their regularly used exploit arsenals ever faster.

Qualys’ “2023 Network Threat Security Review” also summarized the speed of attackers’ vulnerability exploitation. It stated that the average time until a high-risk vulnerability was exploited in 2023 was approximately 44 days, with 25% of vulnerabilities exploited on the same day they were disclosed and 75% exploited within 19 days of disclosure.

Greyhats Online also provided similar data. According to its “2023 Vulnerability Intelligence Annual Report,” 25.5% of high-risk vulnerabilities were exploited on the same day they were disclosed, and 75% were exploited within 22 days of disclosure. Its conclusion was that attackers are exploiting vulnerabilities ever more efficiently, leaving enterprises a shrinking window in which to respond.

Regarding zero-day exploitation, Google’s Threat Analysis Group provided a trend analysis in July of the previous year, indicating that the number of zero-day vulnerabilities exploited in the wild reached a historical high in 2021 (69), decreased in 2022, and surged again in 2023 due to a significant increase in major zero-day exploitation events, which were used in everything from corporate espionage to ransomware attacks.

Greyhats Online’s “2023 Vulnerability Intelligence Annual Report” summarized the 2023 offensive and defensive case studies and major threat events, pointing out that zero-day vulnerabilities have become a routine part of attackers’ arsenals, with the frequency and scale of vulnerability exploitation on the rise. For enterprises, it is imperative to shorten the gap between the discovery of a zero-day vulnerability and its exploitation by attackers. Enterprises should proactively gather zero-day vulnerability intelligence and harden and reduce their attack surface as early as possible.

The Way of Vulnerability Defense: Third-Party Professional Forces are Indispensable

According to the “2023 Data Breach Cost Report” released by IBM, the average cost of a data breach worldwide reached $4.45 million in 2023, a record high for the report. The report also noted another point: the cost of detecting security vulnerabilities, together with the escalation costs that follow, rose by 42% over the period, the highest share in the report’s history. This also indicates that investigating and handling vulnerabilities is becoming more complex for enterprises.

Copyright belongs to the original author. If reposting, please cite the source: https://www.ciocso.com/article/472993.html