Cyberwar Bulletin: Iran and Albania

Latency Analysis of DHS CISA KEVs

Posted on Mar 2, 2022 | Updated on July 6, 2022 | By Priya Ravindran, Sumeetha Manikandan

In this blog, CSW experts analyzed CISA’s Known Exploited Vulnerabilities (KEV) list for latencies in publishing, exploiting, and patching to understand how fast attackers are weaponizing them for attacks.

On November 3, 2021, CISA released a directive of Known Exploited Vulnerabilities (KEVs) and advised organizations to address them within stipulated deadlines. This was followed by regular additions to the vulnerabilities list that stands at 787 KEVs today.  Our researchers found that 647 vulnerabilities out of 787 are trending in the wild with high internet and dark web chatter which is a clarion call for organizations to patch them immediately - well before the deadline.

Latencies in publishing vulnerabilities and releasing patches are enabling attackers to launch crippling and devastating supply chain attacks on critical entities. In recent times, the trend of exploitation of zero-day vulnerabilities even before NVD disclosure has picked up momentum, as called out by our research in ransomware.

In this blog, we analyze the latencies and strive to find answers to the following question-

“Are latencies in identifying, publishing, and releasing patches for vulnerabilities providing further impetus to foraging cyber attackers?”

Latencies in Vulnerabilities

Our research points to three types of latencies in vulnerabilities that can prove costly to organizations. And unfortunately, all three apply to the CISA KEVs -

  1. NVD disclosure latency - The average time taken for the NVD to publish the vulnerabilities in their database

  2. Exploit latency - The average time taken for the weaponization of the vulnerabilities

  3. Patch latency - The average time taken for the patch to be released by the vendor.

Our research shows that attackers typically go after all vulnerabilities irrespective of their patching status.

 

Overall

Critical

High

Medium

Low

Exploit before patch

86

44

36

6

-

Same day

53

29

23

1

-

Exploit after patch

175

80

82

13

-

 

With the recent update, our analysis shows that around 11% of the vulnerabilities were exploited even before the vendor could release a patch which also ties in with our research on Zero Day vulnerabilities exploited before they made it to the NVD.

 

Around 23% of the vulnerabilities were weaponized and exploited after the patch was released - which spotlights the lack of cyber hygiene.

 

What jumps out of this analysis is the fact that attackers are weaponizing vulnerabilities at speeds thus far not seen and this means vendors need to react within minimum response times to stay ahead of attackers.  

CVE-2021-0920 has the largest patch latency, having been exploited for almost two and a half years before a patch was released by its vendor.

CVEs exploited before a patch

Year

Average of Exploit latency

2004

3

2006

1191

2007

1

2009

195.6666667

2010

23.66666667

2011

8.5

2012

211

2013

82.55555556

2014

104.7142857

2015

37.33333333

2016

63.58823529

2017

81.44444444

2018

86.85714286

2019

93.2972973

2020

85.84

2021

73.76470588

2022

2

CVE-2006-2492 has the largest exploit latency, exploited 3 years 3 months after the vulnerability was patched by its vendor.

CVEs that were patched before an exploit

Year

Average of Exploit latency

2004

3

2006

1191

2007

1

2009

195.6666667

2010

23.66666667

2011

8.5

2012

211

2013

82.55555556

2014

104.7142857

2015

37.33333333

2016

63.58823529

2017

81.44444444

2018

86.85714286

2019

93.2972973

2020

85.84

2021

73.76470588

2022

2


An unpatched vulnerability is a perpetual threat to organizations, irrespective of whether it is patched. The sheer volume of patches that security teams need to apply needs AI-based solutions to prioritize patching cadence based on accurate threat context.

Zero-day vulnerabilities - NVD disclosure latency and patch latency

Our Ransomware Spotlight Report published in January 2022 highlighted the trend of ransomware groups going after zero-day vulnerabilities. All the four vulnerabilities identified now feature as part of the CISA KEVs. Incidentally, all four vulnerabilities indicate a case of both NVD disclosure latency and patch latency.

CSW first warned of these vulnerabilities in 2021 Ransomware Index Reports released in August and October 2021. 

The zero-day vulnerabilities — CVE-2021-28799, CVE-2921-44228, CVE-2021-30116, and CVE-2021-20016 — started seeing exploitation by attackers before their vendors could release a patch and, in some cases, even before the vendors themselves were aware of the flaw. 


QNAP: CVE-2021-28799

A vulnerability in QNAP NAS devices came to the limelight in 2021 when attackers exploited a then unknown vulnerability in Hybrid Backup Sync applications. The Qlocker ransomware soon after developed their exploit for the zero-day vulnerability that was patched 9 days after details of the first ransomware exploit were made public, and was added to the NVD 11 days after. The QNAP vulnerability is a classic example of  how threat actors are scouting after weaknesses in code, taking complete advantage of patch and NVD disclosure latencies.

A snippet from from CSW's Ransomware Report 2022

 

Apache Log4j: CVE-2021-44228

A series of vulnerabilities in the Apache Log4j logging library shook the security world in late December 2021, and the impact is still being felt today. CVE-2021-44228 was completely patched only 21 days after the vulnerability was disclosed publicly, which gave attackers enough window to jump on the wagon and compromise a series of products using the Apache library. The incident also highlighted the importance of a complete fix to vulnerabilities, with many earlier patches overridden due to lapses and misconfigurations, even as attack incidents unfolded.

A snippet from from CSW's Ransomware Report 2022

 

Kaseya: CVE-2021-30116

The Kaseya supply chain incident in July 2021 resulted in a massive impact with a series of third-party attack onslaughts. The REvil ransomware group compromised Kaseya VSA servers even as the team was working on patches for three newly identified vulnerabilities. This small gap in patch latency was sufficient for the group to wage a crippling attack

A snippet from from CSW's Ransomware Report 2022

Sonicwall SMA: CVE-2021-20016: Unidentified vulnerability

At the start of the year 2021, a new ransomware group, FiveHands, quietly capitalized on a then-unknown vulnerability, CVE-2021-20016. The events brought the vulnerability to the notice of its vendor, who released a patch 11 days later, by which time the CVE was weaponized and used to stealthily infiltrate organizational networks. Our research also attributes this vulnerability to the infamous DarkSide group.

A snippet from from CSW's Ransomware Report 2022

 

Three of the vulnerabilities — CVE-2021-28799, CVE-2021-20016 and CVE-2021-30116 — were warned about by CSW much before they were added to the CISA KEVs!

Organizations that consider only the NVD as their single source of truth are at huge risk. While the NVD plays a crucial role as a repository of vulnerabilities, a multi-layered approach is needed to give this base data an accurate threat context. Furthermore, vendors must act fast and address identified vulnerabilities immediately, while also ensuring that their end-users are notified to prioritize their remediation efforts.

CSW’s vulnerability intelligence database offers organizations timely warnings and the most comprehensive insights into vulnerabilities and the threats associated with them.

Interested to know more?  

 

Exploit Latency

We looked at year-wise distribution of vulnerabilities and their average exploit times with respect to when they were published in the NVD. We can observe that the vulnerabilities warned as highly exploited by CISA belong more to recent years. Most importantly, the speed at which vulnerabilities are being exploited has decreased drastically on average, even after the release of a patch, with attackers exploiting vulnerabilities within days after being added to the NVD. This, again, is a warning to organizations to implement patches without delay.

  Year  

 Average of Exploit latency 

 Count of CVE 

2002

-70

1

2004

3

1

2006

1191

1

2007

-4

2

2008

-124

1

2009

70.71428571

7

2010

-29.36363636

11

2011

2.5

4

2012

58.7

10

2013

20.95

20

2014

-18.875

16

2015

-13.8

20

2016

12.625

24

2017

30.84848485

33

2018

52.32258065

31

2019

60.47169811

53

2020

42.64285714

42

2021

3.027777778

36

2022

2

1

Here are some prominent instances where unpatched vulnerabilities were exploited by hackers.

  • Apache Struts: CVE-2017-5638: Exploited two months after patch 
  • Microsoft Server Message Block v1 : CVE-2017-0145

    • The WannaCry incident was one of the biggest cybersecurity incidents of the decade. WannaCrypt group of the ransomware family used the Eternal Blue vulnerability, CVE-2017-0145, to gain entry into systems with unpatched versions Windows 7 and Windows Server 2008, using publicly available SMB exploits.

  • Fortinet Fortigate VPN : CVE-2018-13379

Our continued vulnerability research identified around 70% of the CISA warned vulnerabilities as being a threat even before they were added to the KEV list. For 66% of the vulnerabilities, our research predicted the highest chances of exploitability even before the first set of KEVs were released by CISA.

The most recent rage, the Spring4Shell vulnerability, was warned about by CSW five days before it was added to the CISA KEVs list.

The zero-click vulnerability in Microsoft Word, Follina, was flagged as dangerous by CSW 11 days before CISA.

Stay tuned to our blogs to stay on top of trending threats.

 If these warnings were heeded, security teams had ample time to analyze, prioritize and deploy patches before falling victim to a breach! 

What this shows is that the right research can forewarn organizations of most of the dangers from vulnerabilities well in advance! 

 

Top Priority - Reducing Latency Gaps

Today’s digital dynamic demands responsible cyber security practices from all parties involved - the vendor, the organization, and all third parties offering services. The lesser the latency, the smaller the window of risk and thus, the safer the network. In order to reduce latencies, organizations must act quickly, keeping their systems up-to-date with vendor advisories,  software updates, and released patches. 

Most importantly, security teams must handle vulnerabilities with a 360-degree view to understand their impact, ingesting data from authentic sources that consider the NVD, along with trending and threat factors. A continuous and all-encompassing risk assessment that is adapted to changing times, with regular adoption of its recommendations, can help organizations stay ahead of latencies.

 

CSW can help organizations stay forewarned and manage the vulnerabilities in their network, discover the exposures in their attack surfaces, and provide intelligence and prediction about vulnerability threats and the associated impact. 

Sign up for CSW’s threat feeds, VMaaS, ASM as a service offerings to stay safe from impending vulnerability threats.


 

Not sure whether your organization is affected by the CISA KEVs? 

Sign up for a CISA vulnerability analysis

 

Never miss a patch or an update with CSW’s Patch Watch Newsletter. Subscribe now!

csw

Secure your environment from cyber-attacks!

Know How

incognito