
Latency Analysis of DHS CISA KEVs

Posted on Mar 2, 2022 | Updated on Apr 25, 2022 | By Priya Ravindran, Sumeetha Manikandan

In this blog, CSW experts analyzed CISA’s Known Exploited Vulnerabilities (KEV) list for latencies in publishing, exploiting, and patching to understand how fast attackers are weaponizing them for attacks.

On November 3, 2021, CISA released a directive on Known Exploited Vulnerabilities (KEVs) and advised organizations to address them within stipulated deadlines. This was followed by regular additions to the list, which stands at 647 KEVs today. Our researchers found that 503 of the 647 vulnerabilities are trending in the wild with high internet and dark web chatter, which is a clarion call for organizations to patch them immediately - well before the deadline.

Latencies in publishing vulnerabilities and releasing patches are enabling attackers to launch crippling and devastating supply chain attacks on critical entities. In recent times, the trend of exploitation of zero-day vulnerabilities even before NVD disclosure has picked up momentum, as called out by our research in ransomware.

In this blog, we analyze the latencies and strive to find answers to the following question -

“Are latencies in identifying, publishing, and releasing patches for vulnerabilities providing further impetus to foraging cyber attackers?”

Latencies in Vulnerabilities

Our research points to three types of latencies in vulnerabilities that can prove costly to organizations. And unfortunately, all three apply to the CISA KEVs -

  1. NVD disclosure latency - The average time taken for the NVD to publish the vulnerabilities in their database

  2. Exploit latency - The average time taken for the weaponization of the vulnerabilities

  3. Patch latency - The average time taken for the patch to be released by the vendor.

Our research shows that attackers typically go after all vulnerabilities irrespective of their patching status.
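As an added example (not the post's own code or data), the bookkeeping behind the three latencies above, the exploit-versus-patch buckets in the table that follows, and the year-wise averages used later in the post, run on constructed records with placeholder CVE ids. The reference point for each latency (first public disclosure, NVD publication, first exploitation, patch release) is this example's assumption, since the post does not fix them.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass(frozen=True)
class KevRecord:
    cve_id: str
    severity: str        # CVSS rating: Critical / High / Medium / Low
    disclosed: date      # day the flaw first became publicly known
    nvd_published: date  # day the NVD entry was published
    exploited: date      # first observed in-the-wild exploitation
    patched: date        # day the vendor shipped a fix

# Constructed sample: placeholder CVE ids and invented dates, not real KEV data.
# The first record is shaped like the QNAP timeline in the post (patch 9 days,
# NVD entry 11 days after the first public exploit).
SAMPLE = [
    KevRecord("CVE-0000-0001", "Critical", date(2021, 4, 22), date(2021, 5, 3), date(2021, 4, 22), date(2021, 5, 1)),
    KevRecord("CVE-0000-0002", "High", date(2021, 3, 2), date(2021, 3, 2), date(2021, 5, 4), date(2021, 3, 2)),
    KevRecord("CVE-0000-0003", "Critical", date(2020, 1, 14), date(2020, 1, 14), date(2020, 1, 14), date(2020, 1, 14)),
    KevRecord("CVE-0000-0004", "Medium", date(2020, 6, 1), date(2020, 6, 10), date(2020, 6, 5), date(2020, 6, 20)),
]

def latencies(r: KevRecord) -> dict:
    # Assumed reference points; a negative exploit latency means the flaw was
    # exploited before its NVD entry existed (the zero-day case in the post).
    return {
        "nvd_disclosure": (r.nvd_published - r.disclosed).days,
        "exploit": (r.exploited - r.nvd_published).days,
        "patch": (r.patched - r.disclosed).days,
    }

def bucket(r: KevRecord) -> str:
    # Exploit-vs-patch ordering used by the post's summary table.
    delta = (r.exploited - r.patched).days
    if delta < 0:
        return "Exploit before patch"
    return "Same day" if delta == 0 else "Exploit after patch"

def summary_table(records) -> dict:
    # Counts per bucket, overall and split by severity.
    table = defaultdict(Counter)
    for r in records:
        table[bucket(r)]["Overall"] += 1
        table[bucket(r)][r.severity] += 1
    return {b: dict(c) for b, c in table.items()}

def yearly_average(records, key: str = "exploit") -> dict:
    # Average of one latency per NVD publication year (the post's year-wise view).
    by_year = defaultdict(list)
    for r in records:
        by_year[r.nvd_published.year].append(latencies(r)[key])
    return {y: round(mean(v), 2) for y, v in sorted(by_year.items())}
```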

                        Overall   Critical   High   Medium   Low
Exploit before patch         82         43     34        4     1
Same day                     46         25     21        -     -
Exploit after patch         154         73     71       10     -

With the recent update, our analysis shows that around 13% of the vulnerabilities were exploited even before the vendor could release a patch, which ties in with our research on zero-day vulnerabilities exploited before they made it to the NVD.

 

Around 24% of the vulnerabilities were weaponized and exploited after the patch was released, which spotlights the lack of cyber hygiene.

 

What jumps out of this analysis is that attackers are weaponizing vulnerabilities at speeds not seen thus far, which means vendors need to react within minimum response times to stay ahead of attackers.

CVE-2014-3120 has the largest patch latency, having been exploited for almost one year and five months before a patch was released by its vendor.

CVEs exploited before patch

Year   Average of exploit latency
2002   70
2007   9
2008   124
2010   49.5
2011   7
2012   4.5
2013   39.4
2014   238.75
2015   87.42857143
2016   155.6
2017   37.33333333
2018   30.16666667
2019   24.125
2020   32.27272727
2021   58.75

CVE-2014-1812 has the largest exploit latency, exploited 1 year 8 months after the vulnerability was patched by its vendor.

CVEs that were patched before exploit

Year   Average of patch latency
2004   3
2009   290.5
2010   23.66666667
2011   16
2012   211
2013   77.125
2014   122
2015   40.875
2016   62.27272727
2017   81.44444444
2018   87.77777778
2019   88.24242424
2020   85.84
2021   73.76470588

An unpatched vulnerability is a perpetual threat to organizations, and attackers target vulnerabilities irrespective of whether a patch is available. The sheer volume of patches that security teams need to apply calls for AI-based solutions that prioritize the patching cadence based on accurate threat context.

 

Zero-day vulnerabilities - NVD disclosure latency and patch latency

Our Ransomware Spotlight Report published in January 2022 highlighted the trend of ransomware groups going after zero-day vulnerabilities. All four vulnerabilities identified there now feature in the CISA KEVs. Incidentally, all four show both NVD disclosure latency and patch latency.

CSW first warned of these vulnerabilities in its 2021 Ransomware Index Reports, released in August and October 2021.

The zero-day vulnerabilities — CVE-2021-28799, CVE-2021-44228, CVE-2021-30116, and CVE-2021-20016 — started seeing exploitation by attackers before their vendors could release a patch and, in some cases, even before the vendors themselves were aware of the flaw.


QNAP: CVE-2021-28799

A vulnerability in QNAP NAS devices came to the limelight in 2021 when attackers exploited a then-unknown vulnerability in the Hybrid Backup Sync application. The Qlocker ransomware group soon developed its exploit for the zero-day vulnerability, which was patched 9 days after details of the first ransomware exploit were made public and was added to the NVD 11 days after. The QNAP vulnerability is a classic example of how threat actors scout for weaknesses in code, taking complete advantage of patch and NVD disclosure latencies.

A snippet from CSW's Ransomware Report 2022

 

Apache Log4j: CVE-2021-44228

A series of vulnerabilities in the Apache Log4j logging library shook the security world in late December 2021, and the impact is still being felt today. CVE-2021-44228 was completely patched only 21 days after the vulnerability was disclosed publicly, which gave attackers a wide enough window to jump on the bandwagon and compromise a series of products using the Apache library. The incident also highlighted the importance of a complete fix for vulnerabilities, with many earlier patches overridden due to lapses and misconfigurations, even as attack incidents unfolded.

A snippet from CSW's Ransomware Report 2022

 

Kaseya: CVE-2021-30116

The Kaseya supply chain incident in July 2021 resulted in a massive impact with a series of third-party attack onslaughts. The REvil ransomware group compromised Kaseya VSA servers even as the team was working on patches for three newly identified vulnerabilities. This small gap in patch latency was sufficient for the group to wage a crippling attack.

A snippet from CSW's Ransomware Report 2022

Sonicwall SMA: CVE-2021-20016: Unidentified vulnerability

At the start of the year 2021, a new ransomware group, FiveHands, quietly capitalized on a then-unknown vulnerability, CVE-2021-20016. The events brought the vulnerability to the notice of its vendor, who released a patch 11 days later, by which time the CVE was weaponized and used to stealthily infiltrate organizational networks. Our research also attributes this vulnerability to the infamous DarkSide group.

A snippet from CSW's Ransomware Report 2022

 

Three of the vulnerabilities — CVE-2021-28799, CVE-2021-20016 and CVE-2021-30116 — were warned about by CSW much before they were added to the CISA KEVs!

Organizations that consider only the NVD as their single source of truth are at huge risk. While the NVD plays a crucial role as a repository of vulnerabilities, a multi-layered approach is needed to give this base data an accurate threat context. Furthermore, vendors must act fast and address identified vulnerabilities immediately, while also ensuring that their end-users are notified to prioritize their remediation efforts.

CSW’s vulnerability intelligence database offers organizations timely warnings and the most comprehensive insights into vulnerabilities and the threats associated with them.


 

Exploit Latency

We looked at the year-wise distribution of vulnerabilities and their average exploit times with respect to when they were published in the NVD. We can observe that the vulnerabilities flagged as highly exploited by CISA belong mostly to recent years. Most importantly, the average time between NVD publication and exploitation has dropped drastically, even after the release of a patch, with attackers exploiting vulnerabilities within days of their being added to the NVD. This, again, is a warning to organizations to implement patches without delay.

Year   Average of Patch latency
2002   70
2004   -3
2007   9
2008   124
2009   -145.25
2010   18.14285714
2011   -4.5
2012   -89.14285714
2013   -26.25
2014   18.58333333
2015   15.83333333
2016   5.166666667
2017   -31.8125
2018   -51.81481481
2019   -56.64583333
2020   -42.64285714
2021   -29.11428571

 

Here are some prominent instances where unpatched vulnerabilities were exploited by hackers.

  • Apache Struts: CVE-2017-5638: Exploited two months after patch
  • Microsoft Server Message Block v1: CVE-2017-0145
    • The WannaCry incident was one of the biggest cybersecurity incidents of the decade. The WannaCry (WannaCrypt) ransomware family used the EternalBlue exploit for CVE-2017-0145 to gain entry into systems running unpatched versions of Windows 7 and Windows Server 2008, using publicly available SMB exploits.
  • Fortinet FortiGate VPN: CVE-2018-13379

Our continued vulnerability research identified around 70% of the CISA warned vulnerabilities as being a threat even before they were added to the KEV list. For 66% of the vulnerabilities, our research predicted the highest chances of exploitability even before the first set of KEVs were released by CISA.

The most recent rage, the Spring4Shell vulnerability, was warned about by CSW five days before it was added to the CISA KEVs list. Stay tuned to our blogs to stay on top of trending threats.

Around 67% of the vulnerabilities were identified as highly likely to be exploited by attackers more than 100 days before the first CISA KEV list was released. If these warnings had been heeded, security teams would have had ample time to analyze, prioritize and deploy patches before falling victim to a breach!

What this shows is that the right research can forewarn organizations of most of the dangers from vulnerabilities well in advance! 

 

Top Priority - Reducing Latency Gaps

Today’s digital dynamic demands responsible cyber security practices from all parties involved - the vendor, the organization, and all third parties offering services. The lower the latency, the smaller the window of risk and thus, the safer the network. In order to reduce latencies, organizations must act quickly, keeping their systems up-to-date with vendor advisories, software updates, and released patches.

Most importantly, security teams must handle vulnerabilities with a 360-degree view to understand their impact, ingesting data from authentic sources that consider the NVD, along with trending and threat factors. A continuous and all-encompassing risk assessment that is adapted to changing times, with regular adoption of its recommendations, can help organizations stay ahead of latencies.

 

CSW can help organizations stay forewarned and manage the vulnerabilities in their network, discover the exposures in their attack surfaces, and provide intelligence and prediction about vulnerability threats and the associated impact. 

Sign up for CSW’s threat feeds, VMaaS, ASM as a service offerings to stay safe from impending vulnerability threats.
