Rapid7 attack intelligence report shows edge exploits and compromised credentials major breach sources


In sobering news to CISOs everywhere, cybersecurity company Rapid7 has found that the majority of mass compromise events come from zero-day exploits, and increasingly these are hitting devices at the edge. Additionally, other research finds a staggering number of preventable compromises are still occurring where MFA could, and should, have been in place but was not.

Rapid7 is on a mission to create a safer digital world by making cybersecurity simpler and more accessible, through best-in-class technology, leading-edge research, and broad, strategic expertise. Rapid7 protects more than 11,000 global customers. As part of its offerings to the wider public, Rapid7 releases an annual Vulnerability Intelligence Report. The latest 2024 Attack Intelligence Report was released late last month, based on more than 1,500 curated vulnerability and exploit data points, an analysis of 180+ advanced threat campaigns, and thousands of tracked ransomware events, extortion communications, and dark web posts, as well as insights from the trillions of security events across Rapid7 MDR and threat analytics telemetry.

It's a huge source of worldwide data and thus paints an accurate picture of threat actors globally. Every year Rapid7's report is highly informative about such nefarious activities and the 2024 report is no exception.

Disturbingly, Rapid7 finds more mass compromise events arose in 2023 from zero-day vulnerabilities than from n-day vulnerabilities; in fact, zero-days were the cause of 53% of such events. The standard advice is to keep systems up to date with all security patches, and there is no shortage of stories about breaches caused by unpatched software, Equifax being a high-profile example. Yet software updates can't protect you from zero-day exploits because, of course, no patch exists for a vulnerability that has only just been discovered and weaponised. Hence, one immediate key takeaway from Rapid7's research is that organisations and institutions of all sizes can't rely on definition-based endpoint protection and software updates alone, but need a raft of tools.

[Figure: AIR Graph, page 11]


Rapid7 explains this is the second time in the last three years that zero-day vulnerabilities have been the major cause of mass compromise events, and is a return to 2021 levels of widespread exploitation despite a drop in 2022.

Further, the proliferation of IoT and edge devices appears to be creating a security blind spot for many. Rapid7 identified that mass compromise events arising from exploitation at the edge have almost doubled from the start of 2023, and this is where 36% of widely exploited vulnerabilities originated. Over 60% of the vulnerabilities Rapid7 analysed were zero-days, showing the "bad guys" have learned this is a common weak spot.

Rapid7 recommends organisations take an active approach to reducing risk with their edge devices; they can't be "set and forget" appliances, and vulnerabilities must be mitigated as soon as patches or workarounds are available. Further, it is imperative to enable logging and ensure it is working as expected. Log data is vital for security operations teams to hunt for elusive indicators of compromise and suspicious activity.

“Our data shows 2021 to have been the dividing line between a ‘then’ and a ‘now’ in zero-day attacks,” said Rapid7 director of vulnerability intelligence Caitlin Condon. “Since that time, the median number of days between vulnerability disclosure and exploitation, which we began tracking several years ago, has stayed in single digits across the CVEs in our annual datasets; widespread exploitation of major vulnerabilities has shifted from a notable event to a baseline expectation; and ransomware attacks regularly take entire public-facing systems online, sometimes for weeks or months at a time.”

[Figure: AIR Graph, page 13]

Additionally, Rapid7 found that 41% of incidents in 2023 resulted from missing or unenforced multi-factor authentication (MFA) on Internet-facing systems, particularly VPNs and virtual desktop infrastructure. Yes, more than 4 in 10 incidents could have been prevented. Expert advice has, for years, advocated MFA as the simplest defence against credential theft, and too many companies are still not listening.

Rapid7 also detected a pronounced shift in the way attacks are playing out. Historically, a wide range of malicious threat actors adopted a scatter-gun approach to many targets. Yet Rapid7 finds that today almost a quarter (23%) of the widespread threat CVEs came from well-planned, highly orchestrated zero-day attacks in which a single adversary compromised dozens to hundreds of organisations at once, often using its own specialised custom tooling.

Interestingly, Rapid7 found the number of unique ransomware families reported across 2023 incidents decreased by over half, from 95 new families in 2022 to 43 in 2023.

Further, while threat actors are still exploiting memory corruption opportunities, Rapid7 found most exploits are now arising from simpler, more easily exploitable root causes, such as improper authentication or command injection.

There's a lot to take in, but the message is clear that cybersecurity is an ongoing process that cannot be ignored, from systems administrators to software developers and every part of the IT team to every part of the business.

We're facing an army of well-funded, well-researched, determined attackers who know what is working and will keep doing it.

“This is a mature, well-organised cybercrime ecosystem at work, with increasingly sophisticated mechanisms to gain access, establish persistence, and evade detection,” Condon said. “The data is telling us that we are experiencing the intensification of a multi-year trend; now more than ever, implementing zero-day patching procedures for critical technologies is key.”

You can read the full Rapid7 2024 Attack Intelligence Report here.
