Hackers are targeting unpatched systems, supply chain networks: Report

Unpatched vulnerabilities remain the most prominent

According to the report, 65 new vulnerabilities tied to ransomware last year were discovered, representing a 29 per cent growth compared to the previous year and bringing the total number of vulnerabilities associated with ransomware to 288. Over one-third (37 per cent) of these newly added vulnerabilities were actively trending on the dark web and repeatedly exploited. While 56 per cent of the 223 older vulnerabilities identified prior to 2021 continued to be actively exploited by ransomware groups. “This proves that organizations need to prioritize and patch the weaponized vulnerabilities that ransomware groups are targeting – whether they are newly identified vulnerabilities or older vulnerabilities,” the company said in its report.

Ransomware groups continue to find and leverage zero-day vulnerabilities. Zero day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched or fixed. Some of the vulnerabilities that were exploited even before they made it to the National Vulnerability Database (NVD) are: QNAP (CVE-2021-28799), Sonic Wall (CVE-2021-20016), Kaseya (CVE-2021-30116), and most recently Apache Log4j (CVE-2021-44228). CVE stands for Common Vulnerabilities Exposures which is a database of publicly disclosed security flaws.

“This dangerous trend highlights the need for agility from vendors in disclosing vulnerabilities and releasing patches based on priority. It also highlights the need for organizations to look beyond the NVD and keep an eye out for vulnerability trends, exploitation instances, vendor advisories, and alerts from security agencies while prioritizing the vulnerabilities to patch,” the company added.

Supply chain network hijacked

Ransomware groups are increasingly targeting supply chain networks to inflict major damage and cause widespread chaos. A single supply chain compromise can open multiple avenues for threat actors to hijack complete system distributions across hundreds of victim networks.  For example, last year the REvil group went after Kaseya VSA remote management service, launching a malicious update package that compromised all customers using onsite and remote versions of the VSA platform.

Cybercriminals are also increasingly sharing their services with others, which is called as ransomware-as-a-service (RaaS). It is a business model in which ransomware developers offer their services, variants, kits, or code to other malicious actors in return for payment. Exploit-as-a-service solutions allow threat actors to rent zero-day exploits from developers.  According to Coveware, organizations pay an average of $220,298 and suffer 23 days of downtime following a ransomware attack.

“Ransomware groups are becoming more sophisticated, and their attacks more impactful. These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks. They are also expanding their targets and waging more attacks on critical sectors, disrupting daily lives and causing unprecedented damage. Organizations need to be extra vigilant and patch weaponized vulnerabilities without delays. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation,” said Srinivas Mukkamala, Senior Vice President of Security Products at Ivanti.