Apurva Venkat
Special Correspondent

Unpatched old vulnerabilities continue to be exploited: Report

Mar 02, 2023 | 5 mins
Data Breach, Security, Vulnerabilities

The top five exploited vulnerabilities in 2022 include several high-severity flaws in Microsoft Exchange, Zoho ManageEngine products, and virtual private network solutions from Fortinet, Citrix and Pulse Secure.

Image: A broken link in a digital chain / weakness / vulnerability
Credit: MaxKabakov / Getty Images

Known vulnerabilities as old as 2017 are still being successfully exploited in wide-ranging attacks as organizations fail to patch or remediate them successfully, according to a new report by Tenable. 

The report is based on the Tenable Research team's analysis of cybersecurity events, vulnerabilities and trends throughout 2022, including an analysis of 1,335 data breach incidents publicly disclosed between November 2021 and October 2022. Across the events analyzed, more than 2.29 billion records were exposed, amounting to 257 terabytes of data.

The four most exploited vulnerabilities in 2022 were Log4Shell, Follina, the Atlassian Confluence Server and Data Center flaw, and ProxyShell, the Tenable report said.

Patches and mitigations for these vulnerabilities were highly publicized and readily available. “In fact, four of the first five zero-day vulnerabilities exploited in the wild in 2022 were disclosed to the public on the same day the vendor released patches and actionable mitigation guidance,” the report said. It should be noted that once a zero-day vulnerability is acknowledged by the vendor and a patch is issued, it shifts into the category of known vulnerabilities that security teams can find and fix.

Exposure management is the need of the hour

As known vulnerabilities continue to be exploited, Tenable says organizations must adopt a defensive posture by applying available patches for known exploited vulnerabilities sooner rather than later.

“The data highlights that long-known vulnerabilities frequently cause more destruction than shiny new ones. Cyberattackers repeatedly find success exploiting these overlooked vulnerabilities to obtain access to sensitive information,” Bob Huber, CSO and head of research at Tenable, said in a statement. 

This shows that reactive post-event cybersecurity measures are not effective at mitigating risk. “The only way to turn the tide is to shift to preventive security and exposure management,” Huber added. 

The known vulnerabilities were also used by state-sponsored threat actors to gain initial access into government organizations and disrupt critical infrastructure. Several government advisories in 2022 warned about overlapping known vulnerabilities with available patches being exploited by APT groups, Tenable said. 

In the last five years from 2018 to 2022, the number of reported CVEs increased at an average annual growth rate of 26.3%. There were 25,112 vulnerabilities reported in 2022 as of January 9, 2023, a 14.4% increase over the 21,957 reported in 2021 and a 287% increase over the 6,447 reported in 2016, the Tenable report said. 

Losing attack visibility in the cloud 

Along with unpatched vulnerabilities, the shift to managed cloud services also increasingly contributed to cyberattacks in 2022. “As organizations move to managed cloud services, such as AWS, Google Cloud Platform or Microsoft Azure, they lose visibility of their attack surface. They (organizations) cannot rely on their normal security controls and must trust what is provided by the CSPs (cloud service providers),” the report said. 

The biggest challenge organizations face with the cloud is that vulnerabilities affecting CSPs are not reported in a security advisory or assigned a CVE identifier. They are often addressed by the CSP without notice to the end user, in what are known as silent patches. This makes risk assessment challenging for organizations.

Also, unsecured or misconfigured data continues to be an area of concern. More than 3% of all data breaches identified in 2022 were caused by unsecured databases, accounting for leaks of over 800 million records, according to the Tenable report.

Breaches and ransomware are still a threat

With the fall of Conti, the most notorious ransomware gang, in May 2022, it was assumed that ransomware attacks would see a major decline. However, Tenable found that 35.5% of breaches in 2022 were the result of a ransomware attack, a minor 2.5% decrease from 2021.

“In the ransomware ecosystem, groups are not the constant; it’s the group members, including affiliates, that remain a prominent fixture, which is why the long-term impact of a ransomware group’s demise is blunted,” the report said. From November 1, 2021 to October 31, 2022, at least 31 new ransomware and extortion groups were discovered.

In terms of breaches, Tenable observed 1,335 breach events in 2022, a 26.8% decrease from the 1,825 tracked during the same period a year earlier. 

The breach events analyzed resulted in the exposure of 2.29 billion records, a marked decrease compared to 2021, when 40 billion records were exposed. The number of files exposed saw a comparable decline, to 389 million in 2022. “Despite the steep decline in records and files exposed, the total volume of data exposed as part of breach events in 2022 remained flat at 257 terabytes, compared with 260 terabytes in 2021,” the report said.

Of the 1,335 breach events tracked in 2022, 88.2% of the impacted organizations reported that records were exposed. However, 45% did not disclose the number of records exposed, and for 6.1% of breaches the impacted organizations could not confirm whether records were exposed at all. More than two-thirds (68%) of the records exposed originated from organizations located in Asia-Pacific. Organizations in North America (NAM) and in Europe, the Middle East and Africa accounted for a combined 31% of records exposed, the report said.

Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.