Most attacks affecting SMBs target five older vulnerabilities

Attackers continue to aggressively target small and mid-size businesses using high-profile vulnerabilities dating back a decade or more, network telemetry shows.

Between January and March this year, five high-severity flaws stood out above all others in terms of their frequency in intrusion prevention system (IPS) data from SonicWall’s predominantly SMB customer base.

At the top of the list was the Apache Log4j (CVE-2021-44228) vulnerability, detected in traffic to 43% of organizations. Tied on 35% were the Fortinet SSL VPN Path Traversal (CVE-2018-13379) flaw and the infamous Heartbleed (CVE-2014-0160) mega-flaw, with the less discussed but still significant Atlassian Pre-Auth Arbitrary File Read (CVE-2021-26085) and VMware SSRF (CVE-2021-21975) on 32% and 28% respectively.

According to SonicWall, these five stood out above all others; the sixth most targeted vulnerability was aimed at only 10% of customers, with a long tail of others in single digits below that.

Why these flaws?

Interestingly, only two of the vulnerabilities (Log4j and Fortinet) were given the highest priority Common Vulnerability Scoring System (CVSS) rating of ‘critical’ at the time of their discovery. The other three were rated ‘high’ (Heartbleed and VMware) and ‘medium’ (Atlassian).

However, relying on CVSS scores alone can give a misleading picture of a vulnerability’s attractiveness to an attacker, said SonicWall executive director of threat research Douglas McKee, speaking to CSO Online. A bigger consideration was how likely they were to have been patched.

“Vulnerabilities that are known to work are a good first bet for a threat actor to try. Attackers are using them because they’re still working.”

Bombarding SMBs with exploits for possibly unpatched flaws was simply the easiest way to find the laggards among organizations whose patching routines are not always rigorous.

The bigger question, then, might be why organizations fail to patch. A noticeable feature of the vulnerabilities is their age: three date from 2021, one from 2018, and the last, Heartbleed, was made public as long ago as April 2014.

Given that four of the five were also rated ‘critical’ or ‘high’, in theory they should have been patched as a priority some time ago. According to McKee, an important feature of the top five vulnerabilities was their ubiquity. “All five are on widely used products. Attackers are willing to put the time in for vulnerabilities that are going to provide them with a pay-off for more than one victim,” he said.

The everywhere flaw

A characteristic that gives any flaw longevity among attackers is how difficult it is to patch. In Log4j’s case, this was underlined by an unusual feature. When McKee studied the telemetry, he noticed that it had become steadily more popular among attackers since its discovery in late 2021.

“It’s almost the inverse of what you would expect. With all these patches and mitigations, why has it trended in an upward direction?”

Most likely, it was because Log4J was a supply chain vulnerability affecting a wide range of software used by almost every possible target.

“In my opinion, we still don’t know everywhere that it exists,” observed McKee. “The reason you’re seeing a trend upward is that attackers are still finding more places that it’s working.”

If this is correct, it suggests that some organizations haven’t patched Log4J because they don’t know they are affected. The oldest flaw in the top five, Heartbleed, exhibited the same problem.

“It’s similar to Log4J in that Heartbleed is in SSL [Secure Sockets Layer, an older VPN protocol]. It’s not a single piece of software where you can patch one thing. It’s another library that exists in a multitude of software.”

The priority for CISOs is working out which vulnerabilities should be patched first. As threats fade from view over time, it becomes easier to forget that they exist or still matter. Ten years on, Heartbleed is a warning of how hard this can be to stay on top of.

McKee’s recommendation was to focus on the complex flaws by doing regular assessments of the software supply chain hiding inside key applications.

“We can’t fix what we don’t know about. That’s often the hardest question. Do I even have the version of Log4J that’s vulnerable? I would prioritize fixing those things over the latest zero-day that an attacker cannot use,” said McKee.
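The inventory step McKee describes, answering "do I even have a vulnerable log4j-core?", as an added example that is not from the article or from SonicWall: the script walks a Java archive, descends into jars nested inside fat jars and WAR/EAR files, reads the log4j-core version from its Maven metadata and flags the range the Apache advisory lists for CVE-2021-44228. The sample archive it builds is constructed for the demonstration, and the version range and backport list are assumptions taken from public advisories.

```python
import io
import re
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_BACKPORTS = {"2.3.1", "2.12.2", "2.12.3"}  # security releases that sort below 2.14.1
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def is_vulnerable_version(version):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1 (per the Apache advisory)."""
    m = re.fullmatch(r"2\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", version)
    if not m or version in FIXED_BACKPORTS:
        return False  # not a 2.x version string, or a backported security release
    minor, patch = int(m.group(1)), int(m.group(2) or 0)
    if m.group(3) == "beta":  # only 2.0-beta9 and later betas carry the JNDI lookup
        return minor == 0 and int(m.group(4)) >= 9
    return (minor, patch) <= (14, 1)  # covers 2.0-rc*, 2.0 ... 2.14.1

def scan_archive(data, name, depth=0):
    """Return (location, version, status) for every log4j-core found in an archive,
    descending into nested jars (shaded/fat jars, WAR and EAR libs)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = set(zf.namelist())
    findings = []
    if POM in names:
        m = re.search(r"^version=(\S+)", zf.read(POM).decode("utf-8", "replace"), re.M)
        ver = m.group(1) if m else "?"
        st = "unknown" if ver == "?" else "vulnerable" if is_vulnerable_version(ver) else "patched"
        findings.append((name, ver, st))
    elif JNDI_CLASS in names:  # repackaged copy without Maven metadata: version unknown
        findings.append((name, "?", "unknown"))
    if depth < 3:  # bound recursion on nested archives
        for inner in sorted(n for n in names if n.lower().endswith(ARCHIVES)):
            findings += scan_archive(zf.read(inner), f"{name}!{inner}", depth + 1)
    return findings

def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

def build_sample_jar():
    """Constructed fat jar: patched log4j-core at top level, vulnerable copy nested in lib/."""
    nested = _jar({POM: "version=2.14.1\n", JNDI_CLASS: b""})
    return _jar({POM: "version=2.17.1\n", "lib/legacy-logging.jar": nested})
```

In practice, feed `scan_archive` the bytes of every `.jar`, `.war` and `.ear` found under the application directories; the nested copy in the sample is the case a top-level version check alone would miss.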
