Driven by significant cyber security disclosures affecting supply chain dependencies, such as Log4j and Realtek, threat actors have vastly increased their use of vulnerabilities as a means to work their way inside their victims’ systems, with vulnerability exploitation attempts per customer up by 55% year on year (YoY) over the course of 2022, according to data compiled by Palo Alto Networks’ Unit 42 threat intelligence experts.
Presented in the latest edition of its Network threat trends research report, Unit 42’s data was drawn from across its parent’s portfolio of network monitoring and cloud products and services, including its next-generation firewalls, extended detection and response (XDR), and secure access service edge (SASE) offerings, as well as external feeds and sample exchanges among its peers in the industry.
Unit 42’s research team described a race between suppliers and threat actors to uncover and seal off new avenues of exploitation, which is creating a process of “constant churn” and piling pressure on end-user security teams.
Their findings tally with elements of Verizon’s annual Data breach investigations report (DBIR), also released this week, which suggested that Log4j may be the most exploited vulnerability in history.
“Attackers are using both vulnerabilities that are already disclosed and ones that are not yet disclosed – aka exploiting zero-day vulnerabilities,” the research team wrote. “We continue to find that vulnerabilities using remote code execution (RCE) techniques are being widely exploited, even ones that are several years old.
“While using old vulnerabilities might seem counterproductive, they still have significant value to attackers. In some cases, vulnerabilities discovered years ago have not been patched. This could be either because the company failed to fix the issue, or they didn’t provide the patch in a way that customers could easily find. In other cases, the product could lack a patch because the product is at the end of its supported lifespan.”
However, they argued, the weight of responsibility for fixing this problem should not fall solely on the security supplier community. End-user organisations must have appropriate processes in place for remediating vulnerabilities safely and quickly, paying particular attention to acquiring, testing and applying patches, but also accounting for issues that might not immediately spring to mind, such as the network bandwidth needed to rush a patch out across a large enterprise’s entire IT estate.
Other organisations simply lack awareness of available patches, and so effectively render old, well-known vulnerabilities – into which category Log4j must soon fall, if it has not done so already – as dangerous as a newly discovered zero-day.
“Threat actors know these problems exist, and they continue to try these old vulnerabilities because they’re counting on organisations to fail at some point in the process of applying patches,” they said.
The rise of ChatGPT
The full report contains insight into a great many security trends, but perhaps the most notable statistic is a 910% increase in monthly registrations for domains related to OpenAI’s ChatGPT tool, and a 17,818% increase in attempts to mimic ChatGPT through domain squatting.
While these increases of course start from a base of zero, given that ChatGPT was only launched in 2022, they nonetheless highlight some of the more realistic risks of tools driven by artificial intelligence (AI). Whereas much has been written about how ChatGPT might be used to generate malicious activity, Unit 42’s team said they had not seen any noticeable rise in attributable, real-world activity of this kind.
However, they said, threat actors are instead applying many more traditional techniques to capitalise on interest in AI, and it is this that is driving a boom in fraud attempts and scams.
“The speed with which scammers used traditional techniques to profit off the AI trend underscores that organisations need to exercise caution around internet activity and software that are getting attention in popular culture,” the team wrote.
“At the same time, it remains possible that threat actors could find ways to take advantage of the unique technological capabilities of AI. For the time being, the main way that organisations can prepare for this possibility is to continue to employ defence-in-depth best practices. Security controls that defend against traditional attacks will be an important first line of defence against any developing AI-related attacks going forward,” they said.