Attackers Go Retro

Skybox Security
Aug 28, 2017 · 3 min read
Why old vulnerabilities are still able to wreak havoc on enterprises and network worms are back in style — by Shannon Ragan

For cyberattackers, old can be new — as long as it’s relevant. That’s certainly the case with old vulnerabilities.

The 2016 Verizon Data Breach Investigations Report shows that successful exploits from the previous year targeted a large number of vulnerabilities with CVEs assigned more than five years ago.

Many exploited vulnerabilities in 2015 are more than five years old | Source: 2016 Verizon Data Breach Investigations Report

So why the reliance on old vulnerabilities?

Cyberattackers love the path of least resistance. That means going where defenders aren’t looking. And for resource-strapped vulnerability management teams dealing with thousands of vulnerabilities in their systems, new vulnerabilities announced every day and inadequate methods to accurately prioritize their remediation, old vulnerabilities often fall to the bottom of the to-do list. That’s where attackers find their opportunity.

The same vulnerability management issues also seem to feed another attacker trend: exploiting vulnerabilities with mid-level CVSS scores. Attackers suspect most organizations are focusing on vulnerabilities with critical scores, so those get patched quickly while the rest may never be addressed.

Exploited Vulnerabilities by CVSS Score | Source: Adopted from IBM X-Force/Analysis by Gartner Research (September 2016)

Another perception problem exists in many security programs: the idea that vulnerabilities or their exploits somehow go stale. In fact, many old exploits are recycled and reused, often with only slight modifications. Hackers are constantly tinkering with old, proven exploits and repurposing them for new uses.

Worms are the New Black

The recent WannaCry attack was an example of a “ransomworm,” breathing new life into network worms after so long out at sea.

What’s brought these back in fashion? Again, attackers love the easy button. This is especially true in the era of distributed cybercrime of which ransomware is a key element. Attackers want to reach as many targets as possible to maximize their ROI. They’re buying (or renting) widely available attack tools and services on the dark web, and can launch a sophisticated attack with minimal skill or intervention.

The unholy union of ransomware and worms fits perfectly into this model because it allows the payload to be distributed to even more targets. Ransomworms take advantage of network connectivity and use it for their own purposes. Defending against this type of threat always comes back to the old stalwarts of good cyber hygiene — effective vulnerability management, proper segmentation and limiting access as much as possible.

Both of these trends — exploiting old vulnerabilities or dressing up old TTPs in new clothes — demonstrate the importance of keeping up with the current threat landscape. Up-to-date threat intelligence on what exploits are being used in the wild, what exploits are publicly available and what vulnerabilities are being packaged in ransomware and other attack tools is vital to securing your organization.
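
To make the prioritization point concrete, here is an added example (not from the original post or from Skybox) that ranks the same findings two ways: by CVSS score alone, and by the three threat-intelligence signals named above. The inventory, the placeholder identifiers, the tier ordering and the cutoffs are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder identifier, not a real CVE
    cvss: float              # CVSS base score
    year_assigned: int       # year the identifier was assigned
    exploited_in_wild: bool  # threat intel: exploitation observed
    public_exploit: bool     # threat intel: exploit publicly available
    in_attack_tooling: bool  # threat intel: packaged in ransomware or kits

# Constructed sample inventory (all values are made up for this example).
FINDINGS = [
    Finding("VULN-A", 9.8, 2017, False, False, False),
    Finding("VULN-B", 6.5, 2010, True,  True,  True),
    Finding("VULN-C", 5.4, 2012, False, True,  False),
    Finding("VULN-D", 9.1, 2016, False, False, False),
    Finding("VULN-E", 7.5, 2017, True,  True,  False),
]

def rank_by_cvss(findings):
    """Severity-only ranking: highest CVSS first, age and threat intel ignored."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]

def threat_tier(f):
    """Assumed tiers: 0 = exploited or weaponized, 1 = public exploit, 2 = neither."""
    if f.exploited_in_wild or f.in_attack_tooling:
        return 0
    if f.public_exploit:
        return 1
    return 2

def rank_by_threat(findings):
    """Threat-first ranking: tier first, CVSS only as a tie-breaker within a tier."""
    ordered = sorted(findings, key=lambda f: (threat_tier(f), -f.cvss))
    return [f.vuln_id for f in ordered]

def overlooked(findings, critical_cutoff=9.0, report_year=2017, old_after=5):
    """Tier-0 findings that a 'critical and recent only' process would skip."""
    return [
        f.vuln_id for f in findings
        if threat_tier(f) == 0
        and (f.cvss < critical_cutoff or report_year - f.year_assigned > old_after)
    ]

if __name__ == "__main__":
    print("CVSS only:   ", rank_by_cvss(FINDINGS))
    print("Threat first:", rank_by_threat(FINDINGS))
    print("Overlooked:  ", overlooked(FINDINGS))
```

In this constructed inventory the seven-year-old, mid-score finding sits fourth of five under CVSS-only ranking but second once exploitation data drives the order.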


Originally published at blog.skyboxsecurity.com on August 28, 2017.
