In March 2022, APT41—also known as Wicked Panda—compromised government networks in six US states by exploiting a number of old vulnerabilities, including three-year-old security issues in Citrix appliances, Cisco small-business routers, and Atlassian Confluence servers.
Using older vulnerabilities is common practice among attack groups, a trend that companies should take into account as they triage and remediate software vulnerabilities. Old vulnerabilities continue to provide value to attackers because many companies fail to patch the issues. In some cases, organizations did not prioritize the vulnerability properly, allowing attackers to exploit the security weakness. In other cases, organizations may not have even known that they had a vulnerable asset.
Knowledge is Power:
Staying on top of threats is easier said than done, and knowing where to find useful information is a good start. CyberRes Galaxy Online provides briefings about industry, region, and business cybersecurity threats. According to the Galaxy Bulletin, APT41 likes to “leverage known vulnerabilities to exploit initial access to the victim’s system to execute its malicious code to drop trojans like ShadowPad, PipeMon, etc.” In the case of the breach in March 2022, APT41 made significant use of CVE-2018-13379, a flaw in Fortinet's FortiOS that appeared on the Cybersecurity and Infrastructure Security Agency’s (CISA) most-used exploit lists in both 2020 and 2021.
"Malicious cyber actors will most likely continue to use older known vulnerabilities ... as long as they remain effective and systems remain unpatched," CISA said in its advisory. "Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known."
Old Becomes New:
Of the top vulnerabilities exploited by attackers in 2021, most—11 of 15—were reported the same year, according to CISA. The remaining four flaws, however, were disclosed more than a year earlier, and at least one (CVE-2018-13379) was three years old.
Following the most-used vulnerabilities can also give companies an idea of where future attacks and vulnerability research are headed. Out of 58 in-the-wild exploits discovered in 2021, only two attacked vulnerabilities in a novel way; all the other security issues resembled previously discovered ones, according to Google's Project Zero. Of 18 zero-day exploits discovered in the first half of 2022, nine were variants of previously seen exploits, Google stated in another post.
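The triage point above, that disclosure age alone says nothing about risk, can be made concrete. The following added example (not code from the blog or from CyberRes) ranks scanner findings so that anything on a known-exploited list outranks newer, higher-scored findings with no exploitation evidence. The feed sample is constructed in the shape of CISA's Known Exploited Vulnerabilities JSON catalog (field names assumed from the public feed; the dates are illustrative, and the CVE-2099-* identifiers are placeholders, not real CVEs).

```python
import json
from datetime import date

# Constructed sample modelled on the CISA KEV feed layout (assumption: real
# feed uses these field names). Only the page's CVE-2018-13379 is listed.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2021-01-01", "dueDate": "2021-02-01",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed scanner findings. The placeholder CVE-2099-0001 has a higher
# CVSS score than the 2018 flaw but no known in-the-wild exploitation.
FINDINGS = [
    {"asset": "db-01",     "cve": "CVE-2099-0002", "cvss": 5.3},  # placeholder id
    {"asset": "wiki-01",   "cve": "CVE-2099-0001", "cvss": 9.9},  # placeholder id
    {"asset": "vpn-gw-01", "cve": "CVE-2018-13379", "cvss": 9.8},
]

def load_kev(feed_json: str) -> dict:
    """Index a KEV-style feed by CVE id for O(1) lookups during triage."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(findings: list, kev: dict, today: date) -> list:
    """Rank findings: known-exploited first (most overdue first), then by CVSS.
    Disclosure year is deliberately not a factor, so an old CVE with a KEV
    entry outranks a newer, higher-scored CVE lacking exploitation evidence."""
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        overdue = None
        if entry is not None:
            overdue = (today - date.fromisoformat(entry["dueDate"])).days
        ranked.append({**f, "known_exploited": entry is not None,
                       "days_overdue": overdue})
    # Sort key: (0 for KEV-listed, 1 otherwise), most overdue first, then CVSS.
    ranked.sort(key=lambda r: (0 if r["known_exploited"] else 1,
                               -(r["days_overdue"] or 0), -r["cvss"]))
    return ranked

if __name__ == "__main__":
    for row in triage(FINDINGS, load_kev(KEV_SAMPLE), date(2022, 3, 1)):
        print(row["asset"], row["cve"], row["known_exploited"], row["days_overdue"])
```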
We see a great deal of focus on zero-day attacks in the security world (ArcSight Intelligence is a great solution for this, by the way), but are organizations putting in the work to close old security gaps? According to security incident reports, it appears many are not.