Vulnerability exploits, not phishing, are the top cyberattack vector for initial compromise
Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn’t mean that enterprise organizations can afford to lessen their focus on vulnerability patching one bit.
A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts combined. And data the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.
Kaspersky’s analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.
Exchange Server Flaws Fuel the Exploit Frenzy
Kaspersky attributed the surge in exploit activity last year largely to the multiple critical Exchange Server vulnerabilities that Microsoft disclosed, including a set of four zero-days in March 2021 known as the ProxyLogon flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). When chained together, they allowed attackers to gain complete remote control over on-premises Exchange Servers.
Attackers — which included organized criminal gangs and state-sponsored groups from China — quickly exploited tens of thousands of vulnerable Exchange Server systems and dropped Web shells on them before Microsoft could issue a patch for the flaws. The vulnerabilities evoked considerable concern because of their ubiquity and severity. They even prompted the US Department of Justice to authorize the FBI to take the unprecedented step of proactively removing ProxyLogon Web shells from servers belonging to hundreds of organizations — in most cases, without any notification.
Also driving the exploit activity in 2021 was another trio of Exchange Server vulnerabilities collectively labeled ProxyShell (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523) that attackers used extensively to drop ransomware and in business email compromise (BEC) attacks.
More than a year later, the ProxyLogon and ProxyShell vulnerabilities continue to be targets of heavy exploit activity, says Konstantin Sapronov, head of Kaspersky’s Global Emergency Response Team. One of the most severe of these flaws (CVE-2021-26855) has also been the most targeted. Kaspersky observed the vulnerability — part of the ProxyLogon set — being exploited in 22.7% of all incidents involving vulnerability exploits that it responded to in 2021, and the flaw continues to be a favorite among attackers this year as well, according to Sapronov.
Same Exploitation Trend Likely Playing Out in 2022
Even though several serious vulnerabilities have surfaced this year — including the ubiquitous Apache Log4j vulnerability (CVE-2021-44228) — the most exploited vulnerabilities of 2021 remain very prevalent in 2022 as well, Sapronov says, even beyond the Exchange server bugs. For instance, Kaspersky identified a flaw in Microsoft’s MSHTML browser engine (CVE-2021-40444, patched last September) as the most heavily attacked vulnerability in the second quarter of 2022.
To read the complete article, visit Dark Reading.