The hottest trend in ransomware attacks is old news, as major gangs and even APT groups are spending their time seeking out unpatched vulnerabilities from roughly the past decade. A new joint study finds that old vulnerabilities accounted for just over three-quarters of ransomware incidents in 2022, even as organizations scramble to keep up with emerging threats.
Most of the old vulnerabilities that attackers are homing in on date from between 2015 and 2019, but the oldest still being actively exploited was published and patched in 2010. The report finds that this is not a case of “script kiddies” digging up old attacks, but is mostly a phenomenon among advanced attackers who have realized that many organizations are woefully behind on patching and that there is easy money to be made.
Old vulnerabilities back in style as IT departments face mounting backlogs
New vulnerabilities continue to appear and be exploited, but the security experts caution that time should be made to search out old vulnerabilities given these recent trends. Attackers are aware that most organizations are not only swamped with IT security work, but are also managing that load by using CVSS scores as a tool to prioritize what gets patched. The problem here is that many of these old vulnerabilities either do not have a current CVSS score, or were initially assessed with a very low score years ago and have never been updated.
The report also notes that exploitation of these old vulnerabilities most often leads to ransomware attacks, and that the attackers are aware of the coverage amount their targets have and will price their demands accordingly. This speaks to experienced groups favoring this approach, but there is also direct evidence that the number of advanced persistent threat (APT) groups engaging in ransomware attacks is growing. The researchers have seen a 51% increase in APT groups in this space since 2020.
Hackers looking for easier targets during downturn in ransomware attacks
The study examined 56 total vulnerabilities that ransomware attacks exploited in 2022. Over one-third were old vulnerabilities that had been identified, published and patched at some point between 2015 and 2019. A handful of other vulnerabilities dated back a decade or more, and there were many patched vulnerabilities from 2020 and 2021 that remained unaddressed by victims.
The CISA catalog has yet to add 131 old vulnerabilities that have been associated with ransomware attacks. Of these, there are 57 with either “low” or “medium” threat scores that are currently being targeted by ransomware crews. “Kill chains,” which are not well documented by existing threat scoring systems, are also now available for 81 different pieces of software.
The study’s key takeaway is that scanners and scores cannot cover all threat avenues alone; though it is an added manpower strain in a trying time, organizations must stay on top of old vulnerabilities that re-emerge and must layer their defenses to fend off ransomware attacks.