Dive Brief:
- Published vulnerabilities in the first half of 2020 grew to 786, compared to 583 during the same time period last year, according to Trend Micro's midyear cybersecurity report. Bad actors most often targeted enterprise software, including Apache Struts and Drupal frameworks, between 2017 and the first half of 2020, according to the report.
- Critical and high-severity flaws "made up the bulk" of the disclosed vulnerabilities, according to the report. There were at least 547 high-severity and 121 critical vulnerabilities in H1 2020, compared to 335 and 40, respectively, in H1 2019.
- Microsoft's Patch Tuesday releases have averaged 102.7 fixes a month since January, up from an average of 72 monthly patches in 2019. Though January had the fewest patch updates, it also carried the most critical fix of the period: CurveBall.
Dive Insight:
COVID-19 presented cybercriminals with a buffet of misinformation and public crises to build cyberattacks around. But exploitation of outdated platforms and technologies is as much of a threat as the latest iteration of phishing schemes.
Trend Micro's 2020 predictions, made before the pandemic reached critical mass, "got thrown out," and the company instead found that what malicious actors were taking advantage of was "different from what we expected," said Jon Clay, director of global threat communications at Trend Micro.
In May, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) named flaws in Microsoft's Object Linking and Embedding (OLE) and Apache Struts as two of the technologies most exploited by cybercriminals.
"Either Microsoft has decided to just do a massive amount of code-checking, and they're finding tons of vulnerabilities in their code," or they are performing extra due diligence on older operating systems in embedded systems, said Clay. At least one-fifth of OS users still rely on Microsoft Windows 7, according to the report, despite support for it ending in January. "There's still XP out there," said Clay.
Some organizations lack the ability to comb through their technology and swap out devices that rely on older operating systems, whether because of financial constraints or the sheer quantity of such devices, medical devices among them. Clay worked with the owner of an international hardware store whose devices kept being infected by an old strain of malware dating from 2008. The store owner couldn't find the entry point, and the malware spread across his systems with every infection.
When a network scanner was deployed on the systems to look for the "IP that was spewing out" the malware, it found the source: the machine used to mix paint colors. The hardware store owner contacted the machine's manufacturer asking for a patch.
"That's what you're going to see out there for years to come with Windows 7," said Clay. Managing the risk that older systems pose to the security of a company as a whole is a job for asset management. However, "some of these devices on your network, that are running Windows 7, a lot of organizations don't have the capability of doing a lot of their asset management, scanning to figure out what's on their network."
Many companies rely on solution providers such as Microsoft to dig into their software, or on bug bounty programs, to find flaws, but it is not a perfect science, especially given 2020's dramatic increase in threats.
Between January 2017 and June 2020, cybercriminals targeted the Apache Struts Multipart Encoding Command Injection Vulnerability nearly 8 million times. The Pulse Secure Pulse Connect Secure Directory Traversal Vulnerability, a flaw CISA issued a warning about in May, was targeted more than 650,000 times during the same timeframe.
The influx of high-severity and critical bugs "is a two-edged sword," said Clay. While it's rewarding to find flaws before bad actors do, "it's also a bit scary to see those types of bugs still being found in software."