Understanding the impact and relevance between public vulnerabilities and their weaponization into threats such as different types of malware’s is important to understand the level of investment and the type of focus that is needed for vulnerability management.
Setting the Context
Often malware is associated with brute force attacks such as compromised credentials to gain access to systems. While account compromise is certainly one of the vectors there are many others vectors to get the initial foothold. Planting a malware can be a multi-step process as reaching to the intended target might involve multiple hops between systems. These steps can be broadly classified as the payload delivery and payload execution. Payload execution can be done as part of local user or service accounts or in more sophisticated attacks managed remotely via a C&C setup.
Over the last ~4 years, the malware distribution looks something as below,
We will analyze each of the categories starting with weaponized CVE’s.
CVSS Score as just one indicator
Data shows that nearly 58% of all weaponized CVE’s have a CVSS score less than 8.
That holds roughly true for even the top exploited vulnerabilities as shown by the table below. The reasoning is pretty simple to understand. While CVSS score is certainly relevant for the specific vulnerability, rarely does it happen that a single CVE results in its entirety contributes to the malware composition. Usually it’s a bunch of factors including misconfigurations, permission issues, public vulnerabilities , phishing attempts that play in the degree of success for a malware attack.
The question is, by patching all the relevant public vulnerabilities can we come close to shut a window on one of the avenues that the attackers are finding useful ? If yes, predicting those "relevant" vulnerabilities instead of purely relying on the CVSS score would be important.
AI / ML Prediction
NVD has published ~85K vulnerabilities over ~3 years or so , however the rate of growth for unstructured content such as blogs, mailing lists , GitHub , including those that publish vulnerability reports that do not find a record in NVD , has been explosive.
ML based prediction has therefore become the need of the hour to not just make broader sense of content via ML techniques like NLP and NER but also use trained models to predict scores as well as predict the “likelihood of an exploit getting published”
ThreatWorx Attenu8 does exactly that and retrains models on an on-going basis as newer data emerges. Over ~3K vulnerabilities have been analyzed so far by ThreatWorx Attenu8 with ~90% accuracy predicting CVSS scores for vulnerabilities that weren’t analyzed or have no information available in NVD ( using unstructured content ), as well as predicting the likelihood of an exploit getting published for these vulnerabilities.
Older the better
Heavy focus on zero day, high severity vulnerabilities means the growing vulnerability backlog leaves out medium risk vulnerabilities. These remain unpatched for widely deployed software like MS Office, Windows, Weblogic, Apache, Cisco and other VPN software. This provides a perfect exclusive set of vulnerabilities that can be targeted for malware.
The graphic below indicates the most common challenge with CVSS based prioritization. With purely CVSS based prioritization the attackers gets blocked to an extent including weaponized vulnerabilities that have high CVSS scores,
however those only constitute around 42% of vulnerabilities ( CVSS score > 8 ), the vast majority of those that play a part in malware exploitation fly below the radar remaining unpatched.
There have been over 875 different malware families in action. TrickBot, Cobalt Strike, QakBot, Agent Tesla, XMRig, njRat , Emotet, Ryuk , a number of Trojans that specifically target Win32 systems. Out of these ~150 malware families are directly dependent on ~300 known public vulnerabilities targeting government agencies, energy , defense, finance , manufacturing and technology verticals of the industry. Most recent of one such malware family is for Derusbi which uses an old MS Office vulnerability ( CVE-2017-0199 ).
However the one that really provides a great example of some of the points discussed above is the one called, Pay2Key Ransomware. Pay2Key Ransomware uses a bunch of CVE’s ( CVE-2019-11510 exploiting weakness in a VPN software , also used widely in some healthcare providers , CVE-2018-13379 exploiting weakness in Fortinet Fortios , CVE-2019-19781 exploiting Citrix ADC and Gateway, CVE-2020-5902 which exploits a F5 BigIP RCE vulnerability and CVE-2019-1579 which exploits RCE in Pan-OS).
- 4 out of 5 CVE's are rated below CVSS score 8 ( i.e not Urgent )
- The CVE’s go back as far back in time as May 2019 ( initial disclosure ), which means the systems that were affected remained unpatched for over a year and half.
There cannot be a better example in the recent times that demonstrates the need for better signals for prioritization.