Cyber criminals use old unpatched vulnerabilities

Cyber security researchers at California-based company Qualys published a report in which they analyzed Common Vulnerabilities and Exposures (CVEs). The results showed mostly those used in ransomware attacks over the past years. The interesting thing was that most of the often-used vulnerabilities were those that have been left unpatched.

“The rate at which vulnerabilities are rising is exponentially higher than the rate at which operations teams are patching. This is the number one driving factor for why vulnerabilities remain unpatched,” Shailesh Athalye, SVP of product management at Qualys, told in an interview with ZDNet.¹

Obsolete vulnerabilities remain unpatched

Basically, security teams often do not have time for many vulnerabilities at one time. They simply get overwhelmed with the amount of work, especially if it’s a big company. Cyber attackers know this and actively seek for such old unpatched vulnerabilities. Still, cyber security specialists argue that those commonly known vulnerabilities should be attained first to.

According to the report, the top vulnerability which has the longest history of exploitation is CVE-2012-1723. Cyber security specialists found it in the Java Runtime Environment (JRE) component in Oracle Java SE 7. First detected in 2012 hackers used it to distribute Urausy ransomware. Although this particular ransomware can do not so much harm, some organizations are still vulnerable to this.

Two other detected vulnerabilities date back to 2013. They are CVE-2013-0431 and CVE-2013-1493. First one was exploited on the JRE by Reveton ransomware, the second one is on Oracle Java by Exxroute ransomware. For both vulnerabilities patches to fix them have been ready for over eight years. CVE-2018-12808 is another vulnerability that has been present in Adobe Acrobat for three years. Hackers used it to deliver ransomware via phishing emails and malicious PDF files. Conti and Ryuk ransomware both exploited this vulnerability.

Recent vulnerability CVE-2019-1458 created privilege escalation in Windows. Cybersecurity specialists detected it in December 2019 and linked its exploitation to the NetWalker ransomware group.

How do ransomware distributors use old exploits?

Without a doubt, the ransomware criminal ecosystem is on the rise in 2021. In the report of the 2020 CrowdStrike Global Security Attitude Survey, 56% of organizations worldwide fell victims to a ransomware attack in 2020. Out of these organizations, 27% of them chose to pay their ransoms and it amounts on average $1.1 million per case. Ransomware still is one of the high-priority threats in 2021. The loudest cases in the first quarter of the year report demanding up to $50 million – and they got this sum. Another family asked for €70 million, but the victim company ignored their demands.

Cyber security specialists also noticed that hackers use a “double extortion” model. They encrypt the victim`s data and also demand additional payment incentives to add pressure. Some hackers threaten to publish or auction the data unless payment is made.

1. ZDNet report on old exploits that are still in use