Unpatched Vulnerabilities Remain Primary Ransomware Attack Vector

January 31, 2022 - Threat actors continually leverage unpatched vulnerabilities as their primary ransomware attack vector, a new report by Ivanti in partnership with Cyware and Cyber Security Works found. Researchers discovered 65 new vulnerabilities connected to ransomware in 2021, which signified a 29 percent growth compared to 2020.

Over a third of the 65 newly discovered vulnerabilities were being actively searched for on the internet, further stressing the need to prioritize patching.

“Unpatched vulnerabilities are the main attack vectors that ransomware groups exploit to gain entry into vulnerable networks,” the report said.

“However, our research also identified ransomware groups expanding their focus to not just single unpatched instances but to combinations of vulnerabilities, vulnerable third-party applications, technology protocols, and even insider recruiting as a means to take that first step in launching an attack.”

The Apache Log4j vulnerabilities, which were discovered at the end of last year, brought attention to the potentially catastrophic effects of leaving known vulnerabilities unpatched. In December, HHS urged healthcare organizations to prioritize patching the Log4j vulnerabilities to avoid malicious cyberattacks.

The Ivanti report observed threat actors exploiting zero-day vulnerabilities including QNAP, Sonic Wall, Kaseya, and Apache Log4j, even before they were logged in the National Vulnerability Database (NVD).

“This dangerous trend highlights the need for agility in disclosing vulnerabilities and releasing patches based on priority,” the report noted.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the National Security Agency (NSA) have continually warned critical infrastructure entities of the potential for devastating cyberattacks if these vulnerabilities are successfully exploited.

“Attacks on critical services such as oil & gas, food, pharmacy, and health care are crippling states and prompting governments to take unprecedented measures,” the report stated.

“The impact of attacks on Colonial Pipeline, JBS Meat Packers, Oldsmar’s (Florida) water plant, and Springhill Medical Center was severe, and people on the streets were affected by these attacks. The unprecedented impact of these attacks compelled the US government to issue warnings that any further attack on critical sectors would be considered as ‘acts of war.’”

In addition to zero-day attacks on critical infrastructure, researchers observed an increase in supply chain cyberattacks. The Colonial Pipeline attack in May spurred government action and put critical infrastructure entities on high alert after disrupting the US fuel supply chain.

Researchers also observed notable instances of ransomware groups targeting legacy or end-of-life products. This discovery is particularly troubling for the healthcare sector, which often relies on legacy systems to provide critical services. Specifically, many medical devices are at the end-of-life stage and can no longer be patched but are still vital to providing patient care.

The report suggested that organizations shift their vulnerability patching approach accordingly.

“It is important to look beyond the NVD and keep an eye out for vulnerability trends, exploitation instances, vendor advisories, and alerts from security agencies while prioritizing the vulnerabilities to patch,” the report advised.

“Exploitation trends are becoming more sophisticated and impactful, with ransomware groups exploiting vulnerabilities within days of being identified.”

Researchers noted the importance of prioritizing patches, even if those patched vulnerabilities lead to new inefficiencies as new access points are identified.