Edgescan, a full-stack vulnerability management service, has just released their Vulnerability Stat Report for 2021, and it’s confirmed that 2020 really was as bad as we all thought it was. The stats report reveals a number of alarming statistics and trends from 2020, taking a deep-dive into vulnerability metrics from known vulnerabilities (CVE), Malware, Ransomware and visibility standpoint (exposed services). The data used in the report has been compiled by Edgescan from the thousands of global security assessments it performed throughout the past year using its vulnerability management service.
Unsurprisingly, the pandemic has taken a toll on IT systems and due to an increase in remote working since the pandemic remote desktop (RDP and Secure Shell (SSH) exposure increased by as much as 40% in 2020. Edgescan reported that of the one million public-facing Internet endpoints mapped in 2020, a shocking 21,070 appeared to have an exposed database system. These exposed systems made many companies vulnerable to malware and resulted in a substantial rise in the number of vulnerabilities discovered. The most common CVE discovered last years was Logjam (CVE-2015-4000), a vulnerability with cryptosystems using Diffie-Hellman key exchanges of certain key strengths, facilitating man-in-the-middle attacks.
One of the most commonly discovered critical risk CVE’s found in 2020 was CVE-2018-0598, an untrusted search path vulnerability that allows attackers to gain privileges via a Trojan horse DLL in an unspecified directory. CVE-2015-5600, an OpenSSH vulnerability, and CVE-2019-0708, also known as BlueKeep, the critical bug behind the Wannacry attack of 2018, were the two other most commonly found high critical risk CVEs. BlueKeep (CVE-2019-0708) was also the most frequently occurring CVE’s accounting for almost 30% of malware and ransomware related CVE’s. CVE-2017-0143 was another frequently occurring CVE making up a quarter of all CVE’s detected by Edgescan, while CVE-2017-5638 was the third most commonly recurring CVE.
Most of the frequently occurring CVE’s were located on non-internet facing systems, indicating that there is a cultural trend not to focus on internal vulnerabilities. This type of trend could result in a ransomware/data exfiltration due to a phishing email or a social engineering attack which it unfortunately did. Edgescan found that ransomware increased as a result of end-user attacks, and when coupled with phishing attacks, the total reached almost 50% in 2020. These unpatched vulnerabilities and ransomware attacks have cost already struggling organizations roughly $20 billion, which is a large increase compared to $11.5 billion in the previous year and $8 billion in 2018.
Furthermore, it is also important to note that many of the more common CVE’s were between 1 and 3 years old despite mitigations/patches being available for these vulnerabilities, with almost a third of CVE’s being identified in 2015 or earlier, and the oldest vulnerability discovered in 2020 being 21 years old. These outdated and unpatched vulnerabilities are understandably being taken advantage of by malware with 13.4% of all critical risks discovered in 2020 related to unpatched, unsupported or out-of-date systems. These statistics demonstrate that a number of attacks can be avoided simply by updating systems and patching outdated vulnerabilities.
“We still see high rates of known (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation-states and cyber-criminal groups. So yes, patching and maintenance are still challenges, demonstrating that it is not trivial to patch production systems”, said Eoin Keary, CEO and founder of Edgescan. He went on to say that “the web application layer is where the majority of risk still resides, but some lower layer (Host/Operating system/Protocol) issues, if discovered, could also present headaches if exploited. CVE’s as old as 2015 are being used by ransomware and malware toolkits to exploit systems within “the perimeter“.
Overall, the report has shown that a lack of attention is being paid to patching vulnerabilities.
Although in many cases high and critical risk issues can be more complex and difficult to fix, at other times it can be a simple patch or system configuration tweak. Remediation rates have risen with organisations taking an average of 84 days to remediate high-risk vulnerabilities, while the average remediation time was 60.3 days, making it clear that by faster actions and simple solutions, breaches could be avoided.
As always, the report is very helpful in demonstrating that simple steps can be taken in order to protect thousands of companies, as Eoin Keary said, the report “gives a unique insight into what’s going on from a trends and statistics perspective and indeed a snapshot of the overall state of cybersecurity. [It] has become a reliable source for truly representing the global state of cybersecurity vulnerability management,” and we must take heed of the trends found in 2020 as we move forward into 2021.