Cybercriminals have been exploiting vulnerabilities for years, and each year a new list of common vulnerabilities and exposures (CVEs) is tallied by the National Vulnerability Database (NVD). It’s a daunting compilation, with dozens added each day and annual totals exceeding 20,000 in both 2022 and 2023.
But vulnerabilities only tell part of the story. What’s more important is whether cybercriminals are actually taking advantage of them. And even more critical for an individual organization is to understand 1) is a given CVE likely to be used against it? and 2) can it act quickly enough to close the opening before it’s too late?
In our new report State of the Underground 2024, we noted some good news around vulnerabilities. In 2023, the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Catalog of Known Exploited Vulnerabilities listed only 188 new exploited vulnerabilities, a 66% drop from the 2022 total of 556. That’s a stark turnaround from the 2021 to 2022 exploited vulnerabilities trend, which showed exploited vulnerabilities increasing by 44%.
Still, there’s not necessarily a correlation between the decline in new exploited vulnerabilities and the total number of attacks using CVEs or the severity of those attacks. The CISA Catalog of Known Exploited Vulnerabilities essentially says, “Threat actors are entering through this hole.” It doesn’t say how many are doing so, whether holes that they’d ignored in the past are being exploited again, who’s likely to be affected by the intruders, etc.
Getting a handle on CVEs and the dangers they pose
To help organizations understand the impact an exploited vulnerability can cause, the NVD created the Common Vulnerability Scoring System (aka CVSS scores), which provides a numerical (0-10) representation of the severity of a specific vulnerability. The issue with CVSS scores is that they tend to be static: a one-time snapshot of severity recorded when the vulnerability is published. This leads to two problems for those who need to protect their organizations. First, with an overwhelming number of CVEs and exploited vulnerabilities to be mindful of, it’s all but impossible to build an effective strategy to keep their organizations safe. Second, if the information isn’t continually updated with other useful data, an organization may be hit before it realizes that it’s in danger.
Cybersixgill’s Dynamic Vulnerability Exploit (DVE) Intelligence is designed to help our customers overcome these problems. The technology refines vulnerability assessment and prioritization by correlating asset exposure and impact severity data with real-time vulnerability and exploit intelligence.
Cybersixgill monitors the intent and behaviors of cybercriminals by gathering information from the deep, dark, and clear webs. The result is a comprehensive assessment of the likelihood that a vulnerability will be exploited in the next 90 days, available just hours after a CVE is first published, with a score that is updated in real time.
The limitations of the CVSS score
To understand the gap between Cybersixgill’s comprehensive, dynamic system and the standard CVSS scores, consider this list of what we rated as the top 10 CVEs in 2023, as shown in the State of the Underground report.
Note that Cybersixgill ranked all of them as more hazardous to organizations than CISA did, some of them significantly more so. The most critical of all the CVEs is the first one – a vulnerability affecting the MOVEit Transfer web application – that ranked a 10 in Cybersixgill’s list but only 9.1 in the list compiled by CISA. This vulnerability allowed attackers to access the MOVEit Transfer database from its web application without authentication. And they did so quite extensively. More than 200 organizations worldwide were targeted, including government agencies, financial institutions, healthcare providers, and tech companies. Millions of personal and financial records were stolen, and several federal agencies were affected, including the Department of Energy, Department of Agriculture, and Department of Health and Human Services.
The CVE was first disclosed on May 31, 2023, and MOVEit’s vendor released a patch the following day. But the vulnerability had been exploited by cybercriminals before its disclosure, so organizations were advised to perform forensic analysis of their servers to see if they’d been compromised.
Putting the data to use
Of course, it’s not enough just to have a more accurate score. A security team needs to know if the CVE would be relevant to them and then have instructions on how to remediate the vulnerability.
Cybersixgill’s DVE Intelligence scans a company’s attack surface for assets, CVEs, and Common Platform Enumerations (CPEs) that pose the most significant risk to the organization. It also maps CPEs to CVEs to reduce false positives and maps CVEs to MITRE ATT&CK tactics and techniques to provide higher-level insights into the attackers’ objectives. And it delivers instructions, remediation information, and links to the DVE interface to dramatically reduce Mean Time to Remediate.
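The CPE-to-CVE matching and exploit-aware prioritization described above, as an added Python example that is not Cybersixgill’s code: it matches a constructed asset inventory against NVD-style affected-version entries so that a CVE for the wrong version is dropped instead of reported as a false positive, then ranks the real matches by CVSS boosted by a known-exploited flag and a placeholder exploit-intelligence signal. The weighting formula, the CVE IDs and the vendor/product names are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into the components this matcher uses."""
    p = cpe.split(":")
    if len(p) != 13 or p[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return {"part": p[2], "vendor": p[3], "product": p[4], "version": p[5], "target_sw": p[10]}
def vtuple(v: str) -> tuple:
    # Dotted version -> comparable tuple; non-numeric segments count as 0 (a simplification).
    return tuple(int(m.group()) if (m := re.match(r"\d+", s)) else 0 for s in v.split("."))
@dataclass
class AffectedRange:          # mirrors an NVD-style cpeMatch entry
    criteria: str             # CPE 2.3 string; version "*" means "apply the range below"
    start_incl: str = ""      # versionStartIncluding
    end_excl: str = ""        # versionEndExcluding
def cpe_matches(asset_cpe: str, rng: AffectedRange) -> bool:
    """True if the asset's CPE falls inside the affected entry (exact or ranged version)."""
    a, c = parse_cpe(asset_cpe), parse_cpe(rng.criteria)
    if any(c[k] not in ("*", a[k]) for k in ("part", "vendor", "product", "target_sw")):
        return False                          # different product: not a candidate at all
    if c["version"] != "*":
        return c["version"] == a["version"]   # exact-version entry
    av = vtuple(a["version"])
    return not ((rng.start_incl and av < vtuple(rng.start_incl)) or
                (rng.end_excl and av >= vtuple(rng.end_excl)))
@dataclass
class CveRecord:
    cve_id: str
    cvss: float                    # static base score, 0-10
    affected: list                 # AffectedRange entries
    known_exploited: bool = False  # e.g. listed in CISA's KEV catalog
    exploit_chatter: float = 0.0   # 0..1 stand-in for a dynamic exploit-intelligence signal
def prioritise(assets: list, cves: list) -> list:
    """Keep only CVEs that match an asset, then rank by CVSS boosted by exploit context."""
    hits = []
    for cve in cves:
        for asset in assets:
            if any(cpe_matches(asset, r) for r in cve.affected):
                boost = 1.0 + 0.5 * cve.known_exploited + 0.5 * cve.exploit_chatter
                hits.append((cve.cve_id, asset, round(min(cve.cvss * boost, 10.0), 1)))
    return sorted(hits, key=lambda h: -h[2])

# Constructed inventory and CVE records; the CVE IDs are placeholders, not real entries.
ASSETS = ["cpe:2.3:a:examplecorp:transferapp:2023.0.1:*:*:*:*:*:*:*",
          "cpe:2.3:a:examplecorp:portal:4.2:*:*:*:*:*:*:*"]
CVES = [CveRecord("CVE-0000-0001", 9.1, [AffectedRange("cpe:2.3:a:examplecorp:transferapp:*:*:*:*:*:*:*:*", "2020.0", "2023.0.2")], True, 0.9),
        CveRecord("CVE-0000-0002", 9.8, [AffectedRange("cpe:2.3:a:examplecorp:portal:5.0:*:*:*:*:*:*:*")]),
        CveRecord("CVE-0000-0003", 7.5, [AffectedRange("cpe:2.3:a:examplecorp:portal:*:*:*:*:*:*:*:*", "4.0", "4.3")])]
```

Running `prioritise(ASSETS, CVES)` ranks the ranged, known-exploited CVE first at the 10.0 cap despite its lower static CVSS, keeps the portal 4.x CVE at 7.5, and drops the 9.8 CVE entirely because the inventory runs a version it does not affect.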
To learn more about the trends in CVEs and other underground cybercrime trends, download a copy of the State of the Underground 2024. To see how Cybersixgill can help your organization, schedule a demo to see it in action.