Hackers were much faster to exploit software bugs in 2021, with the average time to exploitation down from 42 days in 2020 to just 12 days.
That marks a 71% decrease in ‘time to known exploitation’ or TTKE, according to security firm Rapid7’s new 2021 Vulnerability Intelligence Report. The main reason for the reduction in TTKE was a surge in widespread zero-day attacks, many of which were used by ransomware gangs, according to the company.
As Rapid7 notes, 2021 was a grim year for defenders, which kicked off with the SolarWinds Orion supply chain attack which was pinned on Russian state-sponsored hackers. The year ended with the very different Apache Log4j flaw, which had no obvious main attacker but was spread across millions of IT systems.
Google’s Threat Analysis Group (TAG) and Project Zero researchers also have also observed an uptick in zero-day attacks, where attackers are exploiting a flaw before a vendor has released a patch for it.
Rapid7 tracked 33 vulnerabilities disclosed in 2021 it considered to be “widespread”, an additional 10 that were “exploited in the wild”, and seven more where a threat was “impending” because an exploit is available. The company recommends patching impending threats today.
Rapid7’s list excludes browser flaws because they’re already well-covered by Google Project Zero’s zero-day tracker. Instead, Rapid7 focusses on server-side software, meaning its dataset under-represents zero-day exploitation detected in 2021, it said.
Rapid7 highlights several startling trends. For example, in 2021, 52% of widespread threats began with a zero-day exploit.
What’s “unusual and wildly alarming” about this trend, it said, is that these attacks aren’t just highly targeted ones, as was the case in 2020. Instead, last year 85% of these exploits threatened many organizations rather than just a few.
Rapid7 blames much of this trend on the proliferation of affiliates supporting the ransomware industry, which is now dominated by the ransomware-as-a-service model. Last year, 64% of the 33 widely exploited vulnerabilities are known to have been used by ransomware groups, it noted.
Its 2021 “widespread” list includes enterprise software from SAP, Zyxel, SonicWall, Accession, VMware, Microsoft Exchange (the ProxyLogon bugs), F5, GitLan, Pulse Connect, QNAP, Forgerock, Microsoft Windows, Kaseya, SolarWinds, Atlassian, Zoho, Apache HTTP Server and, of course, Apache Log4j.
These flaws affected firewalls, virtual private networks (VPNs), Microsoft’s email server, desktop operating system and cloud, a code sharing platform, remote IT management products, and more.
Many of the bugs were exploited at a time when most people were still remote working and relying on remote access and VPNs to connect to work.
It does however note a few bright spots in 2021, including the US Cybersecurity and Infrastructure Security Agency’s (CISA) frequently updated Known Exploited Vulnerabilities Catalog and its binding directive for federal agencies to patch flaws within a certain timeframe. Also the main reason the security industry can measure such a spike in zero-day attacks is because zero-day exploits are being detected and analyzed quicker.