High Profile Global Vulnerabilities

The following list of top vulnerabilities is based on data collected by the Check Point Intrusion Prevention System (IPS) sensor net and details some of the most popular and interesting attack techniques and exploits observed by Check Point Research (CPR) in 2022.


ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207)

This is the name given to an attack chain that exploits three vulnerabilities in Microsoft’s Exchange Server. Combining these vulnerabilities allows unauthenticated attackers to perform Remote Code Execution (RCE) on vulnerable servers. Although all three vulnerabilities were reported and patched in 2021, they remained at the top of the most-exploited vulnerabilities list in 2022. Some of the reasons for their popularity with attackers are their simple exploitation, the prevalence of MS Exchange servers in government and large businesses, and the fact that they were thoroughly analyzed and discussed by researchers. Check Point data shows that 21% of our customers were impacted by ProxyShell attempts in 2022. ProxyShell vulnerabilities have been exploited for a variety of motivations: by financially motivated threat actors to deploy ransomware, for espionage in the Middle East and Africa, and by Iranian APT entities to gain access to American, Australian, Canadian and UK entities. Check Point Incident Response Team (CPIRT) investigations found ProxyShell exploitation in one in every six attack cases. Together with ProxyLogon and the recently reported ProxyNotShell, these MS Exchange vulnerabilities constitute a significant attack surface, frequently exploited in the wild and often resulting in major breaches.

Follina in Microsoft Office (CVE-2022-30190)

Reported in May 2022, this vulnerability in the Microsoft Support Diagnostic Tool (MSDT) is exploited using Microsoft Office documents. Microsoft has gone a long way in its effort to reduce attacks that use Office documents by disabling macros in documents from external sources. Exploiting the new Follina vulnerability, attackers are now using specially crafted .docx and .rtf documents to download and execute malicious code even in Protected Mode and when macros are disabled. Despite Microsoft’s mitigation efforts, threat actors have exploited Follina on unpatched systems to deploy Qbot and other RATs, making Follina one of the most frequently used vulnerabilities discovered in 2022 and contributing to the popularity of malicious Office documents.
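The paragraph above describes Follina as an Office-document vector that runs code without macros. From a detection standpoint, the documents used for this rely on the package's relationship XML rather than on VBA, so a scanner can look there instead of at macro streams. The following is an added example written for this page, not Check Point's code and not the detection logic of its IPS product. It assumes the delivery pattern publicly documented for CVE-2022-30190: a .docx whose word/_rels/document.xml.rels carries an external OLE-object relationship that fetches a remote resource, which in turn invokes the ms-msdt: URL protocol. The scanner flags an OLE object loaded from an HTTP(S) URL or any relationship target using the ms-msdt: scheme, while leaving ordinary external hyperlinks alone. The sample packages are constructed in memory with placeholder targets and contain no exploit.

```python
"""Flag Office documents whose relationship XML points Word at a remote OLE object
or at the ms-msdt: URL protocol, the delivery pattern used for Follina.

Added example (not Check Point's code). The sample packages are constructed in
memory with placeholder targets; they contain no exploit."""
import io
import re
import zipfile
from typing import List, Tuple

# Real OOXML relationship type URIs.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

MSDT_SCHEME = re.compile(r"^\s*ms-msdt:", re.IGNORECASE)
REMOTE_SCHEME = re.compile(r"^\s*https?://", re.IGNORECASE)
REL_TAG = re.compile(r"<Relationship\b[^>]*>", re.IGNORECASE)   # single Relationship elements only
ATTR = re.compile(r'(\w+)="([^"]*)"')


def external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_file, Type, Target) for every TargetMode="External" relationship
    found in any .rels part of the OOXML package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for tag in REL_TAG.findall(xml):
                attrs = dict(ATTR.findall(tag))
                if attrs.get("TargetMode", "").lower() == "external":
                    found.append((name, attrs.get("Type", ""), attrs.get("Target", "")))
    return found


def find_suspicious(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (reason, target) pairs. Ordinary external hyperlinks are not flagged;
    an OLE object fetched over HTTP(S) or any ms-msdt: target is."""
    hits = []
    for _, rel_type, target in external_relationships(docx_bytes):
        if MSDT_SCHEME.match(target):
            hits.append(("ms-msdt URL scheme in relationship target", target))
        elif rel_type == OLE_REL_TYPE and REMOTE_SCHEME.match(target):
            hits.append(("OLE object loaded from a remote URL", target))
    return hits


def build_sample_docx(rel_type: str, target: str) -> bytes:
    """Construct a minimal OOXML package with one external relationship (test data only)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{rel_type}" Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a valid Word file
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples; the remote host is a reserved .invalid name.
    remote_ole = build_sample_docx(OLE_REL_TYPE, "http://example.invalid/stage.html")
    msdt = build_sample_docx(OLE_REL_TYPE, "ms-msdt:/PLACEHOLDER")
    benign = build_sample_docx(HYPERLINK_REL_TYPE, "https://example.invalid/")
    for label, doc in (("remote_ole", remote_ole), ("msdt", msdt), ("benign", benign)):
        print(label, find_suspicious(doc))
```

The heuristic is deliberately narrow: a hyperlink to a remote site is normal in business documents, but Word fetching an OLE object from a web server at open time is not, and that is the step the patch and Microsoft's interim workaround (unregistering the ms-msdt: URL protocol handler) were aimed at. The same check applies to .dotm and .xlsx packages, since they share the OOXML relationship format; .rtf documents are not zip containers and would need a separate text scan for the same scheme.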


Fortinet CVE-2022-40684 and CVE-2022-42475

Two critical bugs reported in October (CVSS score: 9.6) and December (CVSS score: 9.3) in Fortinet products allow unauthenticated attackers to execute arbitrary code via specially crafted requests. The company notified customers of in-the-wild exploitation and issued updates, while CISA warned of significant risk to the federal enterprise. Exploitation attempts of CVE-2022-40684 in the last three months impacted 18% of organizations.

New vulnerabilities discovered and reported in 2022 were quickly weaponized and used by threat actors this year. Compared to only 2% of attacks in 2021 using same-year vulnerabilities, this year they were observed in 6% of the attacks monitored by Check Point. In addition to the vulnerabilities reviewed above, the Atlassian Confluence RCE (CVE-2022-26134) and F5 BIG-IP (CVE-2022-1388) vulnerabilities reviewed in our midyear report contributed their share of new exploitation attempts. Our data shows that vulnerabilities reported in the last three years made up 24% of exploitation attempts, compared to only 18% in 2021. This indicates an upgrade in threat actors’ competence and integration ability, especially manifested in cloud-based attacks, where 27% of the attacks leveraged new vulnerabilities (2020-2022).


Exploitation of older vulnerabilities continued with widely used 2017 CVEs, including the Apache Struts2 Remote Code Execution (CVE-2017-5638), which is used by botnets, and the PHPUnit remote code execution (CVE-2017-9841), still used to exploit vulnerable WordPress plugins. Information collected by the CPIRT shows that the proportion of newly reported vulnerabilities in successful attacks is even higher, with the ProxyShell vulnerabilities alone used in 17% of investigated cases. This demonstrates that while exploitation attempts against 4-5 year old vulnerabilities are widespread, successful attacks more often rely on newly discovered flaws, exploited before they are patched. The “long tail” phenomenon of vulnerability exploitation persists, with 50% of attacks in the wild targeting vulnerabilities reported before 2017. These are mostly less effective and used by less advanced attackers. These findings once again highlight the importance of timely system patching.


Percentage of attacks leveraging vulnerabilities by disclosure year in 2022

Disclosure year    Share of attacks
2022               6%
2021               9%
2020               9%
2019               5%
2018               10%
2017               12%
2016               7%
2015               11%
2014               10%
2013               4%
2012               7%
Earlier            10%