According to a new study, the administrators of large network resources have very little time to protect themselves from new security gaps in their systems. As soon as information on a new vulnerability is published online, attackers begin searching for it within 15 minutes. These are not necessarily professionals: the initial data can be collected by amateurs, who then sell what they have gathered on the darknet.
According to Unit 42's Incident Response Report 2022, hackers keep an eye on security announcements by developers and researchers that relate to newly discovered vulnerabilities.
The first attempts to exploit a new vulnerability begin within hours of public disclosure, allowing intruders to gain access to the targeted resources before corrective patches are installed. As an example, the response to CVE-2022-1388 in F5 BIG-IP products: the vulnerability was published on 4 May 2022, and 2552 attempts to scan for and exploit it were recorded within 10 hours of publication.
In the first half of 2022, the report found that the most exploited vulnerabilities for gaining access to systems were the ProxyShell exploit chain, which accounted for 55% of all reported cases of forced entry. ProxyShell is an attack that combines three vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.
Curiously, Log4Shell is only in second place, at 14%. Another 7% of attacks target SonicWall, 5% ProxyLogon, and the RCE in Zoho ManageEngine ADSelfService Plus was used in 3% of cases. It is easy to see that most attacks target vulnerabilities that are not new at all: the tooling is already developed and requires little skill. But this does not mean that new vulnerabilities are relatively safe. Above all, these are holes in the best-protected systems, whose administrators respond to threats most rapidly. It is precisely these systems that professional hackers attack in the first hours, hoping the administrators will be late to respond.
As for the initial entry into vulnerable systems, software vulnerabilities account for about a third of cases. Phishing enables 37% of break-ins. Another 15% fall to brute-force entry and compromised credentials. Social engineering and bribery methods account for a further 10% of entries. This means that the race against time to apply patches matters chiefly for serious networks, while ordinary users part with their confidential data mainly through carelessness or negligence.