Vulnerability – Security Review Magazine (https://securityreviewmag.com): We bring you the latest from the IT and physical security industry in the Middle East and Africa region. Feed last updated Wed, 14 Aug 2024 07:21:37 +0000.

Rising Cyber Risks: Qualys Reports 30% Jump in CVEs
https://securityreviewmag.com/?p=27044 – Wed, 14 Aug 2024 07:21:37 +0000

According to new research from the Qualys Threat Research Unit (TRU), between January and mid-July the CVE count rose by 30%, from 17,114 in 2023 to 22,254 in 2024. The increase in CVEs reflects rising software complexity and the broader use of technology, necessitating advanced and dynamic vulnerability management strategies to mitigate evolving cybersecurity threats.

A thorough analysis of the 22,254 vulnerabilities reported during the initial seven and a half months of 2024 (up until the research cut-off date of July 21, 2024) reveals that a small subset, 0.91% (almost 1%), has been weaponized, and that a very small fraction accounts for the most severe threats. This subset represents the highest risk, characterized by weaponized exploits, active exploitation by ransomware, threat actors or malware, or confirmed instances of in-the-wild exploitation.

The analysis also indicates an increase in the weaponization of old CVEs since the onset of 2024. Over the last 7.5 months, there has been a notable increase, slightly over 10%, in the weaponization of older CVEs identified before 2024, which is a stark reminder that cybersecurity is not just about staying ahead but also about not falling behind. Some of these vulnerabilities have been trending on the dark web for months. An example is CVE-2023-43208 in NextGen Mirth Connect (Java XStream deserialization, Qualys Vulnerability Score 95/100), which heavily affects systems used by healthcare organizations.

“This resurgence of previously identified vulnerabilities, which mainly impact remote services and public-facing applications, highlights a significant oversight in updating and enforcing cybersecurity protocols. It emphasizes the need to shift from a purely reactive security posture to a more proactive, predictive, and preventative approach,” commented Saeed Abbasi, Product Manager, Vulnerability Research at Qualys TRU. “By adopting a holistic view that incorporates continuous monitoring, rapid patch management, and a deep understanding of the evolving threat landscape, businesses can significantly reduce their vulnerability to cyberattacks. This strategic foresight will protect critical assets and foster trust and resilience in our increasingly interconnected world.”

Mid-2024’s Most Wanted: Top 10 Exploited Vulnerabilities
In 2024, a select group of vulnerabilities have emerged as particularly prevalent targets for cyberattacks. Qualys ranks vulnerabilities based on their prevalence and impact, integrating multiple factors such as CVSS base scores, exploit code maturity, real-time threat indicators, and evidence of active exploitation, among others, for a comprehensive assessment.

This Top 10 ranking reflects their current significance in the cyber threat landscape. This designation is derived from an analysis incorporating data from over 25 distinct threat intelligence sources utilised by Qualys.

Critical Contenders: Just Missed the Cut
While the top 10 list captures the most crucial vulnerabilities of mid-2024, a few just missed the cut but demanded attention due to their high severity and potential impact. These vulnerabilities are critical for organizations to address immediately.

  • CVE-2023-22527 (Atlassian Confluence): This severe remote code execution vulnerability, with a QVS of 95 and a CVSS score of 9.8, allows attackers to run arbitrary code on affected installations.
  • CVE-2023-48788 (FortiClient EMS): This SQL injection flaw, which scores a QVS of 95 and a CVSS of 9.8, poses a high risk by allowing attackers to manipulate databases and access sensitive information.
  • CVE-2024-24919 (Check Point Security Gateways): This information disclosure vulnerability has a slightly lower CVSS score of 8.6 but a QVS of 95, and can leak sensitive data.

All of the above vulnerabilities are listed on the CISA KEV, highlighting their recognized significance, exploitation in the wild, and potential impact. While not included in the top 10, each presents a clear and present danger to network security and requires prompt attention from cybersecurity teams to mitigate risks effectively and protect sensitive systems.

“Adopting a hybrid vulnerability management strategy that combines agent-based and agent-less methods, including network, external, and passive scans, is crucial. This approach is particularly pertinent given that 21.74% of CVEs in the CISA KEV catalogue are actively exploited on network and perimeter devices, underscoring the need for a comprehensive security posture to effectively identify and mitigate vulnerabilities. Organizations must ensure regular updates, diligent patch management, and advanced threat detection systems are in place to mitigate the risks associated with high-critical vulnerabilities,” added Abbasi.

OpenSSH Users Beware: “regreSSHion” Vulnerability Exposes Millions
https://securityreviewmag.com/?p=26889 – Wed, 03 Jul 2024 10:49:00 +0000

The Qualys Threat Research Unit (TRU) has discovered a remote unauthenticated code execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. The CVE assigned to this vulnerability is CVE-2024-6387. The vulnerability, a signal handler race condition in sshd, allows unauthenticated remote code execution as root on glibc-based Linux systems, which presents a significant security risk. This race condition affects sshd in its default configuration.

With over 14 million instances worldwide, regreSSHion is severe and critical, especially for enterprises that rely heavily on OpenSSH for remote server management. OpenSSH is known to be one of the most secure pieces of software in the world. This vulnerability is a glaring gap in an otherwise near-flawless implementation.

Affected OpenSSH versions:

  • OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
  • Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
  • The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
  • OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability.

This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization.

Moreover, gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities. This could also result in significant data breaches and leakage, giving attackers access to all data stored on the system, including sensitive or proprietary information that could be stolen or publicly disclosed.

This vulnerability is challenging to exploit because it is a remote race condition, requiring multiple attempts for a successful attack; exploitation involves triggering memory corruption and overcoming Address Space Layout Randomization (ASLR). Advancements in deep learning may significantly increase the exploitation rate, potentially providing attackers with a substantial advantage in leveraging such security flaws.

Addressing the regreSSHion vulnerability in OpenSSH, which enables remote code execution on Linux systems, demands a focused and layered security approach. Below are concise steps and strategic recommendations for enterprises to safeguard against this significant threat:

  • Patch Management: Quickly apply available patches for OpenSSH and prioritize ongoing update processes.
  • Enhanced Access Control: Limit SSH access through network-based controls to minimize the attack risks.
  • Network Segmentation and Intrusion Detection: Divide networks to restrict unauthorized access and lateral movements within critical environments and deploy systems to monitor and alert on unusual activities indicative of exploitation attempts.
Tenable Research Finds 72% of Organizations Remain Vulnerable to “Nightmare” Log4j Vulnerability
https://securityreviewmag.com/?p=25079 – Mon, 05 Dec 2022 07:45:29 +0000

Tenable has announced the results of a telemetry study examining the scope and impact of the critical Log4j vulnerability, known as Log4Shell, in the months following its initial disclosure. According to the data collected from over 500 million tests, 72% of organizations remained vulnerable to the Log4Shell vulnerability as of October 1, 2022. The data highlights legacy vulnerability remediation challenges, which are the root cause of the majority of data breaches.

When Log4Shell was discovered in December 2021, organizations around the world scrambled to determine their risk. In the weeks following its disclosure, organizations significantly reallocated resources and invested tens of thousands of hours in identification and remediation efforts. One federal cabinet department reported that its security team devoted 33,000 hours to Log4j vulnerability response alone.

Tenable telemetry found that one in 10 assets was vulnerable to Log4Shell as of December 2021, including a wide range of servers, web applications, containers, and IoT devices. October 2022 data showed improvement, with 2.5% of assets vulnerable. Yet nearly one-third (29%) of these assets had recurrences of Log4Shell after full remediation had been achieved.

“Full remediation is very difficult to achieve for a vulnerability that is so pervasive and it’s important to keep in mind that vulnerability remediation is not a ‘one and done’ process,” said Bob Huber, chief security officer, Tenable. “While an organization may have been fully remediated at some point, as they’ve added new assets to their environments, they are likely to encounter Log4Shell again and again. Eradicating Log4Shell is an ongoing battle that calls for organizations to continually assess their environments for the flaw, as well as other known vulnerabilities.”

Other key findings from the data include:

  • 28% of organizations across the globe have fully remediated Log4Shell as of October 1, 2022, a 14-point improvement from May 2022.
  • 53% of organizations were vulnerable to Log4j during the time period of the study, which underscores the pervasive nature of Log4j and the necessary ongoing efforts to remediate it even if full remediation was previously achieved.
  • As of October 2022, 29% of vulnerable assets saw the reintroduction of Log4Shell after full remediation was achieved.
  • Some industries are in better shape than others, with engineering (45%), legal services (38%), financial services (35%), non-profit (33%), and government (30%) leading the pack with the most organizations fully remediated. Approximately 28% of CISA-defined critical infrastructure organizations have fully remediated.
  • Nearly one-third of North American organizations have fully remediated Log4j (28%), followed by Europe, the Middle East and Africa (27%), Asia-Pacific (25%), and Latin America (21%).
  • Similarly, North America leads in the share of organizations that have partially remediated (90%), followed by Europe, the Middle East and Africa (85%), Asia-Pacific (85%), and Latin America (81%).
Attackers Are Using the Log4Shell Vulnerability to Deliver Backdoors to Virtual Servers
https://securityreviewmag.com/?p=24064 – Thu, 31 Mar 2022 07:10:58 +0000

Sophos has released findings on how attackers are using the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers, paving the way for persistent access and future ransomware attacks. A new technical paper, “Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers,” details the tools and techniques used to compromise the servers and deliver three different backdoors and four crypto miners. The backdoors are possibly delivered by Initial Access Brokers.

Log4Shell is a remote code execution vulnerability in the Java logging component, Apache Log4J, which is embedded in hundreds of software products. It was reported and patched in December 2021. “Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated, are particularly vulnerable to exploitation at scale,” said Sean Gallagher, a senior security researcher at Sophos. “Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and crypto miners to unpatched servers, as well as scripts to collect some device information. Sophos believes that some of the backdoors may be delivered by Initial Access Brokers looking to secure persistent remote access to a high-value target that they can sell on to other attackers, such as ransomware operators.”

The multiple attack payloads Sophos detected using Log4Shell to target vulnerable Horizon servers include:

  • Two legitimate remote monitoring and management tools, Atera agent and Splashtop Streamer, likely intended for malicious use as backdoors
  • The malicious Sliver backdoor
  • The cryptominers z0Miner, JavaX miner, Jin and Mimu
  • Several PowerShell-based reverse shells that collect device and backup information

Sophos’ analysis revealed that Sliver is sometimes delivered together with Atera and PowerShell profiling scripts and is used to deliver the Jin and Mimu variants of the XMRig Monero miner botnet. According to Sophos, the attackers are using several different approaches to infect targets. While some of the earlier attacks used Cobalt Strike to stage and execute the crypto miner payloads, the largest wave of attacks, which began in mid-January 2022, executed the crypto miner installer script directly from the Apache Tomcat component of the VMware Horizon server. This wave of attacks is ongoing.

“Sophos’ findings suggest that multiple adversaries are implementing these attacks, so the most important protective step is to upgrade all devices and applications that include Log4J with the patched version of the software. This includes patched versions of VMware Horizon if organizations use the application in their network,” said Gallagher. “Log4J is installed in hundreds of software products and many organizations may be unaware of the vulnerability lurking within their infrastructure, particularly in commercial, open-source, or custom software that doesn’t have regular security support. And while patching is vital, it won’t be enough if attackers have already been able to install a web shell or backdoor in the network. Defense-in-depth and acting upon any detection of miners and other anomalous activity is critical to avoid falling victim to such attacks.”
