As COVID-19 caused widespread panic and threw the world into disarray, cyber-criminals were hard at work trying to take advantage of the situation. From phishing scams to malware-infected websites, there were countless ways for malicious actors to exploit the fear and confusion caused by the pandemic.
While some organizations could weather the storm due to already deployed security measures at different layers, others were racing against time with advanced transformations, ensuring smooth operations. These fast-paced digital and advanced transformations rushed decisions, creating gaps in the security posture. Oversight of cybersecurity in multiple ways only leads towards one concern – an increased attack surface.
It is no surprise that the total number of vulnerabilities identified each year is on the rise. It is important to look at these numbers in terms of severity, affecting CWEs and the associated products impacted due to such flaws.
Vulnerability Analysis
At Cyphere, we analyzed security vulnerabilities throughout the COVID-19 pandemic. This COVID-19 timeline security vulnerability analysis led to a few interesting finds around vulnerability trends by severity, category and affected products.
Throughout the pandemic, around 1600 critical risk vulnerabilities were identified.
The year 2020 saw the highest number (4379) of high-risk vulnerabilities, compared to 4071 high-risk vulnerabilities identified during 2021.
The source data for the above analysis was the National Institute of Standards and Technology (NIST)
Here are the top CWEs from the COVID-19 pandemic in terms of software security vulnerabilities:
- CWE 79 is the most prominent software security flaw since 2018. This is related to improper neutralization of input (cross-site scripting), also included in the OWASP top 10 (A03-injection issues).
- CWE-787, which relates Out of Bound write issues leading to data corruption, crashes or code execution, came second, with 1000-1500 flaws identified yearly since 2018.
- The third CWE relates to CWE-20, indicating lack of input validation was another popular vulnerability. Input validation is often applied to raw data and metadata to ensure the application only allows expected valid input.
How do These Numbers Affect You?
As a user or consumer, it is important to be vigilant and understand the importance of cyber hygiene. Secondly, enterprises must ensure that their digital transformation investments consider cybersecurity an integral part of success.
When a vulnerability is discovered, it is assigned a Common Vulnerabilities and Exposure (CVE) identifier. This is a unique name that identifies a given security issue. Based on the severity and susceptibility to exploits in the wild, vendors often race against time to develop security fixes (patches, updates) to close these issues.
Rising Cyber-Attacks
With cyber-criminals leveraging the opportunity to exploit such flaws, lack of patching often presents a big risk to organizations and sometimes entire industries or internet-wide products. This is how associated products must be proactive in their secure-by-design approach, including rushing to fix security flaws.
Some of the most exploited vulnerabilities during 2021 include:
- Accellion FTA
- Atlassian Confluence
- Apache Log4j
- Citrix products
- Fortinet products
- Microsoft Exchange
- Microsoft Netlogon Protocol (ZeroLogon)
- PulseSecure Connect Secure
- SonicWall products
- VMware vSphere Client
- VMware vCenter
- Zoho ManageEngineAD Selfservice Plus
These are the most exploited products due to critical or high-risk severity flaws providing opportunities for attackers. Successful exploitation of such flaws leads to control over the system or access to internal components that are otherwise controlled with an authentication mechanism.
These products act as boundaries between trusted (internal or corporate networks) and untrusted (internet) zones, providing virtualization capabilities and internal features.
The rise of cyber-attacks is linked to established threat actors, including casual attackers, ultimately coming down to the identified flaws. Attacks have been successful due to either a lack of patching or open opportunities before a patch has been made available by the vendor.
Mitigation Advice
- There is no magic wand that can make all systems impenetrable. However, there are some key actions that you can take to mitigate your risks. As an organization, it is possible that you could be hit with zero-day attacks when a patch is not available; however, your preparation matters. Preparation to reduce the impact of an infected system from further infection, limiting the lateral movements and reducing the impact are all key to reducing the likelihood of an attack, making it difficult for attackers.
- Not to forget the security objectives that keep an organization going, including continuous validation of security controls, triage and risk remediation. Therefore, regular security assessments such as cloud penetration testing, including multi-cloud implementations, and penetration testing of your networks to identify misconfiguration issues, business logic flaws and vulnerabilities.
- Regular vulnerability assessments and threat intelligence to stay on top of your changing attack surface.
- Monitoring endpoints and testing incident response processes are critical to ensure your organization is ready just in case.