TOO SOON TO PATCH? – TIMESPAN FROM EXPOSURE TO ATTACK

This is an excerpt from the SenseCy 2017 Annual Report. To receive the full version of the report, please contact us at CyberThreat.Insider@verint.com

In the past year, the number of disclosed vulnerabilities (14,712) reached an all-time peak – more than twice the count of either of the two previous years: 6,480 vulnerabilities were disclosed in 2015 and 6,447 in 2016. A tremendous number of systems, hardware products and firmware were found to be vulnerable, and many of the flaws have severe consequences and open the front door to high-profile networks.

When it comes to fixing bugs, time passes between the discovery of a vulnerability and the vendor's release of a patch. However, the main problem with vulnerability patching lies not in the vendor's domain but in the company's own remediation gap – i.e. the protracted amount of time it takes to deploy the patch across the company's systems.

According to Kenna Security's 2015 Remediation Gap report, most companies take an average of 100-120 days to patch vulnerabilities, while the probability of a vulnerability being exploited reaches 90% between 40 and 60 days after discovery. These numbers translate into avoidable security incidents in which attackers exploit vulnerabilities for which a patch had been available for weeks and sometimes months before the attack.

In the SenseCy 2017 Annual Report, we chose to inspect exploit-based attacks in terms of the time it takes from the disclosure of a vulnerability, through the development of a suitable exploit (which frequently takes place on underground hacking communities), to its use in the wild. A better understanding of this time frame and its fluctuations may assist organizations in their vulnerability-mitigation plans and mark the critical point after which the risk of an attack on an unpatched system rises sharply.

From the moment a vulnerability is disclosed (particularly when widely used systems are exposed), threat actors race to develop an exploit, either for their own use or for trading on Dark Web forums and marketplaces. This process, which we call "Time-to-Exploit", comprises three stages:

“The Disclosure” – the moment when the vulnerability is first published publicly, either by a security researcher or a vendor.

“The Weaponization” – when we first spot an exploit for the disclosed vulnerability circulating on underground hacking communities. In some cases, PoC code provided by researchers as part of the disclosure process is used as the basis for more sophisticated exploits.

“The Exploitation” – the actual attack in which the exploit is used for malicious purposes.

For the scope of this research, we chose to observe the "time-to-exploit" process by examining five vulnerabilities discovered and exploited over the course of 2017. For each vulnerability, we attempted to identify the exact timing of the three stages above in order to estimate the gaps between them.

For instance, for the SambaCry vulnerability (CVE-2017-7494), we found a span of six days from the exposure of the vulnerability to its first in-the-wild attack.


CVE-2017-7494 is a remote code execution vulnerability in Samba that allows a malicious actor to upload a shared library to a writable share and then cause the server to load and execute it.
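The following is an added example, not code from the SenseCy report, showing the check a defender would run against an `smb.conf` and a Samba version string to decide whether a host is exposed to CVE-2017-7494 in the way the paragraph describes (a writable share plus a vulnerable server). It assumes the fixed releases named in the Samba project's advisory (4.4.14, 4.5.10 and 4.6.4; 4.7 and later shipped after the fix, and 3.5.0 through 4.3.x were affected branches with no fix release) and the advisory's documented workaround, `nt pipe support = no` in `[global]`, which stops the server from opening the attacker's library as a named pipe. The sample configuration is constructed for illustration.

```python
"""Offline exposure check for CVE-2017-7494 ("SambaCry").

Constructed example. Assumptions (see lead-in): fixed releases per the
Samba advisory, and `nt pipe support = no` as the documented workaround.
"""
import re
from typing import Dict

# Patch level at which each affected branch was fixed (assumption from the
# Samba advisory). 3.5-4.3 had no fix release; 4.7+ was never vulnerable.
FIXED_RELEASES = {(4, 4): 14, (4, 5): 10, (4, 6): 4}

TRUE_WORDS = {"yes", "true", "1"}


def _key(name: str) -> str:
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {normalised key: lowercased value}}."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        conf[section][_key(name)] = value.strip().lower()
    return conf


def is_writable(share: Dict[str, str]) -> bool:
    """True when clients may write to the share (needed to drop the .so)."""
    for k in ("writable", "writeable", "writeok"):  # synonyms in smb.conf
        if k in share:
            return share[k] in TRUE_WORDS
    if "readonly" in share:
        return share["readonly"] not in TRUE_WORDS
    return False  # Samba default is read only = yes


def is_vulnerable_version(version: str) -> bool:
    """Compare a 'major.minor.patch' string against the fixed releases."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable Samba version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) < (3, 5) or (major, minor) >= (4, 7):
        return False
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        return True  # affected branch that never received a fix release
    return patch < fixed_patch


def assess(conf_text: str, samba_version: str) -> Dict[str, object]:
    """Combine version, workaround and share checks into one verdict."""
    conf = parse_smb_conf(conf_text)
    glob = conf.get("global", {})
    # Workaround from the advisory: with named pipes disabled the server
    # never dlopen()s the uploaded library, even on a vulnerable build.
    pipes_disabled = glob.get("ntpipesupport", "yes") not in TRUE_WORDS
    writable = sorted(
        name for name, share in conf.items()
        if name not in ("global", "printers", "print$") and is_writable(share)
    )
    vulnerable = is_vulnerable_version(samba_version)
    return {
        "vulnerable_version": vulnerable,
        "nt_pipe_support_disabled": pipes_disabled,
        "writable_shares": writable,
        "exposed": vulnerable and not pipes_disabled and bool(writable),
    }


# Constructed sample smb.conf: one writable share, one read-only share.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server

[public]
   path = /srv/samba/public
   read only = no
   guest ok = yes

[docs]
   path = /srv/samba/docs
   writable = no
"""

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_SMB_CONF, "4.5.9"), indent=2))
```

The three inputs are deliberately kept separate in the result so that a fleet-wide sweep can distinguish hosts that are fixed by version, hosts mitigated only by the workaround, and hosts that are vulnerable but have no share an attacker could write to.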

The vulnerability was publicly disclosed on May 24, 2017, and a PoC exploit was published the same day. We identified discussions of the vulnerability on underground sources from May 24, 2017 onward.

A discussion regarding CVE-2017-7494 from a Spanish-speaking hacking forum. Source: Verint DarkAlert

The first malicious exploitation of this vulnerability was observed on May 30, 2017, when it was used in a cryptocurrency-mining campaign: the exploit served to download a utility for mining the open-source cryptocurrency Monero.

An exploit for CVE-2017-7494 is shared on an underground marketplace. Source: Verint DarkAlert

A later attack incorporating this exploit took place on July 3, 2017, when malware dubbed SHELLBIND targeted network-attached storage (NAS) and other IoT devices.

RESEARCH CONCLUSIONS

In most of the cases examined, our research found an average of just one week from the disclosure of the vulnerability, through the development of and trade in suitable exploits, to its exploitation in the wild. Periods as short as two days from disclosure to exploitation were also found, underlining the urgency of patching systems as soon as possible.

However, a much longer time to exploitation was also evidenced, as in the case of CVE-2017-8759, where the first attacks exploiting the vulnerability reportedly occurred approximately nine weeks after its disclosure (excluding the 0-day attacks that preceded the disclosure). Here we must take into consideration a limitation of the research: we could only examine attacks reported in the press. Other attacks may have taken place much closer to the disclosure date but were not discovered or reported.

During our research, we identified high motivation among cybercriminals to exploit newly disclosed vulnerabilities, especially those found in widely used software such as Microsoft Office. Discussions of published vulnerabilities appeared mere hours after public disclosure, including sharing of the PoC exploit code, suggestions for modifying it, and trading in self-developed exploits. Depending on the complexity of the vulnerability, it took cybercriminals only days to develop working exploits once the vulnerability was disclosed.

To summarize, this research indicates that while immediate patching is always the best option, the maximum delay an organization can allow is 4-5 days from the disclosure of the vulnerability. Beyond that point, the risk of attacks exploiting the vulnerability increases steeply, as malicious actors have had sufficient time to arm themselves with the exploits circulating on the Dark Web.
