2022’s Top Cyber Attack Themes and Threats
February 6, 2023. SOURCE: Horizon3.ai
Researchers with Horizon3.ai have exposed the attack themes and threats that dominated 2022 news cycles and consumed organizational resources in the newly issued “Year in Review 2022: Through the Eyes of the Attacker.”
Extensive testing revealed that the three main causes behind the exploitable weaknesses, vulnerabilities and misconfigurations that arose most frequently throughout 2022 were:
Credential policies that are either too weak, or are unenforced. Most often, attackers don’t “hack” in using sophisticated tools or exploits, they simply “live off the land” and log in with legitimate credentials. Recent research showed that 62% of all detections indexed by the fourth quarter of 2021 were malware-free.
Failures to patch or fix misconfigurations. Many organizations found exploitable vulnerabilities that are several years old and have relatively easy fixes in the form of vendor-provided patches, including from CISA’s Top 15 Routinely Exploited Vulnerabilities list and Known Exploited Vulnerabilities catalog. For example, NodeZero exploited the Remote Desktop Services RCE Vulnerability (CVE-2019-0708) “BlueKeep” 552 times this past year, and EternalBlue (CVE-2017-0144) 565 times. Critical VMware vulnerabilities were exploited 365 times, and misconfigurations and vulnerabilities were also common in popular DevOps tools and resources such as Jenkins (58 instances), GitLab (41 instances), Docker (50 instances) and Kubernetes (54 instances).
A lack of oversight of tools: “But my EDR should’ve stopped that….” was a common refrain among participants whose large investments in EDR solutions failed during pentests. Many companies could not detect an unauthorized host such as NodeZero in their environment and prevent it from dumping a SAM database full of credentials. Often, it was not the tool itself that failed, but rather a failure to properly configure the tool that resulted in the exposure of assets. For example, NodeZero was able to use Windows MITM attacks (NTLM Relay) 1,450 times and captured 138,662 credentials.
Seven percent of the assets tested contributed to or would be directly affected by a critical impact – an event that would cause program failure.
Here are the top 10 vulnerabilities and weaknesses that Horizon3.ai’s NodeZero was able to exploit as a result of these three causes:
1. Weak or reused credentials
2. Weak or default credential checks in protocols (SSH, FTP, Web, etc.)
3. Credential dumping from Windows or Linux hosts
4. Exploitation of critical Cybersecurity and Infrastructure Security Agency (CISA) vulnerabilities
5. Exploitation of critical VMware vulnerabilities
6. Misconfigurations and vulnerabilities in DevOps tools (Jenkins, GitLab, Kubernetes, Docker)
7. Misconfigurations and vulnerabilities in routers, iLOs, and iDRACs
8. Windows Man-in-the-Middle attacks (NTLM relay)
9. Windows Active Directory privilege escalation vectors (Kerberoasting)
10. Zero-day or N-day vulnerabilities (Log4Shell, Fortinet, etc.)
Each vulnerability led to critical impacts, deeper implications, and ultimately to positive action by the customer to remediate them.
“These findings underscore why it’s so crucial to regularly pentest all internal and externally exposed assets and points of entry,” said Snehal Antani, CEO and co-founder of Horizon3.ai. “Many of the vulnerabilities and weaknesses that companies believe they’ve already addressed are, in fact, welcoming entry points for threat actors. Every organization should regularly ask themselves what their threat environment looks like, whether their security tools are appropriately configured and effective, and most importantly – whether their assets and environments are secure.”
Findings are based on examination of companies with highly sophisticated security strategies and systems, derived from seven thousand penetration tests (pentests) on more than a million company assets over the course of the year.
For a copy of “Year in Review 2022 – Through the Eyes of the Attacker” visit https://go.horizon3.ai/2022-Year-in-Review