GreyNoise Intelligence, the cybersecurity company analysing internet scanning traffic to separate threats from background noise, has unveiled its inaugural 2022 Mass Exploitation Report, a research report that dives deep into the most significant Threat Detection events of the past 12 months.
Bob Rudis, Vice President Research & Data Science, GreyNoise Intelligence, says, “When it comes to cybersecurity, not all vulnerabilities are created equal, and many of the ones that garner media attention actually turn out to be insignificant.
“GreyNoise is in a unique position to help organisations understand what technologies are under mass exploitation, and provides critical tools and data to help security analysts prioritise patching, identify and block malicious sources with confidence, and stay ahead of adversaries.”
GreyNoise added more than 230 new detection tags in 2022, representing an increase of approximately 38% from 2021. For its 2022 Mass Exploitation Report, GreyNoise researchers provide insights into:
- The celebrity vulnerability hype cycle, with a breakdown of the CVE-2022-1388, an F5 Big-IP iControl REST Authentication Bypass
- How hard attackers will work to never let a critical vulnerability go to waste by looking at the depth and breadth of CVE-2022-26134, a critical weakness in Atlassian Confluence
- The impact of the CISA Known Exploited Vulnerabilities catalogue releases on defenders
In addition to insights about the most significant threat detection events of 2022, the 2022 Mass Exploitation Report offers predictions for 2023 from GreyNoise VP Data Science Bob Rudis. He says, expect daily, persistent internet-facing exploit attempts.
Rudis comments, “We see Log4j attack payloads every day. It’s part of the new ‘background noise’ of the internet, and the exploit code has been baked into numerous kits used by adversaries of every level.
"It’s very low risk for attackers to look for newly-exposed or re-exposed hosts, with the weakness unpatched or unmitigated. This means organisations must continue to be deliberate and diligent when placing services on the internet.”
Another key finding from Rudis is that enterprises should expect more post-initial access internal attacks.
He says, “CISA’s database of software affected by the Log4j weakness stopped receiving regular updates earlier this year. The last update showed either ‘Unknown’ or ‘Affected’ status for ~35% (~1,550) of products catalogued. Attackers know that existing products have embedded Log4j weaknesses, and have already used the exploit in ransomware campaigns. If you have not yet dealt with your internal Log4j patching, early 2023 would be a good time to do so.”
Finally, Rudis says, expect at least a handful of headline-grabbing Log4j-centric attacks.
He says, “Organisations have to strive for perfection, while attackers need only persistence and luck to find that one device or service that is still exposing a weakness. We will see more organisations impacted by this, and it is vital you do what you can to ensure yours isn’t one of them.”