By Javvad Malik and Christopher Doman
Every year, AlienVault records billions of anonymised security events from our customers. This telemetry can be aggregated to establish macro trends. And for many years, we have also been comprehensively recording other vendors' threat reports in our Open Threat Exchange (OTX) platform.
We have combined these two data-sets to help provide a blueprint for how to prioritise the response to varied threats. You can find the scripts we used to get this data from our free APIs on GitHub.
Some of the standout findings from our data covering 2017 are:
- The most effective exploits quickly proliferate between a number of criminal and nation state groups. Some remain popular for a number of years after their initial discovery.
- njRat malware variants were the most prevalent malware we saw persisting on networks.
- Of the ten most popular domains associated with malware, four were sinkholed by MalwareTech.
- Confirmation of others’ findings of the changing targeted threat landscape. There has been a significant increase in reports on attackers reportedly located in Russia and North Korea. There has also been a significant drop in reports of activity emanating from groups operating from China.
OTX Trends: Exploits
This is the first of a three part series on the trends we identified in 2017:
- Part 1 focuses on exploits
- Part 2 will talk about the malware of concern and trends
- Part 3 will discuss threat actors and patterns
Which exploits should I be most concerned about?
There are many thousands of exploits that are assigned a CVE number every year, and many more that don’t go reported. If you’re responsible for an organisation’s security, it’s important to know:
Which ones are the most important to patch quickly?
Which ones are being actively exploited in the wild?
What exploits are being reported in vendor reports?
The following table shows exploits in order of the number of times they have been referenced in vendor reports on OTX:
A CVE 2017-0199 sample used by criminals
This table is from a fairly small data-set of approximately 80 vendor reports from this 2017 – but it still provides a number of insights:
Effective exploits proliferate quickly
It has also been heavily abused by criminal gangs such as some of those deploying Dridex.
The most popular vulnerabilities remain exploited for a long period of time
CVE-2012-0158 comes in as the third most referenced vulnerability. Sophos described the exploit as “arguably one of the most exploited vulnerabilities of the last decade” – and it continues to be extremely popular despite being 5 years old. This isn't a new phenomenon. Kaspersky reported that the Stuxnet vulnerability CVE-2010-2568 from 2010 was the exploit most seen by their users in 2015.
The most popular exploits are for Microsoft Windows and Office
Microsoft have exceptionally mature processes to prevent exploits. However, due to their software’s ubiquity, once an exploit does slip through and is discovered, it is used heavily.
The highest ranked exploit for an operating system other than Microsoft Windows is CVE-2013-6282. This has been used by Android malware to escalate privileges once installed on a victim’s phone.
What exploits are our customers seeing?
Using data from customer telemetry, the following table lists the exploits our customers have alerted on, in order of the number of times they have seen each exploit:
This data-set is very large, and consists of many billions of security events. However the data is heavily biased towards “noisy” network based exploit attempts from worms and exploit scanners. This explains why we’re still recording ancient vulnerabilities from 2001 in this table. Overall, we’d recommend the data in the prior table sourced from vendor reports if you’re interested on finding which exploits to prioritize a defense against.
Further work prioritizing exploits based on real world attacks is available from our friends at NopSec and Kenna Security.
Stay tuned for part 2 of this OTX blog series, where we’ll talk about malware trends!