blog.qualys.com
Open in
urlscan Pro
35.230.125.173
Public Scan
URL:
https://blog.qualys.com/vulnerabilities-threat-research/2023/12/19/2023-threat-landscape-year-in-review-part-one
Submission: On December 20 via api from TR — Scanned from DE
Submission: On December 20 via api from TR — Scanned from DE
Form analysis 2 forms found in the DOM
POST https://blog.qualys.com/wp-comments-post.php?wpe-comment-post=qualysblog
<form action="https://blog.qualys.com/wp-comments-post.php?wpe-comment-post=qualysblog" method="post" id="commentform" class="comment-form">
<p class="comment-notes"><span id="email-notes">Your email address will not be published.</span> <span class="required-field-message">Required fields are marked <span class="required">*</span></span></p>
<p class="comment-form-comment"><label for="comment">Comment</label><textarea id="comment" name="comment" cols="45" rows="6" minlength="10" placeholder="Share your thoughts" aria-required="true" required=""></textarea></p>
<div class="field-wrapper">
<p class="comment-form-author"><label for="author">Name</label><input id="author" name="author" type="text" placeholder="Name" value="" size="20" minlength="4" required=""></p>
<p class="comment-form-email"><label for="email">Email</label><input id="email" name="email" type="email" placeholder="Email" value="" size="30" required=""></p>
</div>
<p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"> <label for="wp-comment-cookies-consent">Save my name, email, and website in this browser for the next time
I comment.</label></p>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="submit" value="POST"> <input type="hidden" name="comment_post_ID" value="34586" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="a81cadb751"></p>
<p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="1703038795967">
<script>
document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form><form id="jp-carousel-comment-form">
<label for="jp-carousel-comment-form-comment-field" class="screen-reader-text">Write a Comment...</label>
<textarea name="comment" class="jp-carousel-comment-form-field jp-carousel-comment-form-textarea" id="jp-carousel-comment-form-comment-field" placeholder="Write a Comment..."></textarea>
<div id="jp-carousel-comment-form-submit-and-info-wrapper">
<div id="jp-carousel-comment-form-commenting-as">
<fieldset>
<label for="jp-carousel-comment-form-email-field">Email (Required)</label>
<input type="text" name="email" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-email-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-author-field">Name (Required)</label>
<input type="text" name="author" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-author-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-url-field">Website</label>
<input type="text" name="url" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-url-field">
</fieldset>
</div>
<input type="submit" name="submit" class="jp-carousel-comment-form-button" id="jp-carousel-comment-form-button-submit" value="Post Comment">
</div>
</form>Text Content
* Discussions
* Back to main menu
* BROWSE BY TOPICBROWSE BY TOPIC
* Global IT Asset Management
* IT Security
* Compliance
* Cloud & Container Security
* Web App Security
* Certificate Security & SSL Labs
* Developer API
* Cloud Platform
* Start a discussion
* Blog
* Training
* Docs
* Support
*
Community
SearchLoading
Blog Home
2023 THREAT LANDSCAPE YEAR IN REVIEW: IF EVERYTHING IS CRITICAL, NOTHING IS
Saeed Abbasi, Product Manager - Threat Research Unit, Qualys
December 19, 2023December 19, 2023 - 11 min read
9
TABLE OF CONTENTS
* 2023 Statistics
* 2023 Vulnerability Threat Landscape
* Top Vulnerability Types
* Key Insights
* Top MITRE ATT&CK Tactics & Techniques
* Most Active Threats
* Conclusion
As 2023 nears its end, it’s time to pause and reflect. It’s time to assess what
worked and what didn’t, what caught our attention and caused disruption, and
what went unnoticed. More importantly, we need to know what lessons we learned
from 2023 so that we can do a better job of managing risk in the coming year. In
line with this, the Qualys Threat Research Unit has prepared a comprehensive
blog series to review the threat landscape in 2023.
Key Takeaways:
* Less than one percent of vulnerabilities contributed to the highest risk and
were routinely exploited in the wild.
* 97 high-risk vulnerabilities, likely to be exploited, were not part of the
CISA Known Exploited Vulnerabilities (KEV) catalog.
* 25 percent of these security vulnerabilities were immediately targeted for
exploitation, with the exploit being published on the same day as the
vulnerability itself was publicly disclosed.
* 1/3 of high-risk vulnerabilities impacted network devices and web
applications.
* Exploitation of remote services, exploitation of public-facing applications,
and exploitation for privilege escalation are the top three MITRE ATT&CK
tactics.
2023 STATISTICS
As of this writing, 26,447 vulnerabilities were disclosed in 2023, eclipsing the
total number of vulnerabilities disclosed in 2022 by over 1,500 CVEs. This
continues the years-long trajectory of more vulnerabilities being found than the
year before.
However, not all vulnerabilities present a high risk; in fact, a small subset
(less than 1%) contributes the highest risk. These particularly critical
vulnerabilities are ones that have a weaponized exploit, are actively exploited
by ransomware, threat actors, and malware, or have confirmed evidence of
exploitation in the wild. It is these vulnerabilities that we will examine in
detail.
2023 VULNERABILITY THREAT LANDSCAPE
Let’s take a deeper look into the breakdown of 2023’s vulnerabilities.
The Qualys Threat Research Unit (TRU) analyzed the high-risk vulnerabilities to
get more insights and discuss common trends. The TRU inspected which were most
exploited, what attack methods and tactics were used, and what strategies we can
use to fortify defenses against them. Some highlights of their findings:
* Over 7,000 vulnerabilities had proof-of-concept exploit code. These
vulnerabilities could result in successful exploitation; however, the exploit
code is typically of lower quality, which may reduce the likelihood of a
successful attack.
* 206 vulnerabilities had weaponized exploit code available. Exploits for these
vulnerabilities are highly likely to compromise the target system if used.
* There were 115 vulnerabilities routinely exploited by threat actors, malware,
and ransomware groups such as CL0P.
* Of the vulnerabilities observed, 109 had known evidence of exploitation and
were listed in the CISA KEV.
* 97 vulnerabilities were exploited in the wild but were not included in the
CISA KEV list. Note: Organizations that prioritize based on the CISA KEV
should pay special attention to these CVEs.
* Ransomware groups such as LockBit and Cerber exploited 20 vulnerabilities.
* Additionally, 15 vulnerabilities were exploited by malware and botnet groups.
TOP VULNERABILITY TYPES
More than a third of the high-risk vulnerabilities identified could be exploited
remotely. The five most prevalent types of vulnerabilities comprised over 70
percent of the total discovered. This underscores the critical need for a
comprehensive vulnerability management strategy that includes remote scanning
capabilities, not solely relying on agent-based methods.
Fig 3. Prevalence of Key Vulnerability Types in Various Product Types
KEY INSIGHTS
MEAN TIME TO EXPLOIT HIGH-RISK VULNERABILITIES IN 2023
In 2023, we witnessed a critical trend in exploiting high-risk vulnerabilities.
Our analysis reveals a startling insight into how quickly attackers capitalize
on these vulnerabilities.
The mean time to exploit vulnerabilities in 2023 stands at 44 days (about
one-and-a-half months).
However, this average masks the urgency of the situation. In numerous instances,
vulnerabilities had exploit available on the very day they were published. This
immediate action represents a shift in the modus operandi of attackers,
highlighting their growing efficiency and the ever-decreasing window for
response by defenders.
Let’s take a closer look at the data between zero to 25 days.
Twenty-five Percent of High-Risk CVEs Exploited on the Day of Publication: A
staggering 25 percent of these security vulnerabilities were immediately
targeted for exploitation, with the exploit published on the same day the
vulnerability itself was publicly disclosed. This statistic serves as a wake-up
call for organizations to adopt a proactive stance toward patch management and
threat intelligence.
Three-Week Window: The data further shows that 75 percent of vulnerabilities
were exploited within 19 days (approximately three weeks) of publication. This
timeline offers a crucial window for organizations to prioritize and address the
most critical vulnerabilities.
ONE-THIRD OF HIGH-RISK VULNERABILITIES FOUND IN NETWORK INFRASTRUCTURE & WEB
APPLICATIONS
A substantial 32.5% of the 206 identified vulnerabilities reside within the
networking infrastructure or web application domains—sectors traditionally
difficult to safeguard through conventional means.
Fig 6. The Exploited Vulnerabilities by Product Type in 2023
This highlights the necessity of a comprehensive vulnerability management
strategy. By deploying a variety of vulnerability management methods, including
agent-based, agent-less, and network-based techniques, organizations can ensure
extensive and proactive protection across all IT assets. Such a multi-pronged
strategy is essential for effectively detecting and remediating threats, thereby
bolstering security and compliance in areas particularly susceptible to
sophisticated cyber risks. Qualys broadens the scope of protection by
encompassing agent support as well as network, external, and passive scanning
capabilities, granting organizations a detailed and diverse view of their
security posture.
MORE THAN 50 PERCENT OF HIGH-RISK VULNERABILITIES EXPLOITED BY THREAT ACTORS &
RANSOMWARE GROUPS
Of the 206 high-risk vulnerabilities we tracked, more than 50 percent were
leveraged by threat actors, ransomware, or malware to compromise systems.
* 115 exploited by named threat actors.
* 20 exploited by ransomware.
* 15 exploited by malware and botnets.
The vulnerabilities identified span an extensive set of systems and
applications, including, but not limited to, PaperCut NG, MOVEit Transfer,
various Windows operating systems, Google Chrome, Atlassian Confluence, and
Apache ActiveMQ. This breadth showcases that no application is beyond the reach
of attackers, who are determined to exploit any vulnerability to compromise
systems.
Notably, many of these vulnerabilities, such as those found in MOVEit Transfer,
Windows SmartScreen, and Google Chrome, are exploitable remotely, obviating the
need for physical access to the targeted system.
Certain vulnerabilities permit attackers to circumvent authentication
mechanisms, as observed with the vulnerabilities in PaperCut NG, or to escalate
their privileges, such as with the Windows Common Log File System Driver
vulnerabilities. These types of vulnerabilities are particularly alarming due to
their potential to grant attackers higher levels of access, thereby simplifying
system compromise and data exfiltration efforts.
Moreover, vulnerabilities found in platforms like Fortra GoAnywhere MFT and
Apache ActiveMQ are capable of facilitating remote code execution or command
injection. These allow attackers to run arbitrary commands, which could lead to
full system control.
Cybersecurity threats, often targeting specific software versions as seen in
MOVEit Transfer, require a dynamic and comprehensive strategy. This includes
regular updates, patches, vulnerability assessments, and robust authentication.
Proactive and preventive measures are crucial for effective defense against
these evolving and complex threats rather than merely reactive responses.
TOP MITRE ATT&CK TACTICS & TECHNIQUES
In 2023, all 206 vulnerabilities in our dataset were weaponized, offering a
stark view into the tactics employed by cyber adversaries. Here, we look at the
top MITRE ATT&CK techniques and methods used in these exploits, shedding light
on the most prevalent avenues of cyberattacks:
Fig 7. Top MITRE ATT&CK Tactics & Techniques Occurrence
1. Exploitation of Remote Services (T1210 & T0866): This is the most frequently
observed method, with 72 occurrences in enterprise environments and 24 in
industrial control systems (ICS). This technique, utilized for initial
access and lateral movement, highlights the importance of securing remote
service protocols against unauthorized access and exploitation.
2. Exploitation of Public-Facing Applications (T1190 & T0819): Occurring 53
times in enterprise domains and 19 times in ICS, this technique targets
applications accessible from the internet. It’s a favored initial access
route for attackers, showcasing the critical need for robust external-facing
application security.
3. Exploitation for Privilege Escalation (T1068): Noted 20 times, this
technique involves attackers exploiting vulnerabilities to gain higher
privileges within a system. Its occurrence underlines the need for effective
privilege management and monitoring within enterprise networks.
In addition to the dominant methods, 2023 also saw other tactics contributing to
the diverse threat matrix, like:
* Exploitation for Client Execution (T1203)
* Privilege Escalation in Mobile (T1404)
* Application/System Exploitation (T1499.004)
* External Remote Services (T1133)
* Drive-by Compromise (T1189)
* Privilege Escalation in ICS (T0890)
* Malicious Link (T1204.001)
* Remote Services Exploitation in Mobile (T1428)
Each of these techniques represents a distinct challenge in cybersecurity,
offering insights into the evolving tactics of cyber adversaries. From
exploiting public-facing applications to leveraging remote services and
executing privilege escalation, these methods paint a picture of a sophisticated
and multifaceted threat landscape. Understanding these prevalent attack
techniques is crucial for developing more effective defense strategies and
reinforcing cybersecurity measures against these prevalent threats.
MOST ACTIVE THREATS
MOST EXPLOITED VULNERABILITIES
This year, certain vulnerabilities stood out as the most frequently exploited.
These include:
CVE-2023-0669, CVE-2023-20887, CVE-2023-22952, CVE-2023-23397, CVE-2023-24880,
CVE-2023-27350, CVE-2023-28252, CVE-2023-2868, CVE-2023-29059, CVE-2023-34362
The volume of exploits of these vulnerabilities indicates trending attack
vectors and emphasizes the need for targeted defensive strategies.
CVETitleQualys Vulnerability Score (QVS)CVE-2023-0669Fortra GoAnywhere Managed
File Transfer (MFT) RCE Vulnerability95CVE-2023-20887VMware Aria Operations for
Networks Command Injection Vulnerability95CVE-2023-22952SugarCRM Remote Code
Execution (RCE) Vulnerability95CVE-2023-23397Microsoft Outlook Elevation of
Privilege Vulnerability95CVE-2023-24880Windows SmartScreen Security Feature
Bypass Vulnerability95CVE-2023-27350PaperCut NG/MF Multiple Security
Vulnerabilities100CVE-2023-28252Windows Common Log File System Driver Elevation
of Privilege Vulnerability95CVE-2023-2868Barracuda Email Security Gateway
Vulnerability95CVE-2023-290593CX Desktop Client Supply Chain
Vulnerability95CVE-2023-34362MOVEit Transfer Injection Vulnerability100
See our blog post for a detailed list of the most exploited vulnerabilities.
MOST ACTIVE THREAT ACTORS OF 2023
In 2023, the cyber landscape was shaken by TA505, also known as the CL0P
Ransomware Gang. This group masterminded a high-profile cyberattack by
exploiting zero-day vulnerabilities, and they notably exploited zero-day
vulnerabilities in key platforms like GoAnywhere MFT, PaperCut, MOVEit, and
SysAid. Their sophisticated use of diverse malware types for information
gathering and attack facilitation marked them as a significant threat. The
severity of their actions prompted advisories from the Cybersecurity and
Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation
(FBI), highlighting the need for improved cybersecurity measures.
MOST ACTIVE MALWARE OF 2023
In 2023, LockBit and Clop have been prominent in the ransomware arena. LockBit,
using its advanced ransomware-as-a-service model, has targeted a range of
organizations, including in the IT and finance sectors. Notably, LockBit
exploited vulnerabilities such as CVE-2023-27350 in PaperCut NG and
CVE-2023-0699 in Google Chrome, allowing remote attackers to bypass
authentication and exploit heap corruption.
Clop, known for exploiting vulnerabilities, has conducted extensive attacks on
large enterprises, notably in the finance, IT, and healthcare sectors. Clop’s
activities included exploiting CVE-2023-27350, CVE-2023-34362, CVE-2023-0669,
and CVE-2023-35036. These vulnerabilities ranged from SQL injection in MOVEit
Transfer, allowing database access, to a pre-authentication command injection in
GoAnywhere MFT and bypassing authentication in PaperCut NG.
The cybersecurity landscape is evolving, with the proliferation of hacking tools
and knowledge allowing less skilled hackers to exploit vulnerabilities once only
accessible to highly sophisticated attackers. This broadens the attacker
spectrum to include advanced hackers, less experienced malicious cyber actors,
and digital activists, marking a significant shift in cyber threat dynamics.
These instances highlight the speed with which vulnerabilities can escalate from
publication to weaponized exploit to exploitation and illustrate the immediacy
with which cyber threats evolve upon the disclosure of vulnerabilities. This
rapid evolution from publication to exploitation and weaponization emphasizes
the critical need for organizations to monitor disclosures closely and implement
rapid response mechanisms to mitigate potential attacks.
Qualys VMDR with TruRisk streamlines the prioritization of exploited
vulnerabilities by providing a clear TruRisk Score (QVS) for each vulnerability.
This scoring system, easily understood by technical and non-technical teams,
helps identify high-risk issues. Vulnerabilities with a QVS over 90, which
TruRisk consistently evaluates, should be prioritized and addressed promptly for
effective risk management.
CONCLUSION
As we conclude our analysis of the threat landscape in 2023, it’s evident that
the rapid pace of vulnerability weaponization and the diversity of threat actors
pose significant challenges for organizations globally. Here are a few key
recommendations to reduce risk:
* To accurately assess the genuine risk presented by open vulnerabilities
within their organization, it’s essential that businesses employ a
comprehensive set of sensors, ranging from agent to network scanners to
external scanners.
* Thoroughly inventory all public-facing applications and remote services to
ensure they are not vulnerable to high-risk vulnerabilities.
* Employ a multifaceted approach to the prioritization of vulnerabilities.
Focus on those known to be exploited in the wild (start with the CISA KEV),
those with a high likelihood of exploitation (indicated by a high EPSS
score), and those with weaponized exploit code available.
These recommendations will help reinforce the critical need for a robust,
proactive approach to vulnerability and risk management, especially in an
increasingly sophisticated and pervasive era of cyber threats.
RELATED
Launching Qualys Cloud Threat DatabaseFebruary 8, 2023In "Product and Tech"
Qualys Survey of Top 10 Exploited Vulnerabilities in 2023September 26, 2023In
"Qualys Insights"
Part 1: An In-Depth Look at the Latest Vulnerability Threat LandscapeJuly 11,
2023In "Product and Tech"
Written by
Saeed Abbasi, Product Manager - Threat Research Unit, Qualys
Write to Saeed at sabbasi@qualys.com
Like
9
Share
*
*
*
*
RELATED CONTENT
2023 statistics, 2023 threat landscape review, vulnerability threat landscape
2023
Share your Comments
COMMENTS CANCEL REPLY
Your email address will not be published. Required fields are marked *
Comment
Name
Email
Save my name, email, and website in this browser for the next time I comment.
Δ
JOIN THE DISCUSSION TODAY!
Learn more about Qualys and industry best practices.
Share what you know and build a reputation.
Secure your systems and improve security for everyone.
Start a discussion
* Twitter
* LinkedIn
* Facebook
* YouTube
* Vimeo
QUALYS
* Qualys.com
* Qualys Community Edition
* Qualys Merchandise Store
QUALYS COMMUNITIES
* Vulnerability Management
* Policy Compliance
* PCI Compliance
* Web App Scanning
* Web App Firewall
* Continuous Monitoring
* Security Assessment Questionnaire
* Threat Protection
* Asset Inventory
* AssetView
* CMDB Sync
* Endpoint Detection & Response
* Security Configuration Assessment
* File Integrity Monitoring
* Cloud Inventory
* Certificate Inventory
* Container Security
* Cloud Security Assessment
* Certificate Assessment
* Out-of-band Configuration Assessment
* Patch Management
* Developer API
* Cloud Agent
* Dashboards & Reporting
DISCUSSIONS
* All discussions
* Global IT Asset Management
* IT Security
* Compliance
* Cloud & Container Security
* Web App Security
* Certificate Security & SSL Labs
* Developer API
BLOG
* All posts
* Qualys Insights
* Product and Tech
* Vulnerabilities and Threat Research
* Release Notifications
TRAINING
* Overview
* Certified Courses
* Video Library
* Instructor-led Training
DOCS
* Overview
* Release Notes
SUPPORT
* Support Portal
© 2023 Qualys, Inc. All rights reserved. Privacy Policy
Loading Comments...
Write a Comment...
Email (Required) Name (Required) Website
Notice. We use cookies to optimize our website. By continuing to use our site,
you accept our privacy policy.
Yes, I accept Cookies No thanks