In 2021 the PT SWARM team (Positive Technologies' experts who investigate the security of all kinds of systems and devices) helped fix over fifty critical vulnerabilities in products of the world's largest manufacturers. These products are used worldwide, including in industries that are critical for different states.
Some vulnerabilities identified and closed include CVE-2021-21972 in VMware vCenter Server, CVE-2021-20026 in SonicWall NSM, CVE-2021-1497 in Cisco HyperFlex HX, CVE-2021-1445 in Cisco ASA, and CVE-2021-34414 in Zoom.
Nearly 40% of all vulnerabilities identified and closed with PT SWARM's help in 2021 were rated high or critical severity (a CVSS score greater than 7.0).
During the year the PT SWARM team paid separate attention to the security of information protection tools themselves: 12.5% of all the vulnerabilities were found in software designed to protect against hacker attacks.
Ultimately, the work of the PT SWARM team reduced the likelihood of a successful attack for over 2.5 million companies around the world.
While vendors ponder whether to close vulnerabilities, attackers exploit them
The trend toward a hybrid mode of operation in large companies and the increased demand for remote connectivity systems have highlighted the role that exploitation of unpatched vulnerabilities in such systems plays for attackers. Here, two things come into play.
The first has to do with the time it takes to fix a vulnerability: the experience of Positive Technologies shows that vendors can take up to a year to close a vulnerability (for example, of all the vulnerabilities identified and reported to vendors in 2021, fewer than half, 47%, were fixed).
Meanwhile, exploiting such a vulnerability allows an attacker to penetrate an organization's perimeter in a matter of minutes.
The second point concerns how seldom vendors announce public, paid programs for finding vulnerabilities in their products: on the large bug bounty platforms, such programs number in the single digits (if we are not talking about bug bounties for web applications).
Vendors often ignore the efforts of independent researchers to find vulnerabilities, while on the black market vulnerabilities are actively bought and sold.
Changing the relationship between independent researchers and vendors could change the balance of supply and demand for vulnerabilities on the black market.
Predictions for 2022: A New Reality
Today, researchers are shaping new scenarios for notifying vendors and their customers of problems.
In particular, when vulnerabilities are not registered with MITRE, researchers report the vulnerabilities they find to international CERTs so that information about the problem reaches the end users, the companies at risk.
Some put their expertise directly into defenses. PT SWARM, in particular, cooperates with the development teams of Positive Technologies and feeds data about newly discovered vulnerabilities into the company's products.
In 2021, the average time to deliver such expertise to customers using the company's products was several hours (sometimes as little as an hour) from the moment the vulnerability information became public.
The trend toward such self-organized, ethical sharing of vulnerability data is likely to gain momentum over the next year or two.
In 2022, attackers will continue to hunt for zero-day vulnerabilities, picking up new exploits and information about discovered security flaws.
This creates a kind of "race": who will discover the vulnerability first, the researcher or the criminal; what will be published first, the exploit or the patch; and what will companies choose, to install the patch as quickly as possible, or to get hacked and pay the ransom.
Therefore, to win this race, software developers need to test their products for security, including through bug bounty programs.
After all, as long as the darkweb pays for vulnerabilities more, and more willingly, than the developers themselves, it is the darkweb that will receive the information about new vulnerabilities.
If you care about your business, schedule a free consultation to learn about the full range of cybersecurity services that can protect your company.