Old Vulnerabilities Remain a Major Threat for Russia and the CIS
Kaspersky Lab has published a report on the cybersecurity landscape for the first quarter of 2024 and the year 2023 in Russia and the CIS countries. This year, the company decided to revise its approach and present a series of targeted cyberthreat reports focused on specific regions. The first in this series analyzes the threat landscape for Russia and the CIS.
Most Targeted Countries and Sectors
According to researchers, the most frequently attacked countries in the region were Tajikistan, Belarus, and Turkmenistan. Hackers most often targeted the financial, construction, and manufacturing sectors. However, other industries also faced attacks from cybercriminals at varying frequencies.
Key Findings: Hacktivism and Old Vulnerabilities
One of the main findings of the report is the growing threat of hacktivism, which has continued to gain momentum over the past six months. Attackers are focusing on organizations with weak security, regardless of industry, using any available tools. Notably, cybercriminals tend to stick to tried-and-true methods, targeting organizations with poor cybersecurity by exploiting well-known and widespread vulnerabilities in commonly used products.
More than half of the CVEs most exploited by attackers were registered at the end of the last decade. The most common vulnerability in 2023 and the first quarter of 2024 was the critical CVE-2021-44228 (Log4Shell) in the Apache Log4j library, which allows remote code execution. The second most exploited was CVE-2019-0708 (BlueKeep) in Microsoft Windows and Microsoft Windows Server. In addition to remote code execution, this vulnerability enables information disclosure, privilege escalation, and user interface spoofing. Rounding out the top three is CVE-2020-7247 in the OpenSMTPD mail server, which also allows remote code execution and privilege escalation.
For attacks on corporate devices in Russia and the CIS, cybercriminals most often exploit vulnerabilities in the 7-Zip archiver (CVE-2023-31102, CVE-2023-40481, and CVE-2022-29072), WinRAR (CVE-2023-38831), and the Google Chrome browser (CVE-2023-1822, CVE-2023-1812, CVE-2023-1813, and others). Most of the top exploited issues (9 out of 10) allow for malicious code execution, and almost all were discovered in 2023.
Patch Management and Vulnerability Assessment Gaps
Experts note a contrast: the vulnerabilities attackers exploit during perimeter scans date from the late 2010s (counting on the fact that many companies still haven't patched them), while the vulnerabilities exploited directly on endpoint devices are more recent (mainly from 2023). This suggests that many organizations run very different vulnerability assessment and patch management processes for network devices than for endpoints. The report recommends paying more attention to devices on the organization's perimeter and accessible from outside, implementing or improving vulnerability assessment and patch management processes, and mitigating risk by addressing vulnerabilities even where updating software to the latest version isn't possible. Infrastructure hardening should also not be overlooked.
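One way to make the perimeter-versus-endpoint gap described above visible in your own data is to compare the age of exploitable CVEs per exposure class and rank remediation so that externally reachable assets come first. The script below is an added example, not code from the Kaspersky report: the asset names, the exposure classes ("perimeter" and "endpoint") and the scan findings are constructed, the CVE identifiers are the ones named on the page, and the year embedded in a CVE ID is used as an approximation of when the vulnerability was registered.

```python
"""Added example: measure patch lag per exposure class and rank findings.

Not part of the Kaspersky report. Findings are constructed sample data;
the CVE IDs are those mentioned in the article.
"""
import re
from collections import defaultdict
from statistics import median

REPORT_YEAR = 2024  # reporting period covered by the article

# Constructed scan findings: (asset, exposure, cve, impact).
# Asset names and exposure assignments are made up for illustration.
FINDINGS = [
    ("vpn-gw-01", "perimeter", "CVE-2021-44228", "rce"),    # Log4Shell
    ("rdp-jump-02", "perimeter", "CVE-2019-0708", "rce"),   # BlueKeep
    ("mail-01", "perimeter", "CVE-2020-7247", "rce"),       # OpenSMTPD
    ("ws-finance-17", "endpoint", "CVE-2023-38831", "rce"), # WinRAR
    ("ws-finance-21", "endpoint", "CVE-2023-31102", "rce"), # 7-Zip
    ("ws-hr-03", "endpoint", "CVE-2023-1822", "rce"),       # Chrome
    ("ws-hr-03", "endpoint", "CVE-2022-29072", "rce"),      # 7-Zip
]

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def cve_year(cve):
    """Return the year component of a CVE ID (the year it was reserved,
    which is only an approximation of the disclosure date)."""
    m = CVE_RE.match(cve)
    if not m:
        raise ValueError(f"not a CVE id: {cve}")
    return int(m.group(1))


def cve_age(cve, year=REPORT_YEAR):
    """Age of the CVE in whole years relative to the reporting year."""
    return year - cve_year(cve)


def age_by_exposure(findings, year=REPORT_YEAR):
    """Median CVE age for each exposure class found in the scan data."""
    ages = defaultdict(list)
    for _asset, exposure, cve, _impact in findings:
        ages[exposure].append(cve_age(cve, year))
    return {exposure: median(a) for exposure, a in ages.items()}


def patch_gap(findings, year=REPORT_YEAR):
    """How many years older the median perimeter CVE is than the median
    endpoint CVE; a large positive value is the pattern the report describes."""
    med = age_by_exposure(findings, year)
    return med.get("perimeter", 0) - med.get("endpoint", 0)


def prioritize(findings, year=REPORT_YEAR):
    """Rank findings: perimeter-exposed first, then code execution,
    then the oldest (longest-unpatched) CVE."""
    def key(f):
        _asset, exposure, cve, impact = f
        return (
            0 if exposure == "perimeter" else 1,
            0 if impact == "rce" else 1,
            -cve_age(cve, year),
        )
    return sorted(findings, key=key)


if __name__ == "__main__":
    print("median CVE age by exposure:", age_by_exposure(FINDINGS))
    print("perimeter/endpoint gap (years):", patch_gap(FINDINGS))
    for asset, exposure, cve, impact in prioritize(FINDINGS):
        print(f"{exposure:9} {asset:14} {cve:15} {impact} age={cve_age(cve)}")
```

On the constructed data the perimeter findings have a median age of four years while the endpoint findings have a median age of one year, which is exactly the split the report describes; on real scan exports the same two numbers tell you whether your perimeter and endpoint patch cycles have drifted apart.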
Ransomware Remains a Top Global Threat
Experts state that ransomware remains one of the main threats for organizations worldwide in 2024. The number of such attacks remains consistently high, the total ransom amount is growing, and affected companies face increasing difficulty decrypting data, as attackers often use proven combinations of strong encryption algorithms (AES + RSA or ChaCha/Salsa + X25519).
The top three most common ransomware programs in the first quarter of 2024 were Dcryptor, LockBit, and Conti. In the same period last year, the top three were Phobos, LockBit, and Conti.