Hackers Start Scanning for Vulnerabilities Within 15 Minutes of Disclosure

Experts from Palo Alto Networks have warned that hackers start looking for vulnerable endpoints as soon as 15 minutes after information about a CVE is made public. Hackers are constantly monitoring announcements from software vendors and manufacturers for news about new vulnerabilities that could be used for initial access to corporate networks or for remote code execution.

Unfortunately, the speed at which attackers begin scanning the internet for newly disclosed issues puts system administrators in a difficult position, as it is nearly impossible to apply patches within the 15 minutes following a bug’s disclosure.

Researchers explain that scanning does not require much effort, and even low-skilled attackers are capable of scanning the internet for vulnerable endpoints and selling the results on the dark web. More experienced hackers then decide how to exploit these findings.

The report also notes that within just a few hours of the first announcement about a bug, the first attempts to exploit the vulnerability in unpatched systems can already be observed.

Case Study: CVE-2022-1388

As an example, experts cite CVE-2022-1388, a critical remote command execution vulnerability affecting F5 BIG-IP products. This vulnerability was disclosed on May 4, 2022, and just 10 hours after the CVE was published, analysts recorded 2,552 scanning and exploitation attempts targeting this issue.

Most Exploited Vulnerabilities

According to Palo Alto Networks, the majority of exploitation attempts still target older bugs rather than the newest ones. In the first half of 2022, the most exploited vulnerabilities were those in the ProxyShell exploit chain, which accounted for 55% of all recorded exploitation attempts. ProxyShell includes three vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

In second place was the Log4Shell vulnerability, responsible for 14% of exploitation attempts. The list continues with various CVEs in SonicWall products (7%), ProxyLogon (5%), and an RCE vulnerability in Zoho ManageEngine ADSelfService Plus, which was used in 3% of cases.
