Highlights:

  • The report also identified 97 high-risk vulnerabilities prone to exploitation, which were not listed in the Cybersecurity and Infrastructure Security Agency’s Know Exploited Vulnerabilities catalog.
  • Over a third of the high-risk vulnerabilities identified could be remotely exploited.

A recent report from cybersecurity software provider Qualys Inc. reveals that in 2023, less than 1% of vulnerabilities were responsible for the most significant risks and were consistently exploited in real-world scenarios.

Key insights from the vulnerability threat landscape, the leading vulnerability types, and other pertinent data, such as the mean time to exploitation, MITRE ATT and CK tactics and techniques, and the most active ransomware and threat actors in 2023, are detailed in the 2023 Threat Landscape Year in Review report.

Additionally, the report revealed that the Know Exploited Vulnerabilities catalog of the Cybersecurity and Infrastructure Security Agency failed to include 97 high-risk vulnerabilities that were found to be highly exploitable. A quarter of highly critical vulnerabilities were exploited immediately following their publication, with network devices and web applications being affected by one-third of these vulnerabilities.

In 2023, a record-breaking 26,447 vulnerabilities were uncovered, surpassing the 2023 count by over 1,500 and marking the highest number ever reported. Among the revealed vulnerabilities, over 7,000 had proof-of-concept exploit code, potentially leading to successful exploitation. However, the quality of the exploit code was generally lower, which could decrease the probability of a successful attack.

Around 206 vulnerabilities had weaponized exploit code accessible, signifying a high likelihood of compromising the target system if utilized. Out of these, 115 vulnerabilities were consistently exploited by threat actors, malware, and ransomware groups like Clop.

The top five types of vulnerabilities accounted for more than 70% of all vulnerabilities found, and over one-third of high-risk vulnerabilities could be exploited remotely.

In 2023, the average time to exploit a high-risk vulnerability was 44 days. The report does point out that in many cases, exploitation happened almost immediately, with some vulnerabilities being used the day they were released.

Exploiting vulnerabilities as soon as they are disclosed signals a shift in attackers’ modus operandi, underscoring their increasing efficiency and the diminishing response time available to defenders. A quarter of high-risk Common Vulnerabilities and Exposures were exploited on the same day they were published.

Prominent vulnerabilities exploited during the year encompassed those aimed at PaperCut NG, MOVEit Transfer, different Windows operating systems, Google Chrome, Atlassian Confluence, and Apache ActiveMQ. A notable portion of these vulnerabilities allowed remote exploitation, eliminating the requirement for physical access to the targeted systems.

The primary MITRE ATT and CK techniques and tactics employed in 2023 comprised the exploitation of remote services identified as 1210 and T0866. This occurred 72 times in enterprises and 24 times in industrial control systems, underscoring the criticality of securing remote service protocols. Following closely was the exploitation of public-facing applications, referred to as T1190 and T0819, observed 53 times in enterprises and 19 times in ICS. Privilege escalation exploitation designated T1068, ranked third with 20 recorded instances.

In 2023, Clop, also known as TA505 or CL0P, emerged as the most prolific threat actor. This group orchestrated prominent cyberattacks, leveraging zero-day vulnerabilities on platforms such as GoAnywhere MFT, PaperCut, MOVEit, and SysAid. Notably, Clop and LockBit stood out as the primary hacking groups in the realm of ransomware.

The report provides several security suggestions, highlighting that “it’s evident that the rapid pace of vulnerability weaponization and the diversity of threat actors pose significant challenges for organizations globally.” Recommendations encompass businesses embracing a multi-layered strategy, deploying various sensors to catalog vulnerabilities in public-facing applications and remote services. Additionally, prioritizing remediation efforts is advised, taking into account factors such as inclusion in the CISA KEV list, high exploitation probability scores, and the existence of weaponized exploit code.