Much of the data put up for sale by cybercriminals in open Internet or deep web forums is old: a total of 22% was leaked more than three years ago, according to a survey by security firm Trend Micro. The information, according to the company, indicates that organizations should focus efforts on fixing vulnerabilities that may pose risks, even if they have already been identified for a long time.
“Criminals know that organizations are struggling to prioritize and patch promptly, yet our research shows patch delays are often taken advantage of,” said Mayra Rosario, senior threat researcher at Trend Micro. “The lifetime of a vulnerability or exploit does not depend on when a patch is ready to stop it. In fact, older exploits are cheaper and therefore more popular among criminals who buy from underground forums. Virtual patching remains the best way to mitigate the risks of known and unknown threats for organizations.”
The report reveals several risks of legacy exploits and vulnerabilities, including:
Currently, the oldest exploit sold in the virtual underworld is CVE-2012-0158, a Microsoft RCE (remote code execution). Another old vulnerability, CVE-2016-5195, known as the Dirty Cow, is still ongoing after five years alerts Trend Micro.
“In 2020, WannaCry was still the most detected malware family, and there were more than 700,000 vulnerable devices worldwide as of March 2021,” says the company. “47% of cybercriminals have tried to target Microsoft products in the last two years.”
The survey also shows a decline in the Zero Day and N-Day vulnerabilities market over the past two years. This is being driven, in part, by the popularity of bug bounty programs like Trend Micro’s Zero Day Initiative and the emergence of Access as a Service, a new force in the cybercrime market. The service has the advantages of an invasion, but all the hard work has already been done for the buyer, with clandestine prices starting at US$1,000.
The combination of these trends is increasing the risk for companies. With nearly 50 new CVEs released per day by 2020, we see increasing pressure on security teams to prioritize and deploy patches. Today, organizations have an average of 51 days to fix a new vulnerability. Therefore, virtual patching is essential to fill this gap in the security system.