What is the "Year of Mass Exploits?'
Experts at GreyNoise Intelligence have added more than 230 tags since January 1, 2022. It includes detections for more than 160 CVEs. In its annual report titled GreyNoise Intelligence 2022 "Year of Mass Exploits," the experts have identified 2022's most "pernicious and pwnable" vulnerabilities, in other words, the most significant threats.
Bob Rudis, VP of Research & Data Science, GreyNoise Intelligence said “when it comes to cybersecurity, not all vulnerabilities are created equal, and many of the ones that garner media attention actually turn out to be insignificant.”
Log4j remote code execution
Activities around the Log4j remote code execution flaw surfaced at the end of 2021, kept the operations running, and has been active in regular web-based malicious activities, along with a group of other "celebrity vulnerabilities."
In the earlier phase of exploitation, every single noise sensor (more than six hundred sensors handle from more than 5000 internship IPs) fielded Log4j exploit traffic, taking around one million attempts in just the first week. Threat actors keep looking for newly exposed, vulnerable nodes, and also for nodes that may have by mistake had fixes or patches removed.
OGNL injection weakness
The Atlassian Confluence Object Graph Notation Library (OGNL) injection vulnerability was unique as it gave anyone unauthorized access to any query. Confluence is the knowledgeable repository of endless organizations. Because the API endpoint handles input in a certain way, cunning threat actors used different techniques to obscure exploit payloads.
At the peak of hacking attempts, the GreyNoise sensor network found around 1,000 unique IPs looking for exposed vulnerable codes. GreyNoise saw an average of almost 20 unique addresses in hopes of unpatched Confluence incidents.
For the Year of Mass Exploits 2022, experts have provided insights into the following areas:
- The impact of CISA's known exploited vulnerability catalog releases on security firms
- The celebrity vulnerability hype cycle, with a breakdown of the CVE-2022-1388, an F5 Big-IP iControl REST authentication bypass
- The amount of effort threat actors will put to never let a critical flaw go to waste by looking at the depth and width of CVE-2022-26134, a significant flaw in Atlassian Confluence.
Besides the in-depth information about the most dangerous threat detection events of 2022, the report gives predictions for 2023 from Bob Rudis, GreyNoise VP of Data Science.
Bob Rudis says “we see Log4j attack payloads every day. It’s part of the new ‘background noise’ of the internet, and the exploit code has been baked into numerous kits used by adversaries of every level. It’s very low risk for attackers to look for newly-exposed or re-exposed hosts, with the weakness unpatched or unmitigated. This means organizations must continue to be deliberate and diligent when placing services on the internet."
Rudis adds, “CISA’s database of software affected by the Log4j weakness stopped receiving regular updates earlier this year. The last update showed either ‘Unknown’ or ‘Affected’ status for ~35% (~1,550) of products cataloged. Attackers know that existing products have embedded Log4j weaknesses, and have already used the exploit in ransomware campaigns. If you have not yet dealt with your internal Log4j patching, early 2023 would be a good time to do so."
Rudis concludes, “organizations have to strive for perfection, while attackers need only persistence and luck to find that one device or service that is still exposing a weakness. We will see more organizations impacted by this, and it is vital you do what you can to ensure yours isn’t one of them."