Analysing security vulnerability trends throughout the pandemic

Throughout the pandemic, the increasing number of security vulnerabilities affecting major products and services reached alarming levels, according to our analysis of NIST’s (National Institute of Standards and Technology) National Vulnerability Database data.

This trend is indicative of threats to IT assets used by businesses across the globe, with a direct relationship to pandemic-inspired changes in IT and security. The rise of digital and advanced transformations led businesses to purchase new assets to allow remote workers to operate more smoothly. This, in turn, led to oversights on the cybersecurity front in multiple ways. They included:

• A lack of involving security teams in decision-making for new product purchases 
• A lack of security validations before a product was rolled out in production environments
• The introduction of changes that led to gaps in the ‘new’ perimeter or change of attack surface of an organisation over the internet.

As a result, at a time when most of the world was shut down and, therefore, a large majority of workers were operating from home, cyber actors aimed to exploit the vulnerabilities in the IT and security products.

Services and solutions impacted by critical and high-risk vulnerabilities identified during this timeline include VPN gateways, email, file transfer, virtualisation and other tech products from the major IT companies. Some of these products derive from some of the most established brands, such as Microsoft, Fortinet, VMWare, Atlassian, etc.  

Therefore, it’s not about common vulnerabilities being found every year but rather about the products that play a vital role in supporting corporate networks such as virtualisation, VPN or perimeter gateway devices. Critical or high-risk vulnerabilities in such products would allow threat actors straight access to internal corporate networks, leading to remote control of systems. These weaknesses highlight the critical impact and the higher likelihood of attacks due to threat actors’ opportunity, where success would provide keys to the kingdom.

To explore this further, we here at Cyphere have created a report analysing the security vulnerability trends throughout the pandemic. We did this to highlight the different types of threats exposed while also exhibiting the products granting unauthorised access due to exploiting these flaws. 

We compared this data to previous years to measure the pandemic’s effect on these figures.

It’s hoped that this report will examine the increase in cybersecurity threats and how cybercriminals can easily exploit these vulnerabilities. 

Key findings from Cyphere’s NIST CVE analysis

Methodology 

Our analysis is based on the data available from NIST (National Institute of Standards and Technology), a US Government agency that promotes innovation and industrial competitiveness. 

This analysis provides an overview of global security vulnerability trends during the COVID-19 pandemic, from March 2020 to July 2021. Therefore, providing data that shows the different types of exposures and products targeted during this period. We then compared this data to years preceding the pandemic to gauge the changes and trends. 

Bearing this in mind, each vulnerability has a CVSS score (ranking the risk of the security breach from low to critical) representing the severity of the risk created, while also exploring the risks associated.

Vulnerability figures by year 

Through analysis of data, we can visualise the rise of security concerns throughout the pandemic and compare these figures to the previous years in order to envision the total impact Covid-19 had on the vulnerability trends. Given the severity, impact and associated parameters, it can be assumed how affected products pose threat to global businesses. 

The total number of vulnerabilities by year was:

It also allows us to see if the number of cybersecurity threats increases or decreases over time.

Taking a closer look at the yearly figures, the total number of exposures has been on the rise since 2017. 

It’s alarming to see a steady rise in the number of security threats year on year, with 2022 seemingly on track to follow that trend. Until 2017, the number of security flaws had never reached over 10,000 in a single year. The total number of vulnerabilities in 2016 was 6,447 highlighting the accelerating rate of the annual increase.

With lockdowns taking place throughout 2020 and 2021, the increase in cyber attacks could be explained by the increased attack surface of businesses along with the number of people working from home and businesses operating outside their usual physical offices, raising the risk of potential cyber-attacks.

Vulnerabilities by severity

Through further analysis, we can identify the severity of vulnerabilities to assess the overall risk of these security threats.

Each exposure is scored using the CVSS (Common Vulnerability Scoring System) risk calculator. The CVSS is a score assigned to a vulnerability, used to define the overall risk of a susceptibility.

The worst risk posed by a vulnerability can be calculated by examining the low attack complexity, lack of privileges and user interaction required and finally the high confidentiality impact. Through examining each of these factors, a high CVSS score should be generated if the risk proves high or critical.

As the total number of vulnerabilities has increased year on year since 2017, it’s no surprise to see the cyber attacks and breaches rise in comparison to previous years.

The peak number of susceptibilities was hit in 2021 when there was a total of 20,157. Of these exposures, 3,183 were deemed low-risk, 12,903 were medium, and 4,071 were categorised as high risk.

This is a stark increase in comparison to previous years, in 2018 there were a total of 1,768 low severity flaws which was the last year to date to record fewer than 2,000 low-risk vulnerabilities. There were also a total of 10,462 medium risks and 4,279 deemed high risk.

It highlights an increase in all types of severities in comparison to years preceding the pandemic. Let’s now look at the data for 2020, when the first lockdowns were introduced. 

Following the trend set in 2018, the total number of security threats in 2020 grew from the previous year by a total of 1,806. 

Comparing the data to the previous year, there were 744 more low-risk vulnerabilities (2,770), and 244 more medium-risk flaws (11,202). However, there were only 56 more high-risk vulnerabilities compared to 2019’s data (4,379 in total).

2020 also saw the highest total of high-risk exposures since records began, while 2021 had the most significant number of total susceptibilities, the year also saw 308 fewer high-risk exposures when compared to 2020. There were 4,379 in 2020, compared to 4,071 last year. 

Vulnerabilities by category

Each vulnerability is allocated a CWE (Common Weakness Enumeration) category, which is a list of weakness types used to define the nature of a vulnerability.

The CWE can be used as a baseline for identifying a vulnerability. This can then be used to narrow down why a product is continuously being successfully breached.

It’s extremely useful to consider the types of CWE threats being bypassed to better understand how these attacks are taking place and, in turn, increase cybersecurity measures.

Since 2018, the most prominent single vulnerability type was CWE-79, defined as ‘Improper Neutralisation of Input During Web Page Generation’. It’s also known as ‘Cross Site Scripting’ and has been accountable for between 2,000 and 2,500 threats each year.

CWE-787, known as the ‘Out of Bounds Script’, was accountable for less than 500 exposures in 2017, compared to the 1,000 to 1,500 flaws it has been accountable for annually since 2018.

7.26% of vulnerabilities in 2018 were categorised as CWE-20 defined as ‘Improper Input Validation’. This security threat decreased in the following years, with this exposure making up 5.02% of susceptibilities in 2019 and 3.92% in 2020.

There were also a large number of undefined vulnerabilities. Over 3,000 in 2020 alone were defined as NVD-CWE-noinfo; therefore, we are unable to pinpoint the exact reason behind the threat. Logging of CVE’s falls under MITRE’s responsibility, not something within the NIST’s remit.

The number of undefined exposures was also on the rise between 2019 and 2020. This has risen from 13.49% in 2019 to 19.35% in 2020. This figure did however return to nearly the same level as 2019 in 2021, with 13.48% of vulnerabilities in this year being undefined.

It can raise problems when certain vulnerabilities cannot be categorised as it can skew data and reduce the chances of known problems being addressed and fixed to avoid similar exposures in the future.

Analysing data from throughout the pandemic

To gain a better understanding of the effect of Covid-19 on the state of cybersecurity, we are also able to analyse month-by-month data. It accurately displays when cyberattacks were most frequent during Covid-19 and the severity of these threats.

Throughout the pandemic, there were a large number of vulnerabilities, between March 2020 and July 2021 there were a total of 27,887 exposures. Of these vulnerabilities, 2.20% were low risk, 38.95% were medium, 39.96% were deemed high risk and 13.14% of these threats were categorised as critical risks.

The total number of risks by category throughout the lockdown period were:

The statistics show that the month with the highest number of security flaws came in April 2020. There were a total of 2,209 CVE entries across this month, the highest amount in a single month throughout Covid-19.

This month saw the highest number of low (60), medium (886) and high-risk flaws (939). The month was also the second highest for critical risks, second to the month previous when the pandemic began (302 compared to 328 in March 2020).

With lockdown measures coming into full force in late March, it’s clear to see the trend of increased cyber attacks coinciding with lockdown, as many transitioned to remote working, it left businesses and people more vulnerable to security bypasses.

The number of flaws across all risk levels increased between November and December 2020, when the second national lockdown measures were introduced. 35.4% of the 1,584 attacks across December were high-risk and 18.6% were critical.  

Below we can see the full data from 2020, beginning when the first lockdown was introduced in March.

The month with the lowest number of weaknesses across the pandemic was May 2020, when there was a total of 1,058. There were 433 high-risk vulnerabilities, which was also the lowest amount recorded in a single month. 

In 2021, the months that saw the highest number of flaws were June (1,965) and April (1,927). Below we can see the full data for the number of weaknesses throughout the lockdown periods in 2021.

Products being targeted by cyber actors

There are several methods cyber actors can use to infiltrate an individual or business’s cyber network, using a range of techniques to bypass security measures. Through deeper analysis of the products and types of servers being targeted, we are able to more accurately display the products most often bypassed by malicious cyber actors.

It’s also interesting to note any trends that emerged during the pandemic, to see if any specific products were targeted more frequently by cyber actors that coincide with lockdown and people working remotely.

Sourcing data from the Cybersecurity & Infrastructure Security Agency (CISA), the most frequently exploited products throughout 2021 include Microsoft Exchange Servers, which are taken advantage of in a number of ways, such as remote code execution, security feature bypass and elevation of privilege. 

Other Microsoft services, such as Microsoft Windows Print Spooler and Microsoft MSHTML, have also been exploited with the ProxyLogon vulnerability being taken advantage of by remote code execution. 

Vendors such as SonicWall saw exploits such as CVE-2021-20038 defined as ‘a stack-based buffer overflow vulnerability.’ This exploit affected products such as its SMA 100 series. 

PulseSecure was also the target of security bypasses, the vendor was exploited by ‘an unauthenticated remote attacker who can send a specifically crafted URI to perform an arbitrary reading vulnerability’. The following major products were affected:

• Accellion FTA
• Atlassian Confluence
• Apache Log4j 
• Citrix products 
• Fortinet products 
• Microsoft Exchange
• Microsoft Netlogon Protocol (ZeroLogon)
• PulseSecure Connect Secure
• SonicWall products 
• VMware vSphere Client
• VMware vCenter
• Zoho ManageEngineAD Selfservice Plus

In the future, companies can aim to improve their cybersecurity through the adoption of the CIA Triad model. This concept draws on three key components when integrating new products as a business.

• Confidentiality – Guaranteeing data is protected through the use of passcodes or two-factor authentication
• Integrity – Ensuring data is maintained to guarantee continued protection and build trust between product and user
• Availability – Keeping servers maintained and online to allow users to utilise the product when needed.

Final thoughts

Overall, it was no surprise to see a rise in cyber attacks throughout the pandemic. As many were forced to work from home and many businesses began to operate outside the office, it left more people vulnerable to them.

It was interesting to see the specific products being targeted and alarming to see multiple Microsoft products being the subject of intense exposures by cyber actors. 

Analysis of data from the months throughout the pandemic is useful for spotting any trends in cyber attacks. With the first lockdown introduced in late March 2020, it was intriguing to see an immediate rise in cyber attacks throughout April. There was a rise of 422 additional vulnerabilities within a month of the lockdown being introduced and the mass migration from offices to home working occurred.

Based upon Cyphere’s analysis of vulnerabilities during the pandemic, the vulnerability management approach followed by organisations must be proactive in nature. It includes tactical patch management, regular gap analysis and remediation, and incident procedures. 

The following is our list of recommendations for organisations considering comprehensive vulnerability management. 

• Commission penetration testing assessment to identify hidden issues such as misconfigurations, exploitable threats related to known vulnerabilities, assess the attack surface and cyber hygiene in detail.
• Regular vulnerability assessments for internal and external infrastructure at least every quarter. If external expertise and resources are required, utilise managed cyber security services.
• Monitoring of endpoints, networks and entire estate along with relevant logging controls.
• Test incident response procedures to ensure your organisation is ready to respond in the fastest time possible by limiting an attack and reducing its impact.

Sources

• https://nvd.nist.gov/
• https://www.cisa.gov/uscert/ncas/alerts/aa22-117a