Last updated at Mon, 28 Mar 2022 12:30:00 GMT
Every year, our research team at Rapid7 analyzes thousands of vulnerabilities to understand root causes, dispel misconceptions, and explain why some flaws are more likely to be exploited than others. By continuously reviewing the vulnerability landscape and sharing our research team’s insights, we hope to help organizations around the world better secure their environments and shore up vulnerabilities to keep bad actors at bay.
Today, we are proud to share Rapid7’s 2021 Vulnerability Intelligence Report, which provides a landscape view of critical vulnerabilities and threats and offers expert analysis of attack vectors and exploitation trends from a truly harrowing year for risk management teams. The report details 50 notable vulnerabilities from 2021, 43 of which were exploited in the wild. We also highlight a number of non-CVE-based attacks, including several significant supply chain security incidents.
In this post, we’ll take a big-picture look at the threat landscape in 2021 and reinforce key ways for organizations to protect themselves against high-priority vulnerabilities. For more insights and in-depth technical analysis, download the full report now.
2021 attack trends
As many security and IT teams experienced firsthand, 2021 saw notable increases in attack volume, urgency, and complexity. Many of 2021’s critical vulnerabilities were exploited quickly and at scale, dwarfing attacks from previous years and giving businesses little time to shore up defenses in the face of rapidly rising risk. Key findings across the 50 vulnerabilities in this year’s report include:
- A 136% increase in widespread threats over 2020, due in part to attacker economies of scale, like ransomware and coin mining campaigns
- A significant rise in zero-day attacks
- Lower time to known exploitation (TTKE) — a decrease of 71% year over year
When a vulnerability is exploited by many attackers across many different organizations and industries, Rapid7 researchers classify that vulnerability as a widespread threat. In one of the year’s more jarring trends, 52% of 2021’s widespread threats began with a zero-day exploit. These vulnerabilities were discovered and weaponized by adversaries before vendors were able to patch them. A much higher proportion of zero-day attacks are now threatening many organizations from the outset, instead of being used in more targeted operations. 85% of the zero-day exploits in our 2021 data set, like the Microsoft Exchange ProxyLogon vulnerabilities and Log4Shell CVE-2021-44228, were widespread threats from the start.
Additional themes from 2021 included an increase in driver-based attacks and injection exploits, as well as ongoing threats to software supply chain integrity. In the full report, our team also enumerates high-level vulnerability root causes and attacker utilities to help readers understand which vulnerabilities may offer easy exploitability or deep access for attackers.
Examining today’s threat landscape
In summary, the threat landscape in 2021 was frenetic for many businesses. Not only was the world still grappling with the COVID-19 pandemic, which continued to put pressure on staffing and budgets, but security teams faced a rise in attack complexity and severity. Widespread attacks leveraging vulnerabilities in commonly deployed software were endemic, ransomware prevalence increased sharply, and zero-day exploitation reached an all-time high.
While this may sound grim, there is some good news. For one thing, the security industry is better able to detect and analyze zero-day attacks. This, in turn, has helped improve commercial security solutions and open-source rule sets. And while we would never call the rise of ransomware a positive thing for the world, the universality of the threat has spurred more public-private cooperation and driven new recommendations for preventing and recovering from ransomware attacks.
These are just a few examples of how the threat landscape has evolved — and how the challenges vulnerability risk management teams face are evolving along with it. We recommend prioritizing remediation for the CVEs in this year’s data set.
How to manage risk from critical vulnerabilities
At Rapid7, we believe that research-driven context on vulnerabilities and emergent threats is critical to building forward-looking security programs. In line with that, organizations of all sizes can implement the following battle-tested tactics to minimize easy opportunities for attackers.
- Asset inventory is the foundation of any security program. Responding quickly and decisively to high-urgency threats requires knowing which technologies you use across your stack, how they are configured, and who has access to them.
- Limit and monitor your internet-facing attack surface area. Pay particular attention to security gateway products, such as VPNs and firewalls.
- Establish emergency zero-day patching procedures and incident response playbooks that go hand-in-hand with regular patching cycles.
- Conduct incident response investigations that look for indicators of compromise (IOCs) and post-exploitation activity during widespread threat events in addition to activating emergency patching protocols.
- Employ in-depth security measures to protect your development pipelines from supply chain attacks. These pipelines are often targets — as are developers.
These are only some of the fundamental ways you can layer security to better protect your organization in the face of widespread and emergent threats. Many of the CVEs in our report can be used in concert with other vulnerabilities to achieve greater impact, so make sure to prioritize remediation of the vulnerabilities we’ve identified and implement control and detection mechanisms across the whole of your environment. We strongly recommend prioritizing remediation for the CVEs in this year’s data set.
Read the 2021 Vulnerability Intelligence Report to see our full list of high-priority CVEs and learn more about attack trends from 2021.
- CVE-2021-4191: GitLab GraphQL API User Enumeration (FIXED)
- Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal
- Dropping Files on a Domain Controller Using CVE-2021-43893
- The Big Target on Cyber Insurers' Backs