2020 VULNERABILITY AND THREAT TRENDS Mid-Year Update RESEARCH REPORT About This Report All information and data in this report without explicit reference is provided by the Skybox® Research Lab, a team of security analysts who daily scour data from dozens of security feeds and sources as well as investigate sites in the dark web. The Research Lab validates and enhances data through automated as well as manual analysis, with analysts adding their knowledge of attack trends, cyber events and TTPs of today’s attackers. Their ongoing investigations determine which vulnerabilities are being exploited in the wild and used in distributed crimeware such as ransomware, malware, exploit kits and other attacks exploiting client– and server–side vulnerabilities. This analysis is incorporated in Skybox® Security’s vulnerability management solution, which prioritizes the remediation of exposed and actively exploited vulnerabilities over that of other known vulnerabilities. For more information on the methodology behind the Skybox Research Lab and to keep up with the latest vulnerability and threat intelligence, visit www.vulnerabilitycenter.com. References to figures from this year refer to data sets from January 1 through June 30, 2020. CONTENTS Executive Summary 4 Key Findings 5 Results 6 Vulnerabilities and Exploits 7 20,000+ New Vulnerability Reports Likely in 2020 7 Middle-of-the-Pack Severity Could Create Major Risks 9 50% Increase in Mobile OS Vulnerabilities 10 Business Apps Join Ranks of Most Vulnerable Products 11 Microsoft Inherits Vulnerabilities as it Moves to Edge Chromium 13 Threats and Malware 14 New OT Advisories Increase 14 New Ransomware and Trojan Samples Soar 15 How COVID-19 has Emboldened Criminal Use of Ransomware 16 Insights 17 Attackers Target Critical Infrastructure 18 Multi-Vendor Vulnerabilities Maintain a Strong Presence 19 Public Sector Fears Increase Over Legacy Windows Vulnerabilities 20 Recommendations 21 Establish Risk–Based Vulnerability Management 22 Strengthen Cloud Network Security 23 Mitigating Risk of Ransomware 24 Protect Your OT Network 25 Conclusion 26 About Skybox Security 27 3 EXECUTIVE SUMMARY The COVID–19 crisis has made a significant impact on the cybersecu- rity landscape. The sector’s existing challenges — including the cyberse- curity skills shortage, under–resourced security programs and increas- ingly fragmented estates — have been exacerbated as organizations scramble to enable their remote workforce and secure expanded network perimeters. While this critical work has been taking place, cybercriminals and nation–state threat actors have been working hard to capitalize on the chaos. The 2020 Vulnerability and Threat Trends Report Mid-Year Update shows how criminals have taken advantage of the disruption caused by the pandemic. While organizations were vulnerable and distracted, hackers developed new ransomware samples and advanced existing tools to attack critical infrastructure — including vital research labs and health care organizations. The sophistication of the malware and methods used by attackers over the first half of 2020 highlight just how complex cybersecurity management has become. Add to this the 20,000 new vulnerabilities likely to be reported in 2020, and it’s clear that the burden placed on security teams is only going to increase — even if we manage to enter a post–COVID reality later this year. If organizations do not have full visibility over their entire security environment, and if they are unable to focus remediation on their most exposed vulnerabilities, then they could fall victim to attack at a time when business continuity, brand trust and fiscal stability are paramount. The report emphasizes the need for organizations to adopt risk–based strategies so that they can manage the mass of new vulnerability reports and deal with heightened threat levels. It is only through gaining full and unerring network visibility, modeling the environment and analyzing exposure that organizations will be able to gain the insight and focus that they need to emerge from the pandemic unscathed. 4 KEY FINDINGS 20,000+ New Vulnerability Reports Likely in 2020 Over 9,000 new vulnerabilities have been reported in the first six months of 2020 (a 22–percent increase on reports published over the same period in 2019), and we are on track to see more than 20,000 new vulnerabilities this year — a new record. This will be a figure that defines the complex landscape within which security professionals operate. 50% Increase in Mobile Vulnerabilities Highlights Dangers of Blurring Line Between Corporate and Personal Networks Vulnerabilities on mobile OSs increased by 50 percent, driven solely by Android flaws. This rise has come at the same time as home networks and personal devices increasingly intersect with corporate networks as a result of the move towards a mass, remote workforce. These trends should focus the need for organizations to improve access controls and gain visibility of all ingress and egress points to their network infrastructure. Ransomware and Trojans Thrive During COVID–19 Crisis The creation of new ransomware and malware samples has soared during the COVID–19 crisis, a time that has also seen a significant increase in exploits taking advantage of Remote Desktop Protocol (RDP). These tools are enabling cyberattackers to capitalize on individual concerns and take advantage of overwhelmed security teams. Attacks on Critical Infrastructure Adding to the Chaos Attacks on national infrastructures, pharmaceutical firms and health care companies have increased as criminals become emboldened by chaos spurred by the pandemic. These attacks have added to the turbulence and could hamper countries’ abilities to respond to the health crisis. 5 RESULTS 6 VULNERABILITIES & EXPLOITS 20,000+ New Vulnerability Reports Likely in 2020 The first half of 2020 saw a major increase in new vulnerability reports (9,799 in 2020 compared to 7,318 in 2019, representing a 34–percent increase). This figure also exceeds the previous high reported in the first six months of 2018 (8,485) and indicates a record–smashing tally for 2020. Extrapolating forward from previous years’ trends, it is likely that more than 20,000 vulnerabilities will be assigned in 2020. While possible that all new vulnerabilities may not be published, annotated and analyzed by the National Vulnerability Database (NVD) until years later, the likelihood of hitting the watershed 20,000 figure reaffirms the uphill battle that security teams across the world are having to fight: making sense of which vulnerabilities pose the greatest risk to their organization. 20,000 18,000 16,000 14,000 12,000 10,000 16,512 17,307 8,000 14,644 6,000 9,799 4,000 6,494 6,449 2,000 0 2015 2016 2017 2018 2019 2020 Total per published year Total per ID year >1.5 years late FIG 1 | New CVEs by year and the year those vulnerabilities were identified. 7 25,000 20,000 15,000 10,000 5,000 0 2011 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2012 2013 2014 2015 2016 2017 2018 2019 2020 FIG 2 | CVEs allocated by the MITRE Corporation per year from 2000 through 2019. Dotted line is assuming exponential growth in 2020. The ramp–up in vulnerabilities between 2016 and It’s important to remember that higher vulnerability 2017 can be seen in this context as a continuation counts don’t necessarily mean that technology is of an upward trend that began years earlier. At the becoming less secure; rather, the more likely same time, the number of vulnerabilities whose scenario is that more efforts are being put into publish date was more than a full year after its ID vulnerability research by vendors and third parties. year increased by two orders of magnitude — from However, higher vulnerability counts can further 54 to 2825 — between the first halves of 2016 and complicate an organization’s prioritization and 2017, then settled down to just over 1000 in 2018 remediation processes. To deal with the inevitable H1, and continued along that trajectory with 377 in increase of vulnerability occurrences within an 2019 H1. These facts taken together suggest that organization, security programs need to have there was substantial catching–up in processing established processes to contextualize vulnerabilities older vulnerabilities beginning in 2017, which has based on exposure, exploitability and other factors since leveled out. to keep remediation focused on critical risks. 8 Middle–of–the–Pack Severity Could Create Major Risks Although organizations are naturally inclined to prioritize the remediation of The need for an intelligent and more automated approach to remediation is evident when looking at critical– and high–severity vulnerabilities the spread of CVSS scores by category. The severity before medium–severity instances, this spread for new vulnerabilities reported in the first generic approach to prioritization could six months of 2020 looks very similar to 2019’s allow attackers to take advantage of any figures. Vulnerabilities with a high severity score exposed medium vulnerabilities. Criminals compose 42 percent of the total vulnerability count, know that medium–severity flaws can sit with medium–severity vulnerabilities following unpatched within an organization’s behind with 40 percent of the total. Critical– severity vulnerabilities make up 15 percent of all systems for a long period; depending on new reports. where these flaws exist, they could give an attacker access to a critical asset or enable lateral movement. 100% 1,495 90% 1,140 While CVSS scores are useful for 80% understanding the properties of a 70% 4,115 vulnerability in isolation, they are created 60% 3,271 without contextual understanding of an 50% 40% individual organization’s security 30% environment. This is context that needs 3,877 20% 2,846 to be ingrained in the way that security 10% programs are run; security teams need to 77 199 113 0% 3 understand which of their vulnerabilities 2019 2020 are unprotected by security controls and Unknown Low Medium High Critical exposed to threat origins — regardless FIG 3 | New vulnerabilities’ CVSS scores split by severity level of CVSS score — to lower their overall risk profile.