You've still not patched it? Hackers are using these old software flaws to deliver ransomware

Significant vulnerabilities like Log4j have been the focus of cybersecurity staff - but that focus could be allowing attackers to slip by using older security bugs.
Written by Danny Palmer, Senior Writer

Log4j has dominated recent discussions around cybersecurity vulnerabilities, but the emergence of the Java logging library security flaw has allowed several other major exploits being abused by cyber criminals to fly under the radar, potentially putting many organisations at risk from ransomware and other cyberattacks. 

The focus on Log4j, described at the time as one of the most serious cybersecurity vulnerabilities to ever emerge, was understandably the key issue for enterprise cybersecurity teams in the final weeks of 2021. 

But cybersecurity researchers at Digital Shadows have detailed several other vulnerabilities that appeared last year – or that are even older and continue to be left unpatched and exploited – which may have been missed and continue to provide opportunities for cyber criminals. 

SEE: A winning strategy for cybersecurity (ZDNet special report) 

Failure to patch these vulnerabilities could have potentially dangerous consequences for businesses as malicious hackers exploit them to launch ransomware attacks, malware campaigns and other cyber-criminal activity. 

In total, researchers identified 260 vulnerabilities being actively exploited for attacks in the final quarter of 2021 – and a third of them, a total of 87 vulnerabilities, being used in association with ransomware campaigns. 

One set of vulnerabilities that is particularly popular with ransomware groups is ProxyShell bugs, (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) which were initially discovered in July 2021 and that allow attackers to chain Microsoft Exchange vulnerabilities to remotely execute code on unpatched servers.  

These vulnerabilities are still being exploited by several ransomware groups, including Conti, one of the most active ransomware operations of the past year. That process means that any organisation that hasn't patched ProxyShell over six months on from disclosure is at risk of falling victim to ransomware and other malware attacks. 

Another vulnerability that continues to be exploited affects QNAP Network Attached Storage (NAS) devices. The authorisation vulnerability that affects QNAP NAS running HBS 3 (CVE-2021-28799) was identified in April 2021 and was quickly exploited to deliver QLocker ransomware.  

Ransomware groups continue to target vulnerable QNAP devices almost a year on, with new forms of ransomware, including DeadBolt ransomware, taking advantage of vulnerable systems. 

But it isn't just relatively recent vulnerabilities that are exploited – researchers note that a vulnerability in Microsoft Office, which allows attackers to hijack Microsoft Word or Microsoft Excel to execute malicious code (CVE-2012-0158), is still being used to deliver ransomware attacks – and that's a decade on from disclosure.  

It's possible that organisations aren't even aware that some of these vulnerabilities exist and that unawareness could make them a prime target for cyber criminals who are happy to exploit whatever they can to launch attacks. 

"Cyber criminals are inherently opportunistic. There need not be an exotic zero-day, or similar vulnerability that 'takes up all the oxygen' in the room," Joshua Aagard, research analyst at Digital Shadows told ZDNet: attackers are often more pragmatic, grabbing hold of what works, regardless of visibility.

Patch management can be a challenging task, especially for large organisations with vast IT networks, but a coherent and timely patching strategy is one of the most effective ways to help prevent known vulnerabilities being used to launch cyberattacks. 

"Taking a risk-based approach is the most effective method of targeting vulnerabilities, which will ultimately have the most significant impact on reducing your overall cyber risk," said Aagard.


Editorial standards