
The Increasing Speed of Vulnerability Exploitation

Evidence is building that the window between a vulnerability's disclosure and its exploitation keeps shrinking in 2024, which has become a significant concern for organizations and security professionals. Recent events surrounding the ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709) illustrate the urgency and complexity of this challenge.

The Case of ScreenConnect

On February 19, 2024, ConnectWise notified its customers of two vulnerabilities affecting on-premises installations of its remote access tool ScreenConnect, versions 23.9.7 and earlier: an authentication bypass (CVE-2024-1709), which carries the maximum CVSS score of 10, and a path traversal (CVE-2024-1708). The authentication bypass lets an unauthenticated attacker create a new account with system administrator privileges, from which it is a short step to ransomware deployment or the installation of additional remote access tools.

In an alarming development, Kroll's incident response team observed that most of its ScreenConnect cases had an initial access date of February 21, meaning threat actors were exploiting the vulnerabilities within 48 hours of the original advisory. This rapid exploitation underscores the efficiency and preparedness of attackers. The threat actors involved ranged widely, showing both the broad appeal of such exploits and the low barrier to using them.

ConnectWise has since released a patch in version 23.9.8 and urged all on-premises users to upgrade immediately. Cloud-hosted instances were patched automatically, and license restrictions were lifted so that every customer, including those with lapsed maintenance, could apply the patch.
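The practical first step after an advisory like this is to find every exposed instance and decide, by version, which ones need patching today. The script below is an added example, not ConnectWise's or Hadrian's code: it triages a constructed inventory of ScreenConnect hosts against the fixed version the page names (23.9.8), treating cloud-hosted instances as vendor-patched, and compares versions numerically, since a plain string comparison wrongly puts 23.9.10 below 23.9.8. Host names, build numbers and the inventory format are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Fixed version per the ConnectWise advisory as summarised above: 23.9.8 and later are patched.
FIXED_VERSION = "23.9.8"


def parse_version(text: str) -> Optional[tuple[int, ...]]:
    """Parse a dotted numeric version such as '23.9.7.8817' into a tuple of ints.

    Returns None for anything that is not purely numeric dotted components
    (empty strings, 'n/a', 'unknown'), so callers can route it for manual review.
    """
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def version_less_than(a: tuple[int, ...], b: tuple[int, ...]) -> bool:
    """Numeric, length-padded comparison: 23.9.10 > 23.9.8, and 23.9.8.1 >= 23.9.8.

    Note that as strings "23.9.10" < "23.9.8" is True, which would flag a patched
    host as vulnerable; padding with zeros also makes "23.9.8" equal to "23.9.8.0".
    """
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_vulnerable(version: str) -> Optional[bool]:
    """True for 23.9.7 and earlier, False for 23.9.8 and later, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return version_less_than(parsed, parse_version(FIXED_VERSION))


@dataclass
class Host:
    name: str
    deployment: str  # "on-premises" or "cloud" (assumed inventory field)
    version: str


def triage(inventory: list[Host]) -> dict[str, list[str]]:
    """Bucket hosts into action lists.

    Cloud-hosted instances were patched by the vendor, so they are reported
    separately rather than as action items; unparseable versions go to 'review'
    instead of silently passing as patched.
    """
    result: dict[str, list[str]] = {
        "patch_now": [], "patched": [], "vendor_managed": [], "review": []
    }
    for host in inventory:
        if host.deployment == "cloud":
            result["vendor_managed"].append(host.name)
            continue
        state = is_vulnerable(host.version)
        if state is None:
            result["review"].append(host.name)
        elif state:
            result["patch_now"].append(host.name)
        else:
            result["patched"].append(host.name)
    return result


# Constructed sample inventory: host names and build numbers are made up.
SAMPLE_INVENTORY = [
    Host("sc-hq-01", "on-premises", "23.9.7.8817"),   # pre-fix release with build number
    Host("sc-branch-02", "on-premises", "23.9.8"),    # exactly the fixed version
    Host("sc-lab-03", "on-premises", "23.9.10"),      # later than fix; string compare gets this wrong
    Host("sc-old-04", "on-premises", "22.6.1"),       # long unpatched
    Host("sc-cloud-05", "cloud", "23.9.8"),           # vendor-patched
    Host("sc-unknown-06", "on-premises", "n/a"),      # version not recorded
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

In a real run, the inventory would come from an asset database or from fingerprinting the login page of each exposed instance; the point of the example is the ordering logic and the refusal to treat an unknown version as safe.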

The Broader Trend of Exploitation Speed

Publicly available data from two well-known security vendors, Qualys and Mandiant, indicates that time-to-exploit has been decreasing steadily for some time. Rapid exploitation leaves organizations with an ever-shrinking window in which to defend themselves, underscoring the need for swift and proactive security measures.

The Qualys Threat Research Unit (TRU) has observed a concerning trend in the exploitation of high-risk vulnerabilities. Their 2023 analysis reveals that the mean time to exploit vulnerabilities stands at approximately 44 days. However, this average conceals the true urgency of the situation, with many vulnerabilities being exploited almost immediately after publication. In fact, Qualys found that 25 percent of vulnerabilities were exploited on the day they were published, highlighting a significant shift in the tactics of attackers.

Mandiant's research further corroborates this trend, noting that the average Time-to-Exploit (TTE) has shrunk to 32 days in 2021-2022, down from 44 days in 2020 and 63 days in 2018-2019. This decreasing window of opportunity for defenders poses a formidable challenge. Mandiant also observed that 51% of vulnerabilities first disclosed in 2021 and 2022 eventually had publicly available exploit code, which often accelerates the exploitation process.

The Dual Nature of Public Exploit Code

Public exploit code serves as a double-edged sword. While it aids defenders in understanding and mitigating vulnerabilities, it also provides a roadmap for less experienced attackers to exploit these vulnerabilities. This dual nature makes it crucial for organizations to act swiftly and decisively upon the disclosure of vulnerabilities.

The range of vulnerabilities exploited by attackers is extensive, spanning systems and applications such as PaperCut NG, MOVEit Transfer, various Windows operating systems, Google Chrome, Atlassian Confluence, and Apache ActiveMQ. This diversity shows that no application is beyond the reach of determined attackers. Notably, 32.5% of the 206 high-risk vulnerabilities Qualys sampled in 2023 were found in networking infrastructure or web applications, internet-facing components that are traditionally challenging to secure with conventional methods.

Acting fast is key

The increasing speed of vulnerability exploitation demands a proactive and vigilant approach from organizations and security professionals. The ScreenConnect incident serves as a stark reminder of how quickly attackers can capitalize on vulnerabilities. As the window for response continues to shrink, it is imperative for organizations to stay ahead of emerging threats through timely patching, continuous monitoring, and leveraging the expertise of seasoned security researchers.

The ability to respond quickly to vulnerabilities is not just a best practice but a necessity for maintaining a robust security posture. Hadrian’s platform is maintained by ethical hackers, constantly updating it with the latest exploits and zero-day intelligence, in order to detect vulnerabilities in record time. 
