Latency Analysis of DHS CISA KEVs
Published 2022-03-02 (last modified 2023-04-20)

In this blog, CSW experts analyzed CISA's Known Exploited Vulnerabilities (KEV) list for latencies in publishing, exploiting, and patching to understand how fast attackers are weaponizing them for attacks.

On November 3, 2021, CISA released a directive of Known Exploited Vulnerabilities (KEVs) and advised organizations to address them within stipulated deadlines. This was followed by regular additions to the vulnerabilities list, which stands at 787 KEVs today. Our researchers found that 647 vulnerabilities out of 787 are trending in the wild with high internet and dark web chatter, which is a clarion call for organizations to patch them immediately, well before the deadline.

Latencies in publishing vulnerabilities and releasing patches are enabling attackers to launch crippling and devastating supply chain attacks on critical entities. In recent times, the trend of exploiting zero-day vulnerabilities even before NVD disclosure has picked up momentum, as called out in our ransomware research.

In this blog, we analyze the latencies and strive to find answers to the following question:

"Are latencies in identifying, publishing, and releasing patches for vulnerabilities providing further impetus to foraging cyber attackers?"

Latencies in Vulnerabilities

Our research points to three types of latencies in vulnerabilities that can prove costly to organizations. Unfortunately, all three apply to the CISA KEVs:

1. NVD disclosure latency: the average time taken for the NVD to publish the vulnerabilities in its database.
2. Exploit latency: the average time taken for the vulnerabilities to be weaponized.
3. Patch latency: the average time taken for the vendor to release a patch.

Our research shows that attackers typically go after all vulnerabilities irrespective of their patching status.

| Exploit timing       | Overall | Critical | High | Medium | Low |
|----------------------|---------|----------|------|--------|-----|
| Exploit before patch | 86      | 44       | 36   | 6      | –   |
| Same day             | 53      | 29       | 23   | 1      | –   |
| Exploit after patch  | 175     | 80       | 82   | 13     | –   |

With the recent update, our analysis shows that around 11% of the vulnerabilities were exploited even before the vendor could release a patch, which also ties in with our research on zero-day vulnerabilities exploited before they made it to the NVD.


Around 23% of the vulnerabilities were weaponized and exploited after the patch was released, which spotlights the lack of cyber hygiene.


What jumps out of this analysis is that attackers are weaponizing vulnerabilities at speeds not seen before, which means vendors need to react within minimum response times to stay ahead of attackers.
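The three latencies defined above and the "exploit before patch / same day / exploit after patch" breakdown can be computed from four dates per KEV entry. The following is an added example, not code from the original post or from CSW; it assumes patch latency is measured from first public disclosure and exploit latency from NVD publication, and the KEV records and dates in SAMPLE are constructed placeholders, not real CVEs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class KevRecord:
    cve: str                 # placeholder IDs below are constructed, not real CVEs
    severity: str            # Critical / High / Medium / Low
    disclosed: date          # first public disclosure (assumed reference point)
    nvd_published: date      # date the NVD published the entry
    patched: Optional[date]  # vendor patch release; None = still unpatched
    exploited: date          # first observed in-the-wild exploitation

def latencies(r):
    """The blog's three latencies in days; exploit latency is relative to NVD
    publication, so a negative value means the exploit preceded the NVD entry."""
    return {"nvd_disclosure": (r.nvd_published - r.disclosed).days,
            "exploit": (r.exploited - r.nvd_published).days,
            "patch": None if r.patched is None else (r.patched - r.disclosed).days}

def exploit_bucket(r):
    """Row of the 'exploit before patch / same day / exploit after patch' table."""
    if r.patched is None or r.exploited < r.patched:
        return "Exploit before patch"
    return "Same day" if r.exploited == r.patched else "Exploit after patch"

def bucket_table(records):
    """Counts per bucket, overall and per severity, like the blog's first table."""
    table = defaultdict(lambda: defaultdict(int))
    for r in records:
        table[exploit_bucket(r)]["Overall"] += 1
        table[exploit_bucket(r)][r.severity] += 1
    return {b: dict(c) for b, c in table.items()}

def yearly_exploit_latency(records):
    """NVD publication year -> (average exploit latency in days, CVE count)."""
    sums, counts = defaultdict(int), defaultdict(int)
    for r in records:
        sums[r.nvd_published.year] += latencies(r)["exploit"]
        counts[r.nvd_published.year] += 1
    return {y: (sums[y] / counts[y], counts[y]) for y in sums}

# Constructed sample set: IDs and dates are invented for illustration only.
SAMPLE = [
    KevRecord("CVE-EXAMPLE-0001", "Critical", date(2021, 4, 19), date(2021, 4, 30), date(2021, 4, 28), date(2021, 4, 19)),
    KevRecord("CVE-EXAMPLE-0002", "High", date(2021, 12, 9), date(2021, 12, 10), date(2021, 12, 10), date(2021, 12, 10)),
    KevRecord("CVE-EXAMPLE-0003", "Medium", date(2020, 1, 1), date(2020, 1, 15), date(2020, 1, 1), date(2020, 3, 15)),
    KevRecord("CVE-EXAMPLE-0004", "Critical", date(2020, 6, 1), date(2020, 6, 3), None, date(2020, 5, 20)),
]
```

A still-unpatched entry always lands in "Exploit before patch", and a negative exploit latency flags entries that were exploited before the NVD had a record to warn about.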

CVE-2021-0920 has the largest patch latency, having been exploited for almost two and a half years before a patch was released by its vendor.

CVEs exploited before a patch

| Year | Average exploit latency (days) |
|------|--------------------------------|
| 2004 | 3                              |
| 2006 | 1191                           |
| 2007 | 1                              |
| 2009 | 195.6666667                    |
| 2010 | 23.66666667                    |
| 2011 | 8.5                            |
| 2012 | 211                            |
| 2013 | 82.55555556                    |
| 2014 | 104.7142857                    |
| 2015 | 37.33333333                    |
| 2016 | 63.58823529                    |
| 2017 | 81.44444444                    |
| 2018 | 86.85714286                    |
| 2019 | 93.2972973                     |
| 2020 | 85.84                          |
| 2021 | 73.76470588                    |
| 2022 | 2                              |

CVE-2006-2492 has the largest exploit latency, exploited 3 years 3 months after the vulnerability was patched by its vendor.

CVEs that were patched before an exploit

| Year | Average exploit latency (days) |
|------|--------------------------------|
| 2004 | 3                              |
| 2006 | 1191                           |
| 2007 | 1                              |
| 2009 | 195.6666667                    |
| 2010 | 23.66666667                    |
| 2011 | 8.5                            |
| 2012 | 211                            |
| 2013 | 82.55555556                    |
| 2014 | 104.7142857                    |
| 2015 | 37.33333333                    |
| 2016 | 63.58823529                    |
| 2017 | 81.44444444                    |
| 2018 | 86.85714286                    |
| 2019 | 93.2972973                     |
| 2020 | 85.84                          |
| 2021 | 73.76470588                    |
| 2022 | 2                              |

An exploited vulnerability is a perpetual threat to organizations, irrespective of whether a patch has been released. The sheer volume of patches that security teams need to apply calls for AI-based solutions that prioritize patching cadence based on accurate threat context.

Zero-day vulnerabilities: NVD disclosure latency and patch latency

Our Ransomware Spotlight Report published in January 2022 highlighted the trend of ransomware groups going after zero-day vulnerabilities. All four vulnerabilities identified there now feature in the CISA KEVs. Incidentally, all four vulnerabilities show both NVD disclosure latency and patch latency.

CSW first warned of these vulnerabilities in the 2021 Ransomware Index Reports released in August and October 2021.

The zero-day vulnerabilities (CVE-2021-28799, CVE-2021-44228, CVE-2021-30116, and CVE-2021-20016) started seeing exploitation by attackers before their vendors could release a patch and, in some cases, even before the vendors themselves were aware of the flaw.

QNAP: CVE-2021-28799

A vulnerability in QNAP NAS devices came to light in 2021 when attackers exploited a then-unknown vulnerability in the Hybrid Backup Sync application. The Qlocker ransomware operators soon after developed their exploit for the zero-day vulnerability, which was patched 9 days after details of the first ransomware exploit were made public and added to the NVD 11 days after. The QNAP vulnerability is a classic example of how threat actors scout for weaknesses in code, taking complete advantage of patch and NVD disclosure latencies.

[Image: a snippet from CSW's Ransomware Report 2022]

Apache Log4j: CVE-2021-44228

A series of vulnerabilities in the Apache Log4j logging library shook the security world in late December 2021, and the impact is still being felt today. CVE-2021-44228 was completely patched only 21 days after the vulnerability was publicly disclosed, which gave attackers a wide enough window to jump on the bandwagon and compromise a series of products using the Apache library. The incident also highlighted the importance of a complete fix for vulnerabilities, with many earlier patches superseded due to lapses and misconfigurations, even as attack incidents unfolded.

[Image: a snippet from CSW's Ransomware Report 2022]

Kaseya: CVE-2021-30116

The Kaseya supply chain incident in July 2021 had a massive impact, with a series of attacks cascading onto third parties. The REvil ransomware group compromised Kaseya VSA servers even as the team was working on patches for three newly identified vulnerabilities. This small gap in patch latency was sufficient for the group to wage a crippling attack.

[Image: a snippet from CSW's Ransomware Report 2022]

SonicWall SMA: CVE-2021-20016: Unidentified vulnerability

At the start of 2021, a new ransomware group, FiveHands, quietly capitalized on a then-unknown vulnerability, CVE-2021-20016. The events brought the vulnerability to the notice of its vendor, who released a patch 11 days later, by which time the CVE had been weaponized and used to stealthily infiltrate organizational networks. Our research also attributes this vulnerability to the infamous DarkSide group.

[Image: a snippet from CSW's Ransomware Report 2022]

Three of the vulnerabilities (CVE-2021-28799, CVE-2021-20016 and CVE-2021-30116) were warned about by CSW well before they were added to the CISA KEVs!

Organizations that consider only the NVD as their single source of truth are at huge risk. While the NVD plays a crucial role as a repository of vulnerabilities, a multi-layered approach is needed to give this base data an accurate threat context. Furthermore, vendors must act fast and address identified vulnerabilities immediately, while also ensuring that their end-users are notified so they can prioritize their remediation efforts.

CSW's vulnerability intelligence database offers organizations timely warnings and the most comprehensive insights into vulnerabilities and the threats associated with them.


Exploit Latency

We looked at the year-wise distribution of vulnerabilities and their average exploit times relative to when they were published in the NVD. The vulnerabilities flagged as actively exploited by CISA belong mostly to recent years. Most importantly, the time taken to exploit vulnerabilities has decreased drastically on average, even after the release of a patch, with attackers exploiting vulnerabilities within days of their being added to the NVD. This, again, is a warning to organizations to implement patches without delay.

| Year | Average exploit latency (days) | Count of CVEs |
|------|--------------------------------|---------------|
| 2002 | -70                            | 1             |
| 2004 | 3                              | 1             |
| 2006 | 1191                           | 1             |
| 2007 | -4                             | 2             |
| 2008 | -124                           | 1             |
| 2009 | 70.71428571                    | 7             |
| 2010 | -29.36363636                   | 11            |
| 2011 | 2.5                            | 4             |
| 2012 | 58.7                           | 10            |
| 2013 | 20.95                          | 20            |
| 2014 | -18.875                        | 16            |
| 2015 | -13.8                          | 20            |
| 2016 | 12.625                         | 24            |
| 2017 | 30.84848485                    | 33            |
| 2018 | 52.32258065                    | 31            |
| 2019 | 60.47169811                    | 53            |
| 2020 | 42.64285714                    | 42            |
| 2021 | 3.027777778                    | 36            |
| 2022 | 2                              | 1             |

Latency is measured from the NVD publication date, so a negative average means the vulnerabilities of that year were, on average, exploited before the NVD had published them.

    Here are some prominent instances where unpatched vulnerabilities were exploited by hackers.<\/p>\n