
Research Report

Vulnerability and threat trends report 2022


Record-breaking vulnerabilities, rising OT security risks, and increasing
exploits demand a new approach to vulnerability management
Contents
Introduction (p. 1)
Key findings (p. 3)
Record-breaking growth in new vulnerabilities (p. 4)
Attackers and exploits are evolving rapidly (p. 6)
OT vulnerabilities surge (p. 8)
De-risk IT-OT convergence (p. 11)
Network device vulnerabilities climb steadily (p. 13)
Multistage attacks on the rise (p. 14)
Malware proliferates, especially cryptomining and ransomware (p. 15)
Log4Shell spotlights supply chain risks (p. 18)
Exploitation of new vulnerabilities accelerates (p. 19)
Advanced risk scoring is essential for today’s attack surface management (p. 20)
Shifting the paradigm: from detect-and-respond to prioritize-and-prevent (p. 22)
Methodology (p. 23)
Introduction
Gidi Cohen, CEO and founder, Skybox Security

If the events of 2021 tell us anything about the state of cybersecurity, it’s that you can’t fight today’s battles with yesterday’s tools. The rapid evolution of the threat landscape has made past approaches to vulnerability management outmoded, if not downright archaic.

A phase shift was already well underway when the COVID-19 pandemic kicked it into high gear. It has led to a dramatic expansion of the attack surface, fueled by the headlong migration to the cloud and the explosion of IT and OT (operational technology) assets. Public cloud usage is expected to grow threefold in the next five years. And IDG predicts that there will be over 55 billion connected devices worldwide by 2025, with 75% connected to an IoT platform.[1] Spurred by the pandemic, the pivot to remote work and the hurried rollout of new online services have accelerated these shifts.

At the same time, threats multiplied, and attacks occurred at a cadence and scale never seen before. The security industry was just absorbing the news of the SolarWinds hack when 2021 began; the year closed with the even more alarming discovery of the Log4Shell vulnerability, potentially impacting hundreds of millions of devices. Between these two bombshells came a procession of increasingly damaging breaches, ranging from ransomware attacks to industrial espionage and sabotage. No sector was safe. Even the critical infrastructure we depend on for energy, water, and food was attacked. The average cost of data breaches hit $4.24 million, up nearly 10% from 2020.[2]

On top of all this, cybersecurity organizations continue to suffer from significant staffing gaps. In recent surveys, security leaders confided that skills shortages are making it more difficult to meet security needs and respond effectively to incidents.[3][4] The “great resignation” has worsened the talent shortage and led to a loss of institutional knowledge.

[Callout: Average cost of a data breach in 2021 was $4.24M.[2]]

[1] Digital Devices Took Over Our Lives In 2020: Here’s How To Stay Secure, Forbes, April 15, 2021
[2] 2021 Cost of a Data Breach Report, IBM, July 28, 2021
[3] A Resilient Cybersecurity Profession Charts the Path Forward, (ISC)2, 2021
[4] Global Cybersecurity Outlook 2022, World Economic Forum, January 18, 2022
Our own data, analyzed by Skybox Research Lab and detailed in this report, paints a vivid picture of the new reality confronting CISOs and their teams. The findings reveal not only how vulnerabilities — especially in OT — are proliferating at an unprecedented rate, but how threat actors have gotten better and faster at capitalizing on them with a range of new malware and exploits.

As a result, cybersecurity teams are defending a larger, more porous perimeter against a growing array of threats while struggling with greater complexity and tighter resource constraints. Yet many organizations continue to rely on vulnerability management methods that are slow, labor-intensive, piecemeal, and mostly reactive. It’s stunning to consider that, even as zero-day attacks nearly doubled in 2021,[5] the average time companies need to detect and respond to cyberattacks stretched to 280 days.[6]

That’s unsustainable. As the insights shared in this report make clear, a reset is long overdue. Cybersecurity organizations must move beyond the status quo to a new generation of tools and techniques that flip the script from firefighting to prevention, from manual labor to automated efficiency, and from scattershot, short-term fixes to systematic, comprehensive, and continuous risk reduction.

[Callout: Zero-day attacks nearly doubled in 2021.[5]]
[Callout: 280 days was the average time companies needed to detect and respond to cyberattacks in 2021.[6]]

[5] 2021 has broken the record for zero-day hacking attacks, MIT Technology Review, September 23, 2021
[6] 2021 Cost of a Data Breach Report, IBM, July 28, 2021
Key findings
New vulnerabilities hit an all-time high
There were 20,175 new vulnerabilities published in 2021, up from 18,341 in
2020. That’s the most vulnerabilities ever reported in a single year, and it’s
the biggest year-over-year increase since 2018. The new vulnerabilities add
to a huge cumulative total, making it harder than ever for security teams to
prioritize and remediate issues.

OT vulnerabilities nearly double


Vulnerabilities in operational technology jumped 88%, from 690 in 2020
to 1,295 in 2021. At the same time, OT assets are increasingly connected
to networks, exposing critical infrastructure and other vital systems to
potentially devastating breaches. Attacks on OT systems have risen
precipitously, disrupting operations and even jeopardizing health and safety.

Cryptojacking and ransomware lead new malware production


The malware industry continues to churn out a wide array of malicious
software, particularly cryptojacking and ransomware programs, which
increased by 75% and 42%, respectively. These programs make it easier for
threat actors to mount attacks and turn a quick profit. They demonstrate
how nimbly malware developers respond to new market opportunities and
economic incentives.

Threat actors are exploiting weaknesses faster


The number of new vulnerabilities exploited in the wild rose by 24%. That’s a
sign of just how quickly cybercriminals are now moving to capitalize on new
weaknesses, shrinking the window that security teams have to detect and
address vulnerabilities before an attack.

Record-breaking growth in new vulnerabilities
New vulnerabilities hit an all-time high in 2021, surpassing 20,000 for the first time. In all, there were 20,175 CVEs (common vulnerabilities and exposures) published in 2021, 10% higher than in 2020. That’s the biggest jump since 2018. The growth increased in the second half of the year, with 10,723 CVEs published, the most we’ve ever seen in a six-month period.

The relentless rise in vulnerabilities has been fueled in large part by the accelerating pace of technological change. Under the mantle of digital transformation and cloud migration, enterprises have been revamping their IT systems at a feverish clip in recent years. This process went into overdrive during the COVID-19 pandemic as companies rushed to support remote workers and stay-at-home customers. The breakneck retooling has introduced new security holes much faster than teams can find and close them. Gartner estimates that “there is a 25-percentage-point increase in the risk of new technologies coinciding with COVID-19-era digital acceleration and the rapid adoption and integration of new technologies, services, and assets.”[7]

As fraught as the situation is on the IT side, things are even more precarious in OT. The number of OT products — especially internet of things (IoT) products — used by enterprises is soaring, and the associated vulnerabilities are climbing accordingly (see “OT vulnerabilities surge,” on page 8). Further, many formerly air-gapped OT systems are now connected to networks and exposed to external threats without adequate safeguards.

[Chart: New vulnerabilities over 5 years]
Year   New CVEs
2017   14,645
2018   16,512
2019   17,306
2020   18,341
2021   20,175

[7] Top 2022 Risks, Gartner, December 10, 2021
Many new vulnerabilities are also propagating via compromised code libraries and other building blocks — including popular open-source software — used in the software supply chain. Some of these vulnerabilities are inadvertent flaws; others are deliberately implanted by threat actors for use in subsequent exploits, a tactic known as “poisoning.” The vulnerable components are incorporated into a wide array of enterprise software, undetected by developers and customers. The Log4Shell vulnerability, discovered in December 2021 and affecting millions of systems, is an example of how an unintentional flaw in open source software can have catastrophic consequences (see “Log4Shell vulnerability highlights supply chain risks,” on page 18).

New vulnerabilities, worrisome as they may be, are just the tip of the iceberg. The total number of vulnerabilities published over the last 10 years reached 166,938 in 2021 — a three-fold increase over a decade. These cumulative vulnerabilities, piling up year after year, represent an enormous aggregate risk, and they’ve left organizations struggling with a mountain of “cybersecurity debt.”[8] As CISA (the U.S. Cybersecurity and Infrastructure Security Agency) highlights in its list of “Top Routinely Exploited Vulnerabilities,” threat actors are routinely attacking publicly disclosed vulnerabilities from years past.[9]

[Chart: Vulnerabilities have more than tripled over the past ten years (cumulative vulnerabilities): 2012: 50,732; 2021: 166,938]

The sheer volume of accumulated risks — hundreds of thousands or even millions of vulnerability instances within some large organizations — means that security teams can’t possibly isolate and patch all of them. Instead, they need to focus on the exposed vulnerabilities that, if exploited, could cause the most significant business impacts.

“Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched.”
– CISA[10]

[8] The rise of cybersecurity debt, TechCrunch, June 4, 2021
[9][10] Alert (AA21-209A): Top Routinely Exploited Vulnerabilities, CISA, July 28, 2021
Attackers and exploits are evolving rapidly
Concurrent with the rise in vulnerabilities, we’re seeing a rapid evolution of the threat landscape as a whole. Cybercrime has become a vast and thriving industry, with a sprawling ecosystem of specialized goods and services designed to enable and assist threat actors and all varieties of attack, along with an extensive infrastructure to facilitate clandestine communication, collaboration, and financial transactions.

[Timeline: Rising vulnerabilities, escalating attacks]
SolarWinds (March 2020), supply chain attack: thousands of customer and partner organizations impacted, including key government agencies and most Fortune 500 companies.
FireEye (December 2020), nation-state attack: Russian intelligence agency hacked FireEye’s ‘Red Team Tools’, which it can use to mount attacks across the world.
Microsoft (March 2021), vulnerability exploitation: 4 zero-day vulnerabilities compromised Microsoft Exchange Servers, impacting tens of thousands of global organizations.
Colonial Pipeline (May 2021), ransomware: widespread gasoline shortages and price hikes due to panic buying. Colonial Pipeline paid $4m+ in bitcoin ransom.
Log4Shell (December 2021), zero-day vulnerability: most serious open-source vulnerability to date; repercussions will last for years, with CISA predicting that Log4Shell will be used in intrusions well into the future.

Cybercriminals have become increasingly diverse. On one side of the spectrum, nation-state actors are using cyber assaults as a weapon against geopolitical rivals. With international tensions flaring in the wake of Russia’s invasion of Ukraine, a new era of intensifying state-sponsored attacks may be at hand. Russian hackers have already targeted Ukraine on previous occasions, dating back to 2015, when an attack on the Ukrainian electrical grid cut off power to 230,000 customers. The current conflict has experts contemplating the possibility of full-on cyber warfare.[11] CISA takes the threat of escalating attacks so seriously that it recently issued a rare “shields-up” warning, recommending that “all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”[12]

At the other end of the spectrum, cybercrime is attracting a growing legion of grassroots operators motivated by economic incentives. The quick money to be made from exploits such as cryptojacking and ransomware is tough to resist, especially in parts of the world where pay is low and legitimate career opportunities are few and far between. Easy-to-use exploit kits and malware-as-a-service (MaaS) have made it remarkably simple for non-experts to get into the game and start reaping financial returns.

Innovative tools aren’t just making cybercrime more accessible; they also enable a new level of sophistication and stealth. Recent years have seen a steady rise in malware designed to facilitate complex multistage campaigns and hard-to-detect exploits such as fileless attacks (where the malicious code is injected directly into memory, not installed on a hard drive).

Given all the threats and threat actors, it’s not surprising that cyberattacks have become more frequent, bigger, and more costly. Prominent examples from the past few years include:
+ Zero-day attacks exploiting vulnerabilities in Microsoft Exchange Server, impacting tens of thousands of organizations.
+ Supply chain attacks targeting IT software from SolarWinds and Kaseya. The SolarWinds attack affected an estimated 18,000 organizations, while the Kaseya attack impacted roughly 800-1,500 businesses.
+ Vital infrastructure attacks including the Colonial Pipeline ransomware attack, which disrupted fuel supplies in the southeastern U.S.

[11] What Russia’s Ongoing Cyberattacks in Ukraine Suggest About the Future of Cyber Warfare, Harvard Business Review, March 7, 2022
[12] Shields Up, CISA, March 2022
OT vulnerabilities surge
As dramatic as the rise in overall vulnerabilities was in 2021, the vulnerabilities assigned specifically to OT products grew even faster. That number nearly doubled, from 690 in 2020 to 1,295 in 2021. In addition, the number of OT advisories published by CISA jumped 54%.

Siemens, the market leader in OT products, accounted for 40% of the reported vulnerabilities, with 518 CVEs in 2021. This may be in part because of Siemens’s broader product line (they have the biggest portfolio of OT products), or perhaps because of the company’s greater diligence in uncovering and disclosing vulnerabilities.

The rising tide of OT weaknesses follows years of warnings from security experts, who’ve long pointed out that OT systems are a ticking time bomb. Designed with weak or non-existent security controls, most OT systems are soft targets for cyberattacks. The only thing protecting them in the past was that they were inaccessible to external threats because they were air-gapped or connected only to isolated internal networks.

That’s changed. Many systems are now connected to larger IT networks and the internet itself, often wirelessly. Much of this networking has taken place without any security oversight or planning; devices have been brought online in ad-hoc fashion (to allow remote management, for example — a trend accelerated by the pandemic).

[Chart: New OT vulnerabilities increased 88% (CVEs reported): 2020: 690; 2021: 1,295]

Top 10 OT vendors with the most new vulnerabilities (number of new vulnerabilities in 2021)
Siemens                 518
Hitachi                  73
Mitsubishi Electronics   62
Delta Electronics        57
Schneider Electric       50
Johnson Controls         47
Advantech                35
Rockwell Automation      33
Philips                  28
GE                       19
The explosion of IoT and industrial IoT (IIoT) products, ranging from sensors to smart appliances to environmental control and industrial automation systems, has greatly exacerbated the problem. In a survey by Forrester, security decision-makers whose organizations were hit by cyberattacks said IoT devices were among the most frequent targets.[13]

The stakes couldn’t be higher. OT systems include critical infrastructure (energy, water, transportation, and environmental control systems) and other essential equipment. Attacks on vital assets can inflict serious economic damage and even endanger public health and safety. Threat actors may sabotage or manipulate vulnerable OT systems to cause actual physical harm or to extort ransoms, knowing that many companies will readily pay to avoid disruptions or shutdowns.

As OT and IT networks converge, threat actors are increasingly exploiting vulnerabilities in one environment to reach assets in the other. Many OT attacks begin with an IT breach, followed by lateral movement to access OT equipment. Conversely, intruders may use OT systems as stepping stones to IT networks, where they can deliver malicious payloads, exfiltrate data, launch ransomware attacks, and conduct other exploits. Increasingly, malware is designed to exploit both IT and OT resources.

OT attacks are now occurring with frightening regularity. Examples from 2021 include:
+ The attack on a water treatment plant in Oldsmar, Florida, where hackers attempted to poison the water supply with sodium hydroxide (lye).
+ The ransomware attack linked to the Russia-based DarkSide cybercrime ring that shut down the Colonial Pipeline, resulting in temporary fuel shortages and panic buying in the southeastern U.S.
+ The ransomware attack by another Russia-based organization, REvil, on the world’s largest meat processor (JBS), interrupting operations.

Prompted in part by the Colonial Pipeline attack, the federal government has elevated OT to a matter of national security. In July 2021, the White House addressed the gravity of the situation, stating that “the cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation.” The Biden administration announced a new joint public-private initiative to bolster critical infrastructure, including the electrical subsector, natural gas pipelines, water and wastewater systems, and the chemical sector.[14]

[13] The State of IoT Security, Forrester, July 9, 2021
[14] National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, The White House, July 2021

That’s a positive development, but awareness is still lagging in many organizations. Skybox Security’s recent survey of OT security decision-makers revealed that cybersecurity risk is widely underestimated.[15] For example, 56% of all respondents were highly confident that their organization would not experience an OT breach in the next year, yet 83% said they had at least one OT security breach in the prior 36 months. Forty percent of all respondents said that OT is an afterthought compared to other digital initiatives.

Compounding the problem is the fact that many flaws in OT systems are hidden from security teams. That’s because most OT systems are hard or impossible to scan. At best, companies scan them infrequently (once or twice a year) because they can’t afford to take these mission-critical systems offline or degrade service. Likewise, patching many OT systems is technically impossible or too cumbersome and costly to address all vulnerabilities. As a result, many OT environments are riddled with security holes, with no effective way to assess weaknesses, much less fix them.

A different approach is clearly needed: one that eliminates the blind spots by providing a complete view of the OT and IT attack surface and that also facilitates targeted, effective remediation.

“Attacks on organizations in critical infrastructure sectors have increased dramatically, from less than 10 in 2013 to almost 400 in 2020. That’s a 3,900% increase.”
– According to Gartner®[16]

[15] Operational technology cybersecurity risk significantly underestimated, Skybox Security, December 6, 2021
[16] 3 Planning Assumptions for Securing Cyber-Physical Systems of Critical Infrastructure, Gartner, February 8, 2022
De-risk IT-OT convergence
Once upon a time, operations personnel didn’t worry about cyberattacks on OT assets because such systems consisted of stand-alone devices with no connection to the outside world. The fact that many or most such OT products lack robust cybersecurity protections was not a concern because they were effectively inaccessible — surrounded by a moat, as it were.

Those days are long gone. Formerly air-gapped OT equipment is now hooked up to IT networks and the internet for purposes of monitoring, control, and automation — with weak or no security controls in place. Many newer IoT products are often networked by default, again with little or no security oversight. As Gartner explains: “Over time, the technologies that underpin critical infrastructure have become more digitized and connected — either to enterprise IT systems and/or to each other — creating cyber-physical systems [CPS]. CPS are composed of both legacy infrastructure (deployed years ago without built-in security) and new assets, which are also deployed full of vulnerabilities.”[17] In other words, the moat is gone, and the drawbridge is down.

Most organizations don’t even have visibility into the problem. They have no global view of their attack surface, with its interconnections, entry points, configurations, and policies. It’s not just blind spots such as unscannable OT and network devices that prevent such a cohesive view; it’s also organizational siloing between IT and OT departments and among their various teams. Often each group has responsibility for a small piece of the puzzle, but no one has the big picture. Without full visibility, it’s difficult to detect policy violations, vulnerabilities, misconfigurations, faulty design, or unplanned or unauthorized changes. It’s also difficult to recognize and respond to complex attacks; individual teams may see only isolated incidents and fail to recognize that these are part of a larger coordinated campaign.

[17] Predicts 2022: Cyber-Physical Systems Security — Critical Infrastructure in Focus, Katell Thielemann, Wam Voster, Barika Pace, Ruggero Contu, Richard Hunter, Gartner, November 17, 2021
That’s why a modern vulnerability management strategy must begin with a holistic view that models and visualizes the entire attack surface, including IT and OT environments and all of the connections among them. This means going beyond active scanning to include scanless detection techniques. Scanless detection expands coverage by correlating asset information from generic CMDB parsers and patch management repositories with updated vulnerability data from threat intelligence sources. The result is continuous non-intrusive discovery on non-scannable assets (routers, switches, and sensitive OT devices) and fills in the gaps between active scan events on scannable assets.

This collected information can be analyzed in a model of the entire network environment. Teams can use the model to conduct path analysis, attack simulation, and exposure analysis. In so doing, they can identify and assess risks far more accurately than was previously possible. Improved risk assessment, in turn, enables organizations to prioritize resources and implement the most effective remediations: not just patching (which may be impossible or impractical) but also applying methods that reduce exposures and shrink the attack surface while maintaining uptime. Examples of such measures include segmenting networks or disconnecting OT devices where connections aren’t necessary; adjusting configurations; enforcing policies; and applying IPS (intrusion prevention system) signatures. The goal is not just to cut off initial breaches where possible, but also to prevent lateral movement that enables attackers to jump from IT to OT systems and vice versa, or from less critical devices to core systems.
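The correlation step that scanless detection relies on, as an added example (not Skybox’s code or product logic): a CMDB export and patch-management records are joined against a vulnerability feed, producing vulnerability instances for devices that were never probed. The asset names, vendor and product names, the EX-… vulnerability identifiers and the HOTFIX record are all constructed placeholders, not real advisories or products.

```python
"""Scanless vulnerability detection: correlate inventory and patch records with a
vulnerability feed instead of probing the device.

Added example; not Skybox's code or product logic. Assets, patch records, feed
entries and the EX-* vulnerability identifiers are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.10.0' -> (7, 10, 0). String comparison would rank 7.10.0 below 7.9.0."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    product: str
    version: str
    zone: str
    scannable: bool      # False for routers, switches and sensitive OT devices


@dataclass(frozen=True)
class FeedEntry:
    vid: str                                # placeholder vulnerability identifier
    vendor: str
    product: str
    affected_from: str                      # inclusive start of the vulnerable range
    fixed_in: str                           # exclusive end: first clean version
    severity: float
    mitigating_patch: Optional[str] = None  # hotfix that closes the flaw with no version bump


# Constructed CMDB export, normalised the way a generic CMDB parser would emit it.
CMDB: List[Asset] = [
    Asset("rtr-core-01", "ExampleNet", "EdgeRouter", "7.2.1", "it-core", scannable=False),
    Asset("rtr-edge-02", "ExampleNet", "EdgeRouter", "7.10.0", "dmz", scannable=False),
    Asset("plc-line-3", "ExampleOT", "PLC-500", "2.0.4", "ot-cell", scannable=False),
    Asset("hmi-02", "ExampleOT", "HMI-Studio", "3.1.0", "ot-cell", scannable=False),
    Asset("srv-web-01", "ExampleNet", "EdgeRouter", "7.4.0", "dmz", scannable=True),
]

# Constructed patch-management records: hotfix identifiers applied per asset.
PATCHES: Dict[str, Set[str]] = {"plc-line-3": {"HOTFIX-2021-09"}}

# Constructed vulnerability feed, the shape an advisory or threat-intel source provides.
FEED: List[FeedEntry] = [
    FeedEntry("EX-2021-0001", "ExampleNet", "EdgeRouter", "7.0.0", "7.3.0", 9.8),
    FeedEntry("EX-2021-0002", "ExampleNet", "EdgeRouter", "7.0.0", "7.11.0", 7.2),
    FeedEntry("EX-2021-0003", "ExampleOT", "PLC-500", "2.0.0", "2.1.0", 7.5, "HOTFIX-2021-09"),
    FeedEntry("EX-2021-0004", "ExampleOT", "HMI-Studio", "3.0.0", "3.2.0", 5.3),
]


def is_affected(asset: Asset, entry: FeedEntry, patches: Dict[str, Set[str]]) -> bool:
    """Product match, version inside [affected_from, fixed_in), and no mitigating hotfix."""
    if (asset.vendor, asset.product) != (entry.vendor, entry.product):
        return False
    v = parse_version(asset.version)
    if not parse_version(entry.affected_from) <= v < parse_version(entry.fixed_in):
        return False
    # A hotfix recorded in the patch repository counts as remediated even though the
    # version string is unchanged; a banner-based scan would still flag this asset.
    applied = patches.get(asset.asset_id, set())
    return not (entry.mitigating_patch and entry.mitigating_patch in applied)


def scanless_instances(assets: List[Asset], feed: List[FeedEntry],
                       patches: Dict[str, Set[str]]) -> List[Dict]:
    """One record per (asset, vulnerability) pair implied by inventory alone.
    Scannable assets are included too: the record fills the gap until the next scan."""
    rows = []
    for asset in assets:
        for entry in feed:
            if is_affected(asset, entry, patches):
                rows.append({
                    "asset": asset.asset_id,
                    "zone": asset.zone,
                    "vid": entry.vid,
                    "severity": entry.severity,
                    "source": "scanless" if not asset.scannable else "scanless(interim)",
                })
    return sorted(rows, key=lambda r: (-r["severity"], r["asset"]))


if __name__ == "__main__":
    for row in scanless_instances(CMDB, FEED, PATCHES):
        print(row)
```

Two details carry the practical weight. Version strings must be compared numerically, or a 7.10.0 device is wrongly matched against a flaw fixed in 7.3.0; and the patch repository must be consulted, because OT hotfixes frequently leave the reported version untouched, which is exactly what a banner-reading scan gets wrong. The output is a statement of what the inventory implies, not proof of exploitability; it is the input to the exposure analysis discussed next, not a replacement for it.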

“The traditional network-centric, point solution security tools originally deployed in critical infrastructure operations are no longer adequate to account for the speed and complexity of the emerging threat environment.”
– According to Gartner®[18]

[18] Predicts 2022: Cyber-Physical Systems Security — Critical Infrastructure in Focus, Katell Thielemann, Wam Voster, Barika Pace, Ruggero Contu, Richard Hunter, Gartner, November 17, 2021
Network device vulnerabilities climb steadily
We tallied 933 new vulnerabilities in network devices in 2021. The growth in network device vulnerabilities hasn’t fluctuated much since 2018, when new vulnerabilities ticked up 35%. In other words, while vulnerabilities continue to grow, the rate of growth at least appears to have stabilized. That may be because network device innovation has slowed, or because vendors are getting better at detecting and eliminating vulnerabilities.

If the latter is the case, it’s a step in the right direction, but it shouldn’t distract from the large number of cumulative vulnerabilities in network devices and the risks they pose to organizations. The risk is magnified by the fact that, as with OT equipment, many network devices are difficult or impossible to scan.

The rapid deployment of VPNs to support remote workers has contributed to the problem, leading to configuration errors and other security failures that opened the door to breaches. Some network device flaws are widespread, such as a critical vulnerability reported in 2021 in BIG-IP server appliances used by the thousands in some enterprises. Patching them all would be onerous — and wasteful, since only a portion of such devices are exposed. It’s therefore critical to apply exposure analysis to triage the problem.

[Chart: New vulnerabilities in network devices over 5 years, 2017 to 2021. Bar labels: 588, 909, 926, 933, 1,030; 2021: 933]
Multistage attacks on the rise
Increasingly, threat actors are employing multistage attacks to circumvent defenses and burrow deeper into organizations. Once restricted to the most sophisticated hackers, these chained attacks can now be carried out even by relative novices, thanks to readily available exploit kits and MaaS that enable inexperienced hackers to execute complicated exploits with no expertise.

Typically multistage attacks begin when a threat actor takes advantage of a stolen credential or common vulnerability to gain initial access to a system such as a user workstation or network device. Once they’ve gained a beachhead, they can use a series of local exploits to escalate their privileges to administrator status, conduct reconnaissance, and compromise high-value resources such as directories and hard drives containing sensitive information. This allows them to encrypt or exfiltrate critical data as part of ransomware attacks.

Such exploits, which Forrester calls “land and expand vectors,”[20] underscore a major weakness in traditional approaches to vulnerability management. Such approaches often focus on high- and critical-severity vulnerabilities, assuming that lower severity flaws can’t do much harm. But in reality, multistage campaigns often exploit less severe vulnerabilities to gain initial ingress, then escalate the attack through lateral movement.

In this threat landscape, organizations must use tools that:
1. Analyze actual exposure, enabling security professionals to detect and close vulnerable entry points (see “Advanced risk scoring is essential for today’s attack surface management” on page 20).
2. Perform path analysis to identify potential links in a chained attack.
3. Recommend effective remediations and policy controls that reduce the “blast radius” even when intruders breach the perimeter.

Such measures may include applying network segmentation, updating IPS signatures, and modifying access policies. These measures can limit lateral movement, prevent unauthorized privilege escalation, and stop intruders in their tracks.

“Some of the most widespread and devastating attacks have included multiple vulnerabilities rated ‘high,’ ‘medium,’ or even ‘low.’ This methodology, known as ‘chaining,’ uses lower score vulnerabilities to first gain a foothold, then exploit additional vulnerabilities to escalate privilege on an incremental basis.”
– CISA Directive 22-01[19]
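The path analysis and exposure analysis the list above calls for, and the point made under “Network device vulnerabilities climb steadily” that only a portion of the devices carrying a widespread flaw are actually exposed, as one added example (not Skybox’s code): a small model of zones, permitted flows and per-host flaws, a search for chained attack paths from the internet to a PLC, and a comparison of a severity-only patch policy against a segmentation change. Host names, zones, ports and the EX-… flaw identifiers are constructed placeholders; the severities are CVSS-style scores chosen so that the chain starts from a medium-severity foothold.

```python
"""Attack-path and exposure analysis over a zone-level network model.

Added example, not Skybox's code. Hosts, zones, flows, ports and the EX-* flaw
identifiers are constructed placeholders; severities are CVSS-style scores chosen
to illustrate a chain that starts from a medium-severity foothold.
"""
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple


@dataclass(frozen=True)
class Flaw:
    vid: str          # placeholder identifier
    port: int         # network service the flaw is reachable on
    severity: float   # CVSS-style base score


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    flaws: Tuple[Flaw, ...]


# Constructed inventory. lb-ext-01 and lb-int-02 carry the same flaw; only the
# one in the DMZ turns out to be exposed.
HOSTS: List[Host] = [
    Host("vpn-gw", "dmz", (Flaw("EX-VPN-01", 443, 5.3),)),
    Host("lb-ext-01", "dmz", (Flaw("EX-LB-01", 443, 9.8),)),
    Host("lb-int-02", "it-core", (Flaw("EX-LB-01", 443, 9.8),)),
    Host("jump-01", "it-core", (Flaw("EX-JUMP-01", 3389, 6.5),)),
    Host("hist-01", "ot-dmz", (Flaw("EX-HIST-01", 1433, 7.5),)),
    Host("plc-line-3", "ot-cell", (Flaw("EX-PLC-01", 502, 9.8),)),
]

# Constructed firewall policy: permitted (source zone, destination zone, TCP port).
# "internet" is where the attacker starts. Anything not listed is denied, including
# intra-zone traffic, which would need its own (zone, zone, port) rule.
Rule = Tuple[str, str, int]
RULES: Set[Rule] = {
    ("internet", "dmz", 443),
    ("dmz", "it-core", 3389),
    ("it-core", "ot-dmz", 1433),
    ("ot-dmz", "ot-cell", 502),
}

Step = Tuple[str, str, float]   # (host, flaw id, severity)


def attackable_from(zone: str, hosts: List[Host], rules: Set[Rule]) -> Iterator[Tuple[Host, Flaw]]:
    """Hosts an attacker positioned in `zone` can hit: the policy must permit a flow
    to the host's zone on the port of one of its flaws."""
    for h in hosts:
        for f in h.flaws:
            if (zone, h.zone, f.port) in rules:
                yield h, f


def attack_paths(hosts: List[Host], rules: Set[Rule], target: str,
                 start_zone: str = "internet") -> List[List[Step]]:
    """Enumerate simple chains of compromises from start_zone to the target host."""
    paths: List[List[Step]] = []

    def walk(zone: str, path: List[Step], visited: Set[str]) -> None:
        for h, f in attackable_from(zone, hosts, rules):
            if h.name in visited:
                continue
            step = path + [(h.name, f.vid, f.severity)]
            if h.name == target:
                paths.append(step)
            else:
                walk(h.zone, step, visited | {h.name})

    walk(start_zone, [], set())
    return paths


def exposed(hosts: List[Host], rules: Set[Rule], start_zone: str = "internet") -> Set[Tuple[str, str]]:
    """(host, flaw) pairs reachable from start_zone through any chain. Compromising
    any host in a zone gives the attacker that zone as a new position, so the
    search runs over zones rather than individual hosts."""
    found: Set[Tuple[str, str]] = set()
    frontier, seen_zones = [start_zone], {start_zone}
    while frontier:
        zone = frontier.pop()
        for h, f in attackable_from(zone, hosts, rules):
            found.add((h.name, f.vid))
            if h.zone not in seen_zones:
                seen_zones.add(h.zone)
                frontier.append(h.zone)
    return found


def patch_at_or_above(hosts: List[Host], threshold: float) -> List[Host]:
    """Severity-only remediation: remove every flaw scoring >= threshold."""
    return [Host(h.name, h.zone, tuple(f for f in h.flaws if f.severity < threshold)) for h in hosts]


def segment(rules: Set[Rule], rule: Rule) -> Set[Rule]:
    """Policy remediation: deny one flow."""
    return rules - {rule}


def weakest_link(path: List[Step]) -> float:
    """Lowest severity on the chain: the flaw a 'critical only' policy would ignore."""
    return min(sev for _, _, sev in path)


if __name__ == "__main__":
    for p in attack_paths(HOSTS, RULES, "plc-line-3"):
        print(" -> ".join(f"{h}[{v} {s}]" for h, v, s in p), "| weakest link:", weakest_link(p))
    print("exposed now:", sorted(exposed(HOSTS, RULES)))
    crit_only = patch_at_or_above(HOSTS, 9.0)
    print("paths to PLC after patching >= 9.0:", attack_paths(crit_only, RULES, "plc-line-3"))
    print("still exposed after patching >= 9.0:", sorted(exposed(crit_only, RULES)))
    cut = segment(RULES, ("it-core", "ot-dmz", 1433))
    print("exposed after denying it-core -> ot-dmz/1433:", sorted(exposed(HOSTS, cut)))
```

Run as written, the model yields two chains to the PLC, both entering through the DMZ and both with a 5.3-rated VPN flaw or a 9.8-rated load-balancer flaw as the first hop; the internal load balancer with the identical flaw is never reachable, which is the triage the network-device section asks for. Patching everything rated 9.0 or higher removes the chains to the PLC but leaves the historian exposed through the 5.3 and 6.5 footholds, while denying the single it-core to ot-dmz flow cuts the OT side off without any patch window. A real model also needs intra-zone rules, credential reuse and host-based controls; the zone-level search is the skeleton those details attach to.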

[19] Binding Cybersecurity Directive 22-01, CISA, November 3, 2021
[20] It’s Groundhog Day Again—The State Of Enterprise Ransomware Defense, Forrester Blog, February 2, 2022
Malware proliferates, especially cryptomining and ransomware

[Callout: New programs in 2021: cryptojacking up 75%, ransomware up 42%]

Malware developers were busy creating a variety of new software in 2021.[21] Particularly notable is the increase in cryptojacking and ransomware programs. New cryptojacking programs were up 75% year over year, while ransomware programs increased 42%. Both cases illustrate how the malware industry is getting better at leveraging emerging business opportunities, providing a range of tools and services used by seasoned cybercriminals and inexperienced newbies alike.

Cryptojacking malware hijacks unsuspecting users’ computing resources (CPUs and GPUs) for the lucrative activity of cryptocurrency mining. Hackers can use such exploits to make a quick return with very little effort and up-front investment. As the valuation of cryptocurrency rises, so do the miners’ profits. In fact, Bitcoin miners’ revenue increased 206% year-over-year, amounting to $15 billion in revenue.[22] The victims suffer degraded compute performance that can negatively impact productivity but may go unnoticed. Once cryptojacking malware has infected enterprise systems, it can also be repurposed for other types of exploits, such as ransomware attacks. Cryptojacking attacks have snowballed in recent years, quadrupling in 2021.[23]

[21] Skybox Research Lab changed its malware mapping this year to focus only on malicious programs that target known vulnerabilities.
[22] 2022 Digital Asset Outlook Report, Block Research, February 15, 2022
[23] Tales From The Cryptojacking Frontlines, CrowdStrike, October 27, 2021
Like cryptojacking, ransomware can yield a high ROI with a low barrier to entry, thanks to off-the-shelf products and services that do the heavy lifting. In the past, such attacks required a degree of sophistication and resources, but no longer. As one analyst observes: "Gone are the days when every attacker had to write their own ransomware code and run a unique set of activities. RaaS (ransomware-as-a-service) is a pay-for-use malware. It enables attackers to use a platform that provides the necessary ransomware code and operational infrastructure to launch and maintain a ransomware campaign."[24]

Cybercriminals are launching ransomware attacks at an unprecedented rate with convenient and easy-to-use tools. In a survey by IDC, more than a third of global organizations said they experienced ransomware breaches in 2021.[25]

According to Forrester, "Ransomware attacks have increased threefold since 2020, with attackers targeting different sectors and verticals in equal measure, and often going after the organizations that they know will be more enticed to pay."[26]

Interestingly, we found that new malware is increasingly targeting more recent vulnerabilities (vulnerabilities reported in the last three years). This indicates that malware developers are moving more swiftly to exploit the latest weaknesses. Often this is accomplished by simply tweaking existing malware to perform new exploits. In effect, malware evolves like viruses, with new variants springing up opportunistically in response to a changing environment.

As pragmatic as malware producers are, it makes sense that exploit kits and malware packages include tools targeting the most widespread vulnerabilities. And that's exactly what our findings show. The table on the next page lists the new vulnerabilities targeted by the largest number of malware programs.

Notable entries on the list of new vulnerabilities targeted by the largest number of malware programs include:

+ Log4Shell: This recently discovered and nearly ubiquitous vulnerability, first reported in December 2021, already had 15 malware programs targeting it by the year's end (see "Log4Shell vulnerability highlights supply chain risks," on page 18).
+ Microsoft Exchange Server vulnerabilities: This is another set of widespread flaws impacting many enterprises. Some of these vulnerabilities have been used in multistage attacks.
+ Pulse Connect Secure vulnerability: This is an example of a flaw that contributed to the rise in VPN attacks in 2021, underscoring the need for better network device security.

[24], [25] Ransomware trends, statistics and facts in 2021, TechTarget, November 2021
[26] The State of Ransomware Attacks and Defenses, Forrester Research, February 2022
New vulnerabilities targeted by the largest number of malware programs

CVE              Name of the vulnerability                                                 No. of malware programs targeting the CVE
CVE-2021-44228   Apache Log4j Critical Remote Code Execution Vulnerability (Log4Shell)     15
CVE-2021-26855   Microsoft Exchange Server Remote SSRF Vulnerability                       11
CVE-2021-27065   Microsoft Exchange Server Remote Arbitrary File Write Vulnerability       11
CVE-2021-26857   Microsoft Exchange Server Remote Code Execution Vulnerability              7
CVE-2021-26858   Microsoft Exchange Server Remote Arbitrary File Write Vulnerability        7
CVE-2021-34523   Microsoft Exchange Server Elevation of Privilege Vulnerability             7
CVE-2021-34473   Microsoft Exchange Server Remote Code Execution Vulnerability              7
CVE-2021-22893   Pulse Connect Secure Remote Code Execution Vulnerability                   7
CVE-2021-26084   Atlassian Confluence Remote Code Execution Vulnerability (Confluenza)      6
CVE-2021-31207   Microsoft Exchange Server Security Feature Bypass Vulnerability            6

Log4Shell spotlights supply chain risks
Each year seems to bring news of some new cybersecurity threat that shatters all previous precedents in its scope and potential impact. In 2020, it was the SolarWinds attack. In 2021, it was Log4Shell. First reported in December, Log4Shell is a critical vulnerability in a piece of Java-based open-source logging software known as Log4j, managed by the Apache Software Foundation.

The discovery of Log4Shell sent shockwaves through the cybersecurity community, not only because of the criticality of the flaw — which allows any remote attacker to take control of internet-connected devices running the software — but because of its ubiquity. Log4j is used in countless enterprise products and web applications, putting hundreds of millions of devices at risk. "This vulnerability is one of the most serious that I've seen in my entire career, if not the most serious," said Jen Easterly, director of CISA.[27]

Hackers were quick to exploit the vulnerability. According to one source, there were more than a million Log4j-related attacks in the first week after the vulnerability was publicly announced,[28] and as documented by Skybox Research Lab and detailed above, Log4Shell quickly became one of the top targets of new malware.

More than 1,000,000 Log4j-related attacks in the first week.[28]

Log4Shell highlights the growing danger posed by open-source software and the supply chain. Vulnerable or malware-infected components can make their way into widely used software products in ways that are hard to detect and extremely difficult to root out. Such was the case with the SolarWinds hack, and so it is with vulnerable Log4j libraries tucked away in a multitude of enterprise software, with no quick and efficient way to find, much less fix, all of them.

Using traditional, active scanning to find all instances of the vulnerability and then applying patches everywhere is monumentally time-consuming and costly. Fortunately, it's also unnecessary. Scanless detection can be used to identify affected assets without the cost and performance impacts of active scanning, and exposure analysis can pinpoint the typically small subset of devices that are actually susceptible to attack. Security teams can then apply appropriate mitigation measures such as configuration changes or network segmentation to stem the risks even before patches are applied or in cases where patches aren't available.


[27] US warns Log4j flaw puts hundreds of millions of devices at risk, ZDNet, December 14, 2021
[28] A deep dive into a real life Log4j exploitation, Check Point, December 14, 2021
Exploitation of new vulnerabilities accelerates

As new vulnerabilities appeared in 2021, threat actors wasted no time taking advantage of them. One hundred and sixty-eight vulnerabilities that were published in 2021 were promptly exploited within the year — 24% more than the number of vulnerabilities published and subsequently exploited in 2020. In other words, threat actors and malware developers are getting better at weaponizing recent vulnerabilities. This puts security teams in a squeeze, reducing the time between the initial discovery of vulnerabilities and the emergence of active exploits targeting them. That shrinking window means that proactive approaches to vulnerability management are more essential than ever.

New vulnerabilities exploited in the wild: up 24% in 2021.

Advanced risk scoring is essential for today's attack surface management

As the attack surface broadens, it's more crucial than ever for security teams to quickly and accurately identify the greatest risks and prioritize remediation efforts accordingly. Conventional approaches that focus primarily on the severity of vulnerabilities as measured by CVSS (the Common Vulnerability Scoring System) miss the mark. No matter how severe a vulnerability is, it may be safe from attack because it's not exposed or because there are no active attempts to exploit it. On the other hand, even a low- or medium-severity vulnerability can constitute a serious risk if it's readily accessible to threat actors and is being actively exploited.

Attackers are increasingly taking advantage of this fact, going after lower-severity vulnerabilities as the first step in sophisticated multistage campaigns. CISA made this point recently, explaining that "the Common Vulnerability Scoring System (CVSS) base score does not account for if the vulnerability is actually being used to attack systems… Known Exploited Vulnerabilities should be the top priority for remediation. Based on a study of historical vulnerability data to 2019, only 4% of the total number of vulnerabilities have been exploited in the wild. Rather than have agencies focus on thousands of vulnerabilities that may never be used in a real-world attack, BOD [Binding Operational Directive] 22-01 shifts the focus to those vulnerabilities that are active threats."[29]

"Enterprise attack surfaces are expanding. Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, complex digital supply chains, social media and more have brought organizations' exposed surfaces outside of a set of controllable assets. Organizations must look beyond traditional approaches to security monitoring, detection and response to manage a wider set of security exposures."

– Gartner®[30]

[29] Binding Cybersecurity Directive 22-01, CISA, November 3, 2021
[30] Gartner Press Release, "Gartner Identifies Top Security and Risk Management Trends for 2022", March 7, 2022

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Security teams need an objective framework for gauging the actual risk that any given vulnerability poses to their organization. This requires the use of a rigorous scoring system that can be used to prioritize remediation efforts and allocate precious resources where they're most needed. That means calculating risk scores for assets based on four critical variables:

1. Measured CVSS severity
2. Likelihood of exploitation
3. Exposure level based on security controls and configurations in place on the network
4. Importance of the asset

Exposure analysis is paramount, yet it's missing from conventional risk scoring approaches. Exposure analysis identifies vulnerabilities and their exploitability potential and correlates this data with an enterprise's unique network configurations and security controls to determine if the system is potentially open to a cyberattack. This process includes path analysis, which maps all the possible paths that packets can take across an enterprise's networks (including complex hybrid networks) — taking account of the policies, security controls, ports, protocols, and applications that affect such movement. Path analysis, in turn, enables attack simulation, which applies advanced algorithms to explore potential attack scenarios and reveal the degree to which various assets might be compromised.

This level of analysis and simulation is only possible when disparate data repositories are normalized and brought together into a multidimensional network model, including patch and asset management systems, vulnerability data, threat intelligence feeds, and cloud and network device configurations.
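The four-variable scoring above, worked through as an added example (not Skybox's scoring method or code): it ranks a handful of constructed findings by a risk score that multiplies CVSS severity, likelihood of exploitation, exposure and asset importance, and contrasts that order with a CVSS-only ranking. The weights, exposure levels, hostnames and "CVE-0000-EXAMPLE" identifiers are assumptions; only Log4Shell's malware count (15) comes from the report's table.

```python
# Risk-based prioritization of vulnerability findings. Added illustration, not
# Skybox's scoring method: combines the four variables the report names (CVSS
# severity, likelihood of exploitation, exposure, asset importance) into one
# score. Weights, exposure levels, hostnames and CVE-0000-EXAMPLE ids are assumed.
from dataclasses import dataclass
from typing import List

# Exposure level as an exposure/path analysis would report it: what can reach the
# vulnerable service given the firewalls and segmentation actually in place.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "none": 0.1}  # assumed

@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float              # CVSS base score, 0..10
    exploited_in_wild: bool  # e.g. on CISA's KEV list or targeted by malware
    malware_programs: int    # malware programs known to target the CVE
    exposure: str            # key of EXPOSURE_WEIGHT
    asset_importance: int    # 1 (lab box) .. 5 (mission critical)

def exploit_likelihood(f: Finding) -> float:
    """Weight in (0, 1]: active exploitation dominates; raw severity only
    nudges an unexploited finding upward (assumed heuristic)."""
    if f.exploited_in_wild:
        return min(1.0, 0.7 + 0.03 * f.malware_programs)
    return 0.05 + 0.02 * f.cvss

def risk_score(f: Finding) -> float:
    """Risk on a 0..100 scale: severity x likelihood x exposure x importance."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    if f.exposure not in EXPOSURE_WEIGHT:
        raise ValueError(f"unknown exposure level: {f.exposure}")
    if not 1 <= f.asset_importance <= 5:
        raise ValueError(f"importance must be 1..5: {f.asset_importance}")
    score = ((f.cvss / 10.0) * exploit_likelihood(f)
             * EXPOSURE_WEIGHT[f.exposure] * (f.asset_importance / 5.0))
    return round(100 * score, 1)

def prioritize(findings: List[Finding], by_cvss_only: bool = False) -> List[str]:
    """CVE ids from highest to lowest priority, by risk score or by CVSS alone."""
    key = (lambda f: f.cvss) if by_cvss_only else risk_score
    return [f.cve for f in sorted(findings, key=key, reverse=True)]

# Constructed sample: Log4Shell's malware count (15) is from the report's table;
# every other value is invented. EXAMPLE1 is medium severity but internet-exposed,
# actively exploited and on a critical asset; EXAMPLE2 is critical but unexposed.
SAMPLE = [
    Finding("CVE-2021-44228", "web-proxy-01", 10.0, True, 15, "internet", 4),
    Finding("CVE-0000-EXAMPLE1", "hr-portal", 5.3, True, 3, "internet", 5),
    Finding("CVE-0000-EXAMPLE2", "erp-db-01", 9.8, False, 0, "none", 5),
    Finding("CVE-0000-EXAMPLE3", "file-srv-02", 7.5, False, 0, "internal", 3),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{f.cve:<18} {f.asset:<13} CVSS {f.cvss:>4}  risk {risk_score(f):>5}")
    print("CVSS-only order:", prioritize(SAMPLE, by_cvss_only=True))
```

The medium-severity, exposed and exploited finding ranks second by risk but last by CVSS, while the unexposed critical one drops to the bottom, which is the point the text makes about CVSS-only prioritization.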

Shifting the paradigm: from detect-and-respond to prioritize-and-prevent

The trends described in this report point to an inescapable conclusion: Traditional vulnerability management strategies are wholly out of step with contemporary realities. Approaches centered on scanning and patching are too slow, too scattershot, too laborious, and too costly. They fail to catch many actual threats while squandering valuable resources on false alarms. As a result, security professionals are fighting a rearguard battle against a growing array of threats and adversaries.

It's time to give the advantage back to the defenders. That means turning the tables and changing the dynamic:

+ From reactive to proactive
+ From siloed to holistic
+ From severity-focused to risk-centric
+ From manual to automated
+ From intermittent to continuous

There's a prescriptive blueprint for doing this. It's called vulnerability lifecycle management, and it has four key parts:

1. Holistic discovery: Vulnerability data from all assets (including IT, OT, and cloud) and every corner of the network is aggregated. This requires scanless detection in addition to active scanning. The result is a 360-degree view of the attack surface.

2. Precise prioritization: Vulnerability data is incorporated into a network model. This data is then analyzed to reveal exposures. Exposures, severity, exploitability, and asset importance are analyzed together to compute an exact risk score that allows rigorous prioritization.

3. Targeted mitigation and remediation: Automated tools identify and recommend effective, practical measures to address and reduce risks. These measures go well beyond patching and include configuration changes, network segmentation, and more. This enables organizations to prevent or limit attacks (including zero-day attacks) even when patches are impractical or unavailable.

4. Ongoing oversight: Automated tools assist security personnel in implementing and maintaining remediation. The tools automatically generate tickets, track performance versus SLAs (service-level agreements), keep teams apprised of changes requiring updates, and ensure that issues are promptly addressed.

The lifecycle approach transforms vulnerability management from a sporadic, patchwork process to a continuous and comprehensive one. Most importantly, it enables organizations to move from reaction to prevention — no longer stuck responding to threats after the fact but prepared for whatever may come.
Methodology

All of the findings in this report, unless otherwise noted, are based on data from Skybox Research Lab, the threat intelligence division of Skybox. The Skybox Research Lab has been at the forefront in analyzing the latest cyber vulnerabilities and threats for over a decade. The lab delivers comprehensive, actionable, and timely threat intelligence that powers Skybox's vulnerability and threat management solution and enables our customers to discover, prioritize, and remediate risks.

Our team of security analysts continuously monitors dozens of security sources, tracking and analyzing tens of thousands of vulnerabilities on thousands of products, along with the latest data on exploits and malware taking advantage of these vulnerabilities. Drawing on this research, the team identifies the vulnerabilities most likely to impact our customers' networks and assets. These vulnerabilities are combined with critical contextual information on whether and how the vulnerability has been exploited, the prevalence of the vulnerability, the malware that exploits it, the damage it can inflict, and optimal approaches to remediation. All of this information is incorporated in a proprietary database used in our product and by Skybox customers.

The Skybox database has information on more than 130,000 vulnerabilities in roughly 14,000 products, including:

+ Server and desktop operating systems
+ Business and desktop applications
+ Networking and security technologies
+ Developer tools
+ Internet and mobile applications
+ IIoT devices
+ Industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices

Most of the statistics and findings in this report are based specifically on the intelligence in the Skybox database. In a few
cases, we’ve used other sources such as the National Vulnerability Database (NVD) instead, as explained below.

Overall vulnerabilities
Overall vulnerability counts are based on new vulnerabilities reported in the NVD. The age of vulnerabilities is based on the publication date in the NVD. For example, vulnerabilities are counted as "new" in 2021 if they were published in the NVD during that period.

Vulnerability severity
The vulnerability severity rating used in this report is part of our risk modeling methodology (CVSS V3 compliant), which takes a variety of parameters into account. The CVSS base score ranges from 0 to 10.

OT vulnerabilities
When counting OT vulnerabilities, we consult CISA, the most authoritative source of OT vulnerability data. The OT vulnerabilities in this report are based on new vulnerabilities shared by CISA in 2021.

Network device vulnerabilities
To track network device vulnerabilities, we've specifically looked at vulnerabilities in firewalls, routers, switches, network appliances, and their operating systems. We've deliberately excluded other OT systems such as cameras and industrial control systems, since those are covered separately in the OT section of this report.

New malware
To identify new malware, our security analysts continuously monitor new cybersecurity advisories and other sources. The data on the rise of malware in this report is extrapolated from these daily intelligence feeds. In this report, we focus specifically on malware that exploits known vulnerabilities.

Exploits in the wild
When counting new exploits in the wild, we've focused specifically on exploits targeted at new vulnerabilities, drawing on the intelligence collected in the Skybox database.

About Skybox
Over 500 of the largest and most security-conscious enterprises in the world rely on
Skybox for the insights and assurance required to stay ahead of dynamically changing
attack surfaces. At Skybox, we don’t just serve up data and information. We provide
the intelligence and context to make informed decisions, taking the guesswork out of
securely enabling enterprises at scale and speed.

Our security posture management platform delivers complete visibility, analytics, and automation to quickly map, prioritize, and remediate vulnerabilities across your organization. The vendor-agnostic platform intelligently optimizes security policies, actions, and change processes across all corporate networks and cloud environments. With Skybox, security teams can focus on the most strategic business initiatives while ensuring enterprises remain protected.

Interested in speaking with an expert to help solve your greatest security challenges? Contact us.
skyboxsecurity.com

© 2022 Skybox Security
