Don’t ex-Spectre media coverage to Foreshadow the most potent vulnerabilities

Data from our collection sources and our repository of intelligence reports highlight that the vulnerabilities threat actors tend to exploit are not always the ones that grab the headlines. The tendency to overhype technically innovative exploits at the expense of others that are less sophisticated but much more prevalent in the threat landscape can have real implications for vulnerability management and patching.

This inclination can often be seen in the reporting on highly original but often niche vulnerabilities and techniques.  Presentations at the Defcon cyber security conference last month, for instance, highlighted a number of new proof-of-concept attack techniques and vulnerabilities. Several of these generated considerable media coverage, including a technique for compromising water irrigation systems and a method which could potentially enable a threat actor to falsify readings for hospital patients’ vitals. Despite the interest that such proof-of-concept techniques receive, most of them are unlikely to see widespread adoption. In the majority of cases, they are simply too niche, complex or resource-intensive to be viable options for most threat actors.

A similar effect has occurred recently with several highly-publicised vulnerabilities. For example, Foreshadow, a technique affecting Intel processors, could potentially enable a threat actor to access confidential information stored on a device. However, Foreshadow (CVE-2018-3615) targets SGX (Software Guard Extensions), a feature which is not widely used. It is also too complex for most ordinary threat actors. For this reason, it has received little interest on cybercriminal forums. We illustrate this below, contrasting the number of mentions that Foreshadow generated in a representative sample on social media compared to the number of references to it on cybercriminal forums on the deep and dark web. As our data illustrates, this is similar to Spectre and Meltdown, which also affected Intel processors and were likewise much hyped by the media. As a way of contrast, in the chart below we have included three CVEs regularly exploited in campaigns and operations we have reported on.

Figure 1: Chart showing the disparity in mentions of certain vulnerabilities on social media and cybercriminal communities. The first three were evidently overhyped, as the large difference in interest shows. In Foreshadow’s case, cybercriminals barely registered any interest at all. The latter three, meanwhile, are some of the most frequently tagged CVEs in our dataset. Here, the disparity is much less noticeable. Moreover, CVE-2015-1641, which affects the ubiquitous Microsoft Word, is evidently underestimated, as it receives little attention on social media.

This disparity becomes even more stark when we compare known operations and campaigns leveraging these vulnerabilities. Whereas there have been no publicly disclosed incidents in which threat actors have exploited Spectre, Meltdown or Foreshadow, three CVEs highlighted in the chart below, which have each been exploited in numerous disclosed campaigns and operations.

Figure 2: Orpheus’ repository of intelligence reports highlights the disparity in the number of disclosed operations and campaigns that these vulnerabilities have been used in. This indicates that the utility of a vulnerability does not necessarily correlate with the amount of coverage it receives.

In contrast to Foreshadow, Spectre and Meltdown, CVE-2017-0199, affecting Rich Text Format files, CVE-2017-11882 and CVE-2015-1641 – are relatively simple to exploit. All have CVSS v2.0 scores – used to calculate the severity of vulnerabilities – of 9.3, which ranks as “high”. They are all in the ubiquitous Microsoft Office suite, increasing the prospect of a victim operating the required technology and being accustomed to receiving these weaponised filetypes via email attachments.

This tendency to overhype certain vulnerabilities often comes at the expense of focus on older vulnerabilities that remain popular with threat actors. While our reporting often notes how quickly threat actors are able to exploit newly disclosed vulnerabilities, our database of intelligence reports also highlights that in 2018, malicious actors have exploited much older vulnerabilities in a number of campaigns and operations (see below), including one which is 12 years old.


Figure 3: Orpheus’ repository of intelligence reports illustrates that older vulnerabilities can remain a threat for many years.

Patches have long been available for these vulnerabilities. Their continued persistence is likely due to the poor patch management practices of many organisations and their high CVSS scores – the majority score 9.3 out of 10 or higher. In other words, they are both exploitable and likely to have a high impact on affected systems.

This comparison highlights the way in which network defenders and dedicated vulnerability management programmes need to look beyond the hype when prioritising vulnerabilities for patching. This is why it is crucial to maintain an insight into deep and dark web forums and messaging platforms, and the code repositories which often provide cybercriminals with the tools they tend to use, to discover which techniques matter most.