Don’t ex-Spectre media coverage to Foreshadow the most potent vulnerabilities
Data from our collection sources and our repository of intelligence reports highlight that the vulnerabilities threat actors tend to exploit are not always the ones that grab the headlines. The tendency to overhype technically innovative exploits at the expense of others that are less sophisticated but much more prevalent in the threat landscape can have real implications for vulnerability management and patching.
This inclination can often be seen in the reporting on highly original but often niche vulnerabilities and techniques. Presentations at the Defcon cyber security conference in August 2018, for instance, highlighted a number of new proof-of-concept attack techniques and vulnerabilities. Several of these generated considerable media coverage, including a technique for compromising water irrigation systems and a method which could potentially enable a threat actor to falsify readings for hospital patients’ vitals. Despite the interest that such proof-of-concept techniques receive, most of them are unlikely to see widespread adoption. In the majority of cases, they are simply too niche, complex or resource-intensive to be viable options for most threat actors.
A similar effect has occurred recently with several highly-publicised vulnerabilities. For example, Foreshadow, a technique affecting Intel processors, could potentially enable a threat actor to access confidential information stored on a device. However, Foreshadow (CVE-2018-3615) targets SGX (Software Guard Extensions), a feature which is not widely used. It is also too complex for most ordinary threat actors. For this reason, it has received little interest on cybercriminal forums. We illustrate this below, contrasting the number of mentions that Foreshadow generated in a representative sample on social media compared to the number of references to it on cybercriminal forums on the deep and dark web. As our data illustrates, this is similar to Spectre and Meltdown, which also affected Intel processors and were likewise much hyped by the media. As a way of contrast, in the chart below we have included three CVEs regularly exploited in campaigns and operations we have reported on.
Figure 1: Chart showing the disparity in mentions of certain vulnerabilities on social media and cybercriminal communities. The first three were evidently overhyped, as the large difference in interest shows. In Foreshadow’s case, cybercriminals barely registered any interest at all. The latter three, meanwhile, are some of the most frequently tagged CVEs in our dataset. Here, the disparity is much less noticeable. Moreover, CVE-2015-1641, which affects the ubiquitous Microsoft Word, is evidently underestimated, as it receives little attention on social media.
This disparity becomes even more stark when we compare known operations and campaigns leveraging these vulnerabilities. Whereas there have been no publicly disclosed incidents in which threat actors have exploited Spectre, Meltdown or Foreshadow, three CVEs highlighted in the chart below, which have each been exploited in numerous disclosed campaigns and operations.
Figure 2: Orpheus’ repository of intelligence reports highlights the disparity in the number of disclosed operations and campaigns that these vulnerabilities have been used in. This indicates that the utility of a vulnerability does not necessarily correlate with the amount of coverage it receives.
In contrast to Foreshadow, Spectre and Meltdown, CVE-2017-0199, affecting Rich Text Format files, CVE-2017-11882 and CVE-2015-1641 – are relatively simple to exploit. All have CVSS v2.0 scores – used to calculate the severity of vulnerabilities – of 9.3, which ranks as “high”. They are all in the ubiquitous Microsoft Office suite, increasing the prospect of a victim operating the required technology and being accustomed to receiving these weaponised filetypes via email attachments.
This tendency to overhype certain vulnerabilities often comes at the expense of focus on older vulnerabilities that remain popular with threat actors. While our reporting often notes how quickly threat actors are able to exploit newly disclosed vulnerabilities, our database of intelligence reports also highlights that in 2018, malicious actors have exploited much older vulnerabilities in a number of campaigns and operations (see below), including one which is 12 years old.
Figure 3: Orpheus’ repository of intelligence reports illustrates that older vulnerabilities can remain a threat for many years.
Patches have long been available for these vulnerabilities. Their continued persistence is likely due to the poor patch management practices of many organisations and their high CVSS scores – the majority score 9.3 out of 10 or higher. In other words, they are both exploitable and likely to have a high impact on affected systems.
This comparison highlights the way in which network defenders and dedicated vulnerability management programmes need to look beyond the hype when prioritising vulnerabilities for patching. This is why it is crucial to maintain an insight into deep and dark web forums and messaging platforms, and the code repositories which often provide cybercriminals with the tools they tend to use, to discover which techniques matter most.
Get our latest cyber intelligence insights straight into your inbox
Fill out the short form below to subscribe to our newsletter so that you never miss out on
our cyber intelligence insights and news.
Privacy Overview
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Strictly Necessary Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features. These must be enabled at all times, so that we can save your preferences.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
If you do not enable Strictly Necessary Cookies, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Request Demo Access
Fill out your details below and we'll be in touch to arrange demo access for you as soon as
possible.
