Nearly a quarter of exploits sold on the cybercriminal underground are more than three years old
Twenty-two percent of exploits for sale in underground forums are more than three years old, according to new research from global cybersecurity firm Trend Micro.
The company released new research urging organisations to focus patching efforts on the vulnerabilities that pose the greatest risk to their organisation, even if they are years old.
"Criminals know that organisations are struggling to prioritise and patch promptly, and our research shows that patch delays are frequently taken advantage of," says Tony Lee, head of consulting at Trend Micro, Hong Kong and Macau.
"The lifespan of a vulnerability or exploit does not depend on when a patch becomes available to stop it," he says.
"In fact, older exploits are cheaper and therefore may be more popular with criminals shopping in underground forums," Lee says.
"Virtual patching remains the best way to mitigate the risks of known and unknown threats to your organisation," he states.
The Rise and Fall of the N-day Exploit Market in Cybercriminal Underground report reveals several risks of legacy exploits and vulnerabilities, including:
- The oldest exploit sold in the underground was for CVE-2012-0158, a Microsoft RCE.
- CVE-2016-5195, known as the Dirty Cow exploit, is still in use after five years.
- In 2020, WannaCry was still the most detected malware family in the wild, and there were over 700,000 devices worldwide vulnerable as of March 2021.
- 47% of cybercriminals looked to target Microsoft products in the past two years.
The report also reveals a decline in the market for zero-day and N-day vulnerabilities over the past two years. This is being driven in part by the popularity of bug bounty programs, like Trend Micro's Zero Day Initiative, and by the rise of Access-as-a-Service, the new force in the exploit market.
Access-as-a-Service offers the advantages of an exploit, but all the hard work has already been done for the buyer, with underground prices starting at USD 1,000.
According to the report, these trends are combining to create greater risk for organisations.
"With nearly 50 new CVEs released per day in 2020, the pressure on security teams to prioritise and deploy timely patches has never been greater and it's showing," says Lee.
"Today, the time to patch averages nearly 51 days for organisations patching a new vulnerability.
"To cover that gap in security protection, virtual patching is key," he says.
"It is based on intrusion prevention technology and offers a hassle-free way to shield vulnerable or end-of-life systems from known and unknown threats indefinitely."