Experts Reveal 29% Surge in Bugs Used by Ransomware Actors


There’s been a 29% increase in the number of vulnerabilities exploited by ransomware groups to compromise their targets over the past year, according to a new industry report.

The Ransomware Spotlight Year End Report was written by security vendors Ivanti and Cyware alongside CVE numbering authority Cyber Security Works. It’s compiled from multiple data sources, including Ivanti and CSW, publicly available threat databases and threat researchers and pen-testing teams.

The analysis revealed 65 new bugs associated with ransomware in 2021, totaling 288. Over a third (37%) of the newly added vulnerabilities were found trending on dark websites and subject to repeated exploitation as a result. Plus, over half (56%) of the older CVEs are still being regularly exploited, it said.

The report also highlighted that many zero-day vulnerabilities are being exploited before they’ve even had time to be published in the US National Vulnerability Database (NVD). These include ones used to compromise Kaseya (CVE-2021-30116) and the infamous Log4Shell bug (CVE-2021-44228).

The ransomware-as-a-service (RaaS) model is helping to democratize this kind of activity across the cybercrime underground. Particularly dangerous are exploit-as-a-service offerings, which allow threat actors to rent zero-day exploits from developers, the report said.

Despite recent arrests in Russia, many of these cybercrime gangs continue to be sheltered by hostile states.

Illustrating just how thriving the industry still is, the report identified 32 new ransomware variants in 2021, a 26% year-on-year increase, which brings the total to 157.

“Ransomware groups are becoming more sophisticated, and their attacks more impactful. These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks. They are also expanding their targets and waging more attacks on critical sectors, disrupting daily lives and causing unprecedented damage,” argued Ivanti SVP of security products, Srinivas Mukkamala.

“Organizations need to be extra vigilant and patch weaponized vulnerabilities without delays. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation.”

However, vulnerabilities are still not the number one threat vector for ransomware, according to Coveware.

As of Q3 2021, RDP compromise stemming from misconfiguration, and email phishing, remained the main ways to penetrate victim networks, the vendor claimed.

However, it added that vulnerability exploits were gaining popularity as an initial threat vector “as common peripheral applications get targeted, and patching cadence by enterprises lags.”


Government Trials Effort to Make Bug Scanning Easier


The UK’s leading cybersecurity agency has revealed details of a new initiative designed to make it easier for system administrators to root out vulnerabilities across their IT environment.

Scanning Made Easy (SME) is the work of GCHQ spin-off the National Cyber Security Centre (NCSC) and its industry collaboration initiative known as i100.

“When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network. To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results,” wrote the NCSC’s vulnerability management lead, “Ollie N.”

“Scanning Made Easy (SME) was born out of our frustration with this problem and our desire to help network defenders find vulnerable systems, so they can protect them.”

It’s designed to be as reliable and straightforward as possible, minimizing the false positives, which can be a significant inconvenience for time-poor IT teams.

To do so, SME is based on a collection of scripts written for the Nmap Scripting Engine (NSE), the scripting engine built into the industry-standard Nmap network mapping tool.

“The scripts are authored by our i100 partners and conform to the NCSC Scanning Made Easy Script Developer Guidelines. These set out how the scripts should be developed, as well as what they should and should not do. A summary is included with each script that describes how it will verify the vulnerability,” the NCSC continued.

“It is important that anyone running the scripts knows what they do. Thankfully, NSE makes this transparent as the script syntax is easy to read and understand.”

The tool offers far from comprehensive coverage, but the idea is that industry collaborators will write new scripts for critical and frequently exploited vulnerabilities.

The first SME script to be released scans for several Exim message transfer agent (MTA) remote code execution vulnerabilities known as “21Nails” (CVE-2020-28017 to CVE-2020-28026).

The NCSC encouraged organizations to try SME out and develop and share their own scripts with the community.

The recent travails associated with the Log4j logging utility highlighted the problem many administrators have in finding vulnerable instances of software across their environment, especially those featuring complex open source dependencies.


Home Working Drives 44% Surge in Insider Threats


Insider threats cost organizations an average of over $15m annually to remediate last year, with stolen credentials a growing risk, according to Proofpoint.

The security vendor’s 2022 Cost of Insider Threats Global Report was compiled from interviews with over 1000 IT professionals and analysis of more than 6800 incidents across the globe.

It revealed that the cost and frequency of insider incidents are on the rise. Associated costs jumped 34%, from $11.5m in 2020 to $15.4m in 2021, while the overall volume surged by 44% over the period.

The frequency of incidents per company also increased, with 67% of companies experiencing between 21 and more than 40 incidents per year, up from 60% in 2020.

Negligence continues to account for the majority (56%) of insider threats, at the cost of nearly $485,000 per incident.

Failure to ensure devices are properly secured or patched and not following corporate security policy are typical issues that have exposed organizations over the past year. They’re especially prevalent as many employees now work from home, where it’s often harder for IT teams to enforce policy effectively.

That’s resulted in a near-doubling of credential theft incidents since 2020, at a cost to organizations of $804,997 per incident.

However, malicious intent is also a major cause of insider threats, accounting for a quarter (26%) of incidents at an average cost of $648,000 to remediate. Once again, the work-from-home (WFH) mandate has driven this trend, allowing employees more remote access to sensitive data, according to Proofpoint.

Ryan Kalember, EVP of cybersecurity strategy at Proofpoint, described people as the “new perimeter” in the fight against spiraling cyber-risk.

“Months of sustained remote and hybrid working leading up to ‘The Great Resignation’ has resulted in an increased risk around insider threat incidents, as people leave organizations and take data with them,” he argued.

“In addition, organizational insiders, including employees, contractors and third-party vendors, are an attractive attack vector for cyber-criminals due to their far-reaching access to critical systems, data and infrastructure.”

Unfortunately, current efforts to detect insider risk appear to be failing: it now takes an average of 85 days to contain an insider incident, up from 77 days in 2020.


Data residency laws pushing companies toward residency as a service


Data residency laws require that companies operating in a country keep data about its citizens on servers located in that country. For companies that have customers or employees in multiple countries, the regulatory requirements can be onerous and difficult to keep up with.

Previously, “safe harbor” laws or tokenization-based approaches helped companies address the issue, but recent regulatory changes have made both approaches less workable. Meanwhile, countries like China, Russia and Brazil have been making changes to their data residency requirements.

In 2020, European courts upended the previous data transfer mechanisms — the EU-U.S. Privacy Shield and standard contractual clauses. In summer 2021, new guidance was released, and companies now have until the end of 2022 to switch to new standard contractual clauses that comply with the new requirements.

In summer 2021, China passed a new data security law, which went into effect in September, with significant financial penalties for companies that violate its new cross-border data transfer rules. This was soon followed by a personal information protection law, China’s answer to the EU’s General Data Protection Regulation (GDPR), which took effect in November.

Brazil passed its own version of the GDPR in fall 2020 and began enforcing it in August 2021.

Russia adopted a data localization law in 2014, then upped the fines on violations significantly in 2019. Last summer, a new law required companies with significant numbers of Russian users to have not just servers but physical offices in Russia. That law went into effect at the start of 2022.

According to the United Nations Conference on Trade and Development, 133 countries have legislation in place to protect data and privacy and another 20 are working on draft legislation. As a result of these and other changes, companies now either set up local servers for the jurisdictions where they do business and residency laws apply, use cloud providers that offer residency support, or work with a newly emerging class of vendors called residency-as-a-service providers.


How to defend Windows networks against destructive cyberattacks


The Russian cyberattacks on Ukrainian organizations remind us that the attacker isn’t always looking to steal data or extort money. Sometimes they just want to cause as much damage as possible. Both Microsoft and Mandiant recently released information about these destructive attacks and how to better protect against them.

Regardless of geographic location, all of us can learn from how these attacks occur and are mitigated. The attacks were extreme in their destruction. As Microsoft noted in its blog, “The malware in this case overwrites the MBR [master boot record] with no mechanism for recovery.” This leads the system to be unbootable and unrepairable without a full reinstall or recovery from a full backup of the system. Thus, the first lesson is to ensure that you have the tools and resources to either fully redeploy your workstation images or have a full ability to recover your platforms.


A Vulnerability in Polkit’s pkexec Component Could Allow For Local Privilege Escalation


A vulnerability in Polkit’s pkexec component could allow for local privilege escalation. Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit is installed by default on all major Linux distributions. Successful exploitation of this vulnerability could result in privilege escalation to root privileges.
