2024
Roskomnadzor has launched a "Security Scanner" to search for critical vulnerabilities on the Runet. 26 thousand problems have already been found
Roskomnadzor discovered more than 26 thousand critical vulnerabilities in the Russian segment of the Internet using the Security Scanner system, which has been operating in test mode since 2024. This was announced on October 24, 2024 by the director of the Center for Monitoring and Management of the Public Communications Network (CMU SSOP) of Roskomnadzor Sergey Khutortsev. Read more here.
US authorities warn of holes in Veeam software - they are used to attack ransomware viruses
On October 17, 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) reported the discovery of a dangerous vulnerability in Veeam software. The breach is exploited by cybercriminals to inject ransomware virus victims into the IT infrastructure. Read more here.
Hackers encrypted the industrial company's infrastructure with an unrecoverable Windows flaw
Pro-Ukrainian cybercriminals disabled IT infrastructure the Russian an industrial company using a flaw. Windows We are talking about the well-known since 2022 lack of interaction operating system with digital signatures of drivers. This was announced Solar by "" on August 26, 2024. More. here
Hackers have been seizing Cisco switches for years because of a hole in equipment from the plant
On July 1, 2024, Cisco announced the discovery of a zero-day vulnerability in its NX-OS operating system, which is used on Nexus series switches. It is known that attackers have used this gap for years to seize control of the network equipment of the American manufacturer. Read more here.
US authorities: Hackers have been using Oracle's leaky software for illegal mining of cryptocurrencies for many years
In late May 2024, the Infrastructure and cyber security Protection Agency (CISA) USA reported that Chinese hackers had been exploiting vulnerabilities in software Oracle for illegal mining for years. cryptocurrencies Moreover, attackers are constantly improving their methods, which makes them difficult to detect and protect against intrusions. More. here
MTUSI experts investigated Downfall vulnerability in Intel processors
processors In families Intel released over the past eight years, vulnerability Downfall was found, allowing attackers to steal personal data users, including bank keys enciphering and violate privacy. Among the victims were individuals, companies and. data centers TAdviser Representatives told about this MTUSI on January 16, 2024. The university's specialists information security tested the Downfall vulnerability and presented a report on the consequences it leads to. More. here
2023
Only 14% of vendors quickly fix vulnerabilities found by security researchers
Positive Technologies experts analyzed their own experience of interacting with vendors in the field of vulnerability disclosure. So, in 2022-2023, 57% of vendors promptly responded to the company's researchers, while only 14% of all software manufacturers released updates in an optimally short time.
For the first time, security flaws that the software manufacturer does not know about and for which there are no fixes yet are called zero-day vulnerabilities. As soon as the vendor learns of such a flaw, it becomes extremely important to release a fix in a timely manner, as delays allow attackers to increasingly exploit such vulnerabilities in their attacks.
The number of discovered vulnerabilities is constantly growing: in 2023, their number (28,902) exceeded the previous two years by 42% and 14%, respectively. In addition, each hack leak costs business more and more: the average cost of a leak, according to, over the to data IBM past three years has grown by 15%, reaching 4.45 million. In dollars USA this regard, building a trusting and transparent relationship between software providers and information security researchers is of particular importance for strengthening protection.
Delay in responsible disclosure information of vulnerabilities is fraught with an increase in the number of attacks on: supply chains in the first three quarters of 2023, the number of incidents caused by attacks of this type doubled compared to the figures for the entire 2022.
Positive Technologies adheres to the principles of coordinated disclosure in the event of vulnerabilities in vendor products. With this format of responsible disclosure, not only researchers and the software manufacturer participate in the process, but also regulators and organizations that act as intermediaries in cooperation with suppliers.
Positive Technologies researchers from the PT SWARM team for 2022 and 2023 identified more than 250 vulnerabilities (70% of which are high and critical danger levels) in the software and hardware of 84 vendors. At the same time, we are faced with software manufacturers of completely different levels of maturity. Only one in four of them on the site has contacts for communication in such a case and at least some policy of responsible disclosure. We urge vendors to build transparent and mutually beneficial cooperation with cybersecurity specialists, because only together you can identify and fix software vulnerabilities in a timely manner, resist the onslaught of cybercrime in the interests of all parties. Responsible companies primarily benefit from such cooperation: they increase the level of security of their solutions, create a positive image, attract new customers and strengthen competitiveness in the market, "said Fedor Chunizhekov, senior analyst at the Positive Technologies research group. |
Cisco admitted the existence of a critical hole in its OS that cannot be fixed and asks users to turn off the equipment
On October 16, 2023, Cisco announced the discovery of a critical hole in its IOS XE operating system, which is used on various network devices. The flaw is actively exploited by cybercriminals, and a fix for it does not exist as of the specified date. Read more here.
FSTEC: Software developers regularly violate the requirements for the timing of the elimination of vulnerabilities in their products
Russian software developers regularly violate the FSTEC requirements for the time frame for eliminating vulnerabilities in their products. The department told about this in October 2023. They noted "insufficient software support efficiency."
We are talking about compliance with the requirements of the regulations for including information about software vulnerabilities in the "Information Security Threats Data Bank" FSTEC, explains Kommersant"." If the manufacturer software receives information about a potential vulnerability in its software, it must take measures to eliminate it within 30 or 60 days, depending on the level of threat, for example, develop an edit (patch) for the software.
The head of the board of directors of BASEALT, Alexei Smirnov, in a conversation with the publication, said that violation of the FSTEC regulations could threaten to revoke the certificate from the software. This will close for the developer the possibility of supplying its products to state customers who require certified software from suppliers. Factory5 General Director Denis Kasimov noted that Russian software developers "work out incidents" and make changes to the software twice as long as foreign ones. He believes that this state of affairs is associated with an increased demand for domestic products, which is why the load on technical support specialists at all levels has increased.
Some companies may not have enough specialists to work out security incidents, and someone simply does not have money for this, Elena Baranova, development director of Auriga LLC, told the newspaper.
To reduce the time for processing a request, separate service teams are required, which may be too expensive for Russian developers, she said. |
According to Roman Karpov, head of the information security committee of the Domestic Software Association, a significant share of Russian software certified by FSTEC is based on open source code, the elimination of vulnerabilities in which "is not carried out by a specific developer, but by a community."[1]
Juniper Networks has admitted to the holes in its OS and devices. Hackers use this in DDoS attacks
On August 29, 2023, the American company Juniper Networks, a manufacturer of equipment for Internet providers, corporations and the public sector, announced the identification of a number of vulnerabilities in its network devices. Holes allow cybercriminals to organize DDoS attacks. Read more here.
US authorities have warned of holes in Citrix software. Because of them, hackers can easily steal company data
On August 16, 2023, the US Cybersecurity and Infrastructure Protection Agency (CISA) reported that network attackers were attacking enterprises through vulnerabilities in Citrix software. Holes, among other things, allow you to steal confidential information. Read more here.
Two-thirds of Fortinet's firewalls were leaky. You can easily run arbitrary code on them
More than two-thirds of Fortinet's in-service firewalls contain a critical vulnerability that cybercriminals can exploit to seize control of hardware. This is stated in a study by Bishop Fox, the results of which were released on June 30, 2023. Read more here.
Roskomnadzor creates a platform to combat vulnerabilities of Russian sites
A scanning system is being created on the basis of the Public Communications Network Monitoring and Management Center, which will identify vulnerabilities in the information security of Russian services, providing an opportunity to quickly eliminate them. The press service of Roskomnadzor announced this on June 9, 2023. Read more here.
Microsoft admitted to hacking the Outlook email service. European government, military and energy companies hit
In mid-March 2023, Microsoft announced a prolonged cyber attack targeting the Outlook email service. The victims of hackers were government, military, transport and energy companies in Europe. Read more here.
Critical holes found in Schneider Electric controllers used in airports, power and mining
In mid-February 2023, researchers at Forescout announced the discovery of a number of serious vulnerabilities in Schneider Electric production process management systems. Read more here.
2 Years Hackers Exploit VMware Software Hole for Successful Ransomware Virus Attacks
In early February 2023, the French Computer Emergency Response Team (CERT-FR) warned of the spread of a new ransomware program dubbed ESXiArgs. It penetrates victims' systems through a hole in VMware server software. Read more here.
Signal messenger hole allows anyone to view attachments in correspondence
At the end of January 2023, John Jackson, a specialist in information security, published a study on two vulnerabilities he discovered in the Signal messenger desktop client. They were designated CVE-2023-24069 and CVE-2023-24068. Read more here
US authorities warned of dangerous holes in Siemens and GE industrial software
On January 17, 2023, the US Cybersecurity and Infrastructure Protection Agency (CISA) announced the discovery of dangerous vulnerabilities in industrial software (software) manufactured by Siemens, GE Digital and Contec. Read more here.
Hackers gain control over TP-Link devices
On January 11, 2023, the US National Institute of Standards and Technology (NIST) released two security bulletins with information about vulnerabilities in the Netprom and TP-Link routers. Attackers, in particular, can seize full control of the device. Read more here.
Motherboard scrap that allows you to run the OS without checking their security
On January 13, 2023, Polish IT security researcher Dawid Potocki reported the discovery of a dangerous vulnerability in about 300 MSI motherboard models. The flaw allows you to download any image of the operating system, regardless of whether it has a digital signature. Read more here.
How hackers attack governments through Fortinet's leaky VPN devices
In mid-January 2023, it became known that cybercriminals are exploiting the SSL zero-day vulnerability FortiOS VPN to carry out attacks on government organizations and targets related state to structures. More. here
Attackers gain control over devices due to the existence of critical router holes
On January 11, 2023, Cisco announced that there were two critical vulnerabilities in the web management interface of some of its small business routers. Holes allow a remote attacker to seize control of the device. Read more here.
2022
Microsoft recognizes the hole in Exchange servers through which ransomware viruses spread
At the end of December 2022, information security researchers from CrowdStrike announced the discovery of a new set of ProxyNotShell exploits for attacks on Microsoft Exchange servers. Read more here.
Netgear acknowledged the existence of critical holes in Nighthawk routers
On December 28, 2022, Netgear released a software update for a number of its Wi-Fi routers: the update fixes a dangerous vulnerability that could be exploited by cybercriminals, including for the purpose of organizing DDoS attacks. Read more here.
A hole was found in Google speakers that allows anyone to listen to users
On December 26, 2022, it became known about a serious vulnerability in Google Home smart speakers, which allows an attacker to gain remote access to the device and eavesdrop on user conversations. Read more here.
Open trend vulnerabilities found in 100% of companies investigated
Open trend vulnerabilities were found in 100% of the companies studied. data Such on November 22, 2022, the company announced. The Positive Technologies top 10 most common trend vulnerabilities in companies include known product vulnerabilities, Microsoft most of them in components OS Windows and packages. Microsoft Office More. here
New method of cyber attack on spacecraft created
On November 15, 2022, the University of Michigan (USA) announced the discovery of a serious vulnerability in network technology, widely used in critical infrastructures such as spacecraft, aircraft, energy production systems and industrial control systems. Read more here.
British National Information Security Center recognizes scanning of all Internet devices in the country
In early November 2022, Britain's national cybersecurity center launched a program that will constantly scan every Internet-connected device located in the United Kingdom for vulnerabilities to help the government respond to zero-day threats. Read more here.
2021
Discovery of 28,695 thousand vulnerabilities in software around the world
In 2021, a total of 28,695 thousand vulnerabilities were discovered in software products around the world. Such data analysts from Risk Based Security in their report in mid-February 2022.
28 thousand vulnerabilities are a record in history, and the indicator clearly demonstrates the degree of risk faced by organizations and security teams around the world. Risk Based Security predicts that the number of disclosed vulnerabilities in the future will continue to grow from year to year.
According to experts, a large number of vulnerabilities had to be reviewed and updated as updated information about solutions, links and additional metadata appeared, which once again demonstrates the stressful workload that information security teams face on a daily basis.
Despite the fact that the situation with the disclosure of vulnerabilities improved after the start of the COVID-19 coronavirus pandemic, there were no festive fanfare. Now everything is returning to normal, which means that the number of vulnerability disclosures is likely to return to its usual track, increasing every year. Updating previous records is vital because if the vulnerability is uncovered and not agreed with the provider, it could be days, months or even years before a solution comes, said Brian Martin, vice president of vulnerability analysis at Risk Based Security. |
In the event that an organization or company has implemented protection, it is still critical to install a patch or update when it becomes available. If the software is not updated with subsequent remediation information, then the company misses important data necessary to actually reduce the risks associated with vulnerabilities within the business.[2]
The number of vulnerabilities in software turns out to be a record fifth year in a row
On December 8, 2021, the National Institute of Standards and Technology (NIST) published a study in which it reported a record number of software vulnerabilities. Moreover, the maximum is updated for the fifth year in a row.
In 2021, a total of 18,378 vulnerabilities were identified. The number of reported high-risk vulnerabilities decreased to 3,646 in 2021, compared to 4,381 in 2020. The number of registered medium-risk vulnerabilities was 11,767, and the number of low-risk vulnerabilities was 2,965, which is more than in 2020.
Researchers at Redscan Cyber Security analyzed the numbers in this report and found that on average, NIST recorded about 50 weaknesses and vulnerabilities, or CVEs, each day through 2021. Of these, 90% can be used by attackers with limited technical skills, while 61% of CVEs do not require user interaction, such as clicking on a link, downloading a file, or sharing credentials.
The share of vulnerabilities that hackers do not need to use administrator privileges, etc., decreased in 2021 to 55% from 59% in 2020 and 66% in 2019. Vulnerabilities with a high privacy rating, that is, likely to have an impact on sensitive data, have declined from 59% to 53% of CVE over the past 12 months.
Unsurprisingly, new vulnerabilities outnumber 2020 in 2021, said Yaniv Bar-Dayan, co-founder and chief executive of cyber risk management firm Vulcan Cyber. - The number of vulnerabilities will increase in accordance with the pace and scale of the technologies we are introducing, and we are used to expecting and taking into account the inherent risk in our digital life. |
If IT security groups ignore the vulnerabilities of 2020, the real number for 2021 will be cumulative, and it will become more and more difficult to defend against them, "he said. |
Bud Broomhead, CEO of Viakoo, a provider of the corporate security platform, noted that despite fewer high-risk vulnerabilities in 2021, the report is nevertheless alarming.
The real problem is how many vulnerabilities that can be exploited remain unknown that attackers could exploit, "Broomhead explained. - A record number of new vulnerabilities, coupled with the slow pace of device updates to fix vulnerabilities, means that the risk of hacking organizations is higher than ever, especially through devices connected to the Internet.[3] |