Tenable Research: Publicly Known Vulnerabilities Increased in 2020

Common vulnerabilities and exposures (CVEs), or publicly known security vulnerabilities, jumped again last year,  according to new Tenable research.

This led to some of the worst-ever cyberattacks.

From 2015-2020, the number of reported CVEs increased by nearly 37% per year. The 18,358 CVEs reported in 2020 represent a 6% increase over the 17,305 reported in 2019 and a 183% increase over the 6,487 disclosed in 2015.

Prioritizing which vulnerabilities warrant your attention is more challenging than ever, and not all vulnerabilities are created equal.

Summer was the high point for CVEs last year, according to Tenable.

Ransomware Gangs Active in 2020

Satnam Narang is staff research engineer at Tenable. He said the three VPN vulnerabilities in Citrix, Pulse Secure and Fortinet were alarming. That’s because they underscores the lack of cyber hygiene in place for many organizations.

And it wasn’t just COVID-19 that made 2020 unique for cybercrime, he said.

Tenable’s Satnam Narang

“A seed was planted in December 2019 when the Maze ransomware gang launched a leak website, where stolen data were used to name and shame their victims into paying the ransom demand,” Narang said. “In 2020, a total of 18 ransomware gangs launched leak websites of their own, underscoring just how successful this newfound extortion tactic has become.”

Additionally unique was the news of further experimentation by one of these ransomware groups, he said. It not only extorts victims through their leak website, but also launches distributed denial of service (DDoS) attacks against their websites.

“An organization’s website is the primary vehicle for communication,” Narang said. “And during an incident like a breach, it becomes the destination for customers to get up-to-date information. This DDoS attack eliminates that avenue of communication, putting added pressure on the victim to pay the ransom demand.”

Zero-Day Vulnerabilities

Tenable identified 29 net-new zero-day vulnerabilities disclosed in 2020. Of those, more than 35% were browser-related vulnerabilities, while nearly 29% were within operating systems.

From January-October, 730 publicly disclosed events resulted in over 22 billion records exposed.

Among industries, health care led at 25%, followed by education at 13%. Health care breaches alone accounted for nearly 8 million records exposed. Government and technology were also frequent targets

Ransomware was by far the most popular attack vector in 2020.

“One thing that surprised us when analyzing the data around breaches was the fact that nearly a quarter of the breaches we reviewed had no root cause associated with them,” Narang said. “This was an unexpected finding for our team.”

The research highlights just how dynamic and expansive the corporate attack surface is, he said.

The threats organizations faced in 2020 aren’t going to disappear; in fact, they’re likely to get more frequent and damaging.

“Many of these organizations are turning to MSSPs to help understand these threats and, ultimately, thwart them,” Narang said. “This is an opportunity for MSSPs and other security providers to serve as trusted advisers, helping clients secure their increasingly complex environments.”

More Vulnerabilities Expected This Year

Many of the trends observed are likely to remain in place, Narang said.

“We expect 2021 to be another banner year for vulnerability disclosures across the spectrum,” he said. “And unpatched vulnerabilities will continue to pose a problem for organizations as a favorite vector for bad actors.”

If and when organizations move their workforces back to the office, the systems and infrastructure spun up to support the remote workforce will be targeted if they’re not adequately dismantled or kept up to date, Narang said.

“Ransomware continues to remain the most serious threat to businesses, as cybercriminals’ extortion tactics have proven to be a lucrative endeavor,” he said. “Breaches will remain a problem for many organizations, as we expect to see more attacks linked to third parties and supply chains.”