Which IT vulnerabilities have particularly concerned companies this year? What has changed compared to last year – and why? We present the TOP 3 critical security vulnerabilities from 2022 and highlight the current change in awareness among companies as well as effective protection mechanisms.
Strongly growing awareness of IT vulnerabilities and cyber security
After 2022 began with a red alert level for companies worldwide due to the critical Log4Shell vulnerability, which was found in many freely available software building blocks, a rethink has taken place. IT security experts at DGC’s Cyber Defense Operation Center (CDOC) are seeing a sharp increase in awareness of the dangers of inadequate cyber security.
This is helped by the constant media coverage of costly attacks on corporations and large enterprises. It has hit home in boardrooms that cybercrime is seen as the biggest threat to corporate success. According to a recent PwC study, 42 percent of global corporations surveyed with more than $1 billion in revenue have been the target of hacker attacks in the past two years.
The IT Security Act 2.0 (IT-SiG 2.0) and the fact that the group of CRITIS companies has been expanded have also led to growing awareness. In addition to sectors such as healthcare, information technology and telecommunications, as well as finance and insurance, the waste management industry is now one of the operators of critical infrastructures. Affected companies must comply with increased legal requirements and, among other things, implement systems for attack detection by May 2023.
TOP 3 IT vulnerabilities in 2022
Once again this year, hardly a day went by without new vulnerability reports in established security portals. But which of these vulnerabilities proved to be particularly critical for companies? And which ones could have had a devastating effect simply because they were so widespread? DGC’s CDOC team, which supports client companies in their vulnerability monitoring and defense against cyberattacks, as well as developing preventive emergency strategies, has compiled the TOP vulnerabilities from 2022:
1. IT Vulnerability: ProxyNotShell (New Proxy Hell)
- Official designation according to CVE referencing system: CVE-2022-41082 and CVE-2022-41040
- Affected systems: On-premise Microsoft Exchange Server
- Ability to mitigate damage (mitigation): Patching, i.e. software update
- Software patch available: Yes, Microsoft has made a corresponding patch available in November 2022
ProxyNotShell is a relatively recent vulnerability in Microsoft Exchange servers (on-premise only). Due to the high number of users, it could have had serious consequences for countless companies. Microsoft reacted quickly with a security patch; however, since it may still take some time before every user company has applied that patch, the risk of attacks has not yet been eliminated across the board. The vulnerability allows attackers to penetrate systems via remote code execution (RCE), execute malware or take complete control of systems. ProxyNotShell can also be exploited to forge server-side requests – experts refer to this as server-side request forgery (SSRF). In this case, hackers address the backend server of a web application and get the system to send malicious requests to a target of their choice.
2. IT vulnerability in OpenSSL 3.0-3.0.6
- Official designation according to CVE referencing system: CVE-2022-3786 and CVE-2022-3602
- Affected systems: OpenSSL version 3.0-3.0.6
- Ability to mitigate damage (mitigation): Software update to 3.0.7
- Software patch available: Yes
The CVE-2022-3786 vulnerability in the OpenSSL library for Transport Layer Security causes certificate validation to fail and can crash the affected system. Such Denial of Service (DoS) attacks make it possible to render supposedly secure websites and systems inaccessible and paralyze them – usually with the aim of extorting high ransom sums.
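As an added illustration of the version range given above (not code from DGC or the OpenSSL project), the following script takes the first line of `openssl version` output collected from each host and flags builds in the 3.0.0 to 3.0.6 range; the inventory and hostnames are constructed sample data.

```python
"""Triage an OpenSSL inventory against the 3.0.0-3.0.6 range named for CVE-2022-3602/3786."""
import re
from typing import NamedTuple, Optional, Tuple

AFFECTED_MIN = (3, 0, 0)   # first affected release
AFFECTED_MAX = (3, 0, 6)   # last affected release
FIXED_IN = "3.0.7"         # release that ships the fix

class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    suffix: str  # letter suffix used by 1.x releases, e.g. the "q" in 1.1.1q

# Matches the leading token of `openssl version` output, e.g. "OpenSSL 3.0.5 5 Jul 2022".
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner: str) -> Optional[OpenSSLVersion]:
    """Return the parsed version, or None for LibreSSL/BoringSSL banners or garbage."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return OpenSSLVersion(int(m[1]), int(m[2]), int(m[3]), m[4])

def is_affected(v: OpenSSLVersion) -> bool:
    """True only for 3.0.0 through 3.0.6; 1.x, 3.0.7+ and 3.1+ fall outside the range."""
    return AFFECTED_MIN <= (v.major, v.minor, v.patch) <= AFFECTED_MAX

def triage(banner: str) -> Tuple[str, str]:
    """Classify one host's banner as affected / not_affected / unknown, with the version text."""
    v = parse_version(banner)
    if v is None:
        return ("unknown", banner.strip())
    text = f"{v.major}.{v.minor}.{v.patch}{v.suffix}"
    return ("affected" if is_affected(v) else "not_affected", text)

# Constructed sample inventory: hostname -> first line of `openssl version` on that host.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "mac-build": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        status, version = triage(banner)
        hint = f" -> update to {FIXED_IN}" if status == "affected" else ""
        print(f"{host:10} {status:13} {version}{hint}")
```

Distribution packages often backport the fix without bumping the upstream version string (Ubuntu 22.04, for example, stays at 3.0.2), so an "affected" result is a prompt to check the package changelog, not a confirmed exposure.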
3. IT vulnerability in VMware vSphere
- Official designation according to CVE referencing system: CVE-2021-21980 and CVE-2021-22049
- Affected systems: VMware vSphere & browser plugin
- Mitigation option: Update VMware vCenter
- Software patch available: Yes
The CVE-2021-21980 vulnerability in vSphere allows unauthorized actors to read arbitrary files. With access to port 443 of the vCenter Server, they can obtain sensitive information without authorization. Accordingly, the severity of this vulnerability has been rated high with a CVSSv3 score of 7.5. In addition, another vulnerability in the browser plugin (CVE-2021-22049) allows attackers to perform server-side request forgery (SSRF) attacks.
The three TOP vulnerabilities from 2022 show that the associated risks can generally be remedied quickly, provided that those responsible are informed about them and the security patches provided by software manufacturers – where already available – are implemented promptly. By comparison, another vulnerability that does not fall into the technical realm poses more risk: humans.
Increasingly important: “Weak point human”
Social engineering tactics, also known as human hacking, became even more resourceful in 2022, often bundling cross-channel requests via email, SMS and phone as well as social media. In this way, cybercriminals regularly succeed in convincing employees of a targeted company to hand over confidential access data. At the same time, the increasingly complex malware files being sent out are harder for security systems to detect – hackers can often be at work in systems for days or months without being noticed.
Due to advancing networking and the increase in home-office working, companies cannot avoid training their entire workforce to deal with social engineering attacks. Security awareness training and exercises such as simulated phishing campaigns can make a significant contribution to closing the “human vulnerability”. Employees learn interactively, and according to their own level of knowledge, how to protect themselves and the company from attacks, recognize IT risks in advance and report them directly to the IT team.
Identifying and eliminating risks in good time – with 360-degree security
Company-wide IT security awareness is ideally part of a 360-degree approach, which enables a modular composition of measures. With regard to vulnerabilities, pentests for initial vulnerability identification and continuous vulnerability management are also essential. Qualified and constant vulnerability analysis using a powerful IT security tool such as cyberscan.io® gives companies a comprehensive overview of their existing IT infrastructure. This enables them to holistically assess their own risk profile, identify and eliminate threats in good time – and thus invest optimally in cyber security.
Outlook: Cyber Security and IT Vulnerabilities in 2023
According to security experts from CDOC, companies are facing a kind of IT security revolution in 2023. In view of the serious consequences of hacker attacks, the continuing professionalization of attacks, and critical vulnerabilities in widely used software products, strengthening the company’s own cyber security will become a top strategic issue with a correspondingly increased budget.
Since new vulnerabilities are difficult to predict and some existing ones will still be in circulation, decision-makers are well advised to invest in comprehensive IT protection. In this context, it is also important to consider the expertise of the service provider: In addition to powerful tools, a team of experienced IT security analysts, consultants and forensic experts should be available, for whom the confident handling of vulnerabilities and the establishment of effective IT security measures are part of their daily business.
Would you like to learn more about how IT vulnerabilities can be detected and fixed with our CDOC team and cyberscan.io®?
Contact us – we will be happy to advise you.