A Rough Patch

CVE Sharing on the Underground

Cybersixgill Threat Intelligence Report

July 1, 2021

When the Microsoft Exchange server vulnerabilities were announced in March, it reportedly took attackers only five minutes to begin scanning networks, identifying which specific systems were most exposed and sharing proof-of-concept code.

While these vulnerabilities and others have been catastrophic, only one in 16 vulnerabilities is ever actually exploited. The mounting pressure on companies to defend themselves can leave them struggling to figure out which holes to plug first, and plugging all of them simply isn’t realistic.

In 2020, 18,325 CVEs were reported and classified in the National Vulnerability Database (NVD), which assigns each CVE a CVSS score based on its severity. Judging by the first six months of 2021, the number of CVEs this year is expected to exceed the 2020 total.

For security teams, sifting through and patching all those CVEs is an almost insurmountable task. In Cybersixgill’s 2021 Cyber Threat Intelligence Survey, 37% of CISOs said that “intelligence monitoring and processing” was the greatest knowledge gap and 21% voted for “vulnerability management.”

Our researchers took a look at how CVEs generate a reaction on the underground and what tools threat actors use to mount their next attack. The resulting intelligence can help companies narrow their focus and remediate vulnerabilities more efficiently.

What’s The Chatter?

Finding out what attackers are saying on underground platforms and what code they’ve shared in hopes of exploiting vulnerabilities can help prioritize where to issue patches.

The sharing of proof-of-concept scripts and code repositories for vulnerability scanning tools often escalates once news of a vulnerability breaks. This was the case with the Microsoft Exchange server vulnerabilities: there were 131 references to one of the four CVEs (CVE-2021-26855) in underground forums between March and May, and approximately 62% of those references were concentrated in three prominent forums.

Hacking scripts circulate not only on the underground but also on popular social media networks like Twitter. In the case of CVE-2021-31166, an HTTP Protocol Stack Remote Code Execution Vulnerability affecting certain configurations of some Microsoft Windows Server versions, the code repository posted in one forum was retweeted more than 600 times.

Finding The Right Score

Organizations relying on CVSS scores to prioritize vulnerabilities quickly fall behind. A CVSS score is typically updated only once or twice over the course of a CVE’s existence, so scores easily go stale. Moreover, the score reflects only how severe an attack might be, not how likely it is to occur.

Additionally, there is sometimes activity on the underground before a CVSS score exists, as with CVE-2021-31166. Before the NVD had even scored it, the Cybersixgill Dynamic Vulnerability Exploit (DVE) Score was already tracking it, taking underground trends into account.

The DVE Score offers a closer-to-real-time view based on several factors, such as where a CVE is trending on the underground and which sources are available for collecting and posting threat intelligence. The score also predicts the likelihood of an exploit over the next 90 days, based on the previous 90 days of activity.

With the constant influx of newly published CVEs, the DVE Score can help you react faster and prioritize patching vulnerabilities with active exploits.
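To make the prioritization argument concrete, here is an added example (not Cybersixgill’s DVE formula, which the report does not disclose, and not code from the report) that ranks CVEs by blending CVSS severity with underground mentions in the previous 90 days. All CVE identifiers, scores and mention timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not real measurements): CVSS base scores.
CVSS_BASE = {
    "CVE-EXAMPLE-A": 9.9,   # critical on paper, no chatter at all
    "CVE-EXAMPLE-B": 7.5,   # high, heavily discussed across several sources
    "CVE-EXAMPLE-C": 8.8,   # high, a burst of chatter that went quiet months ago
}

# Constructed mention events: (cve_id, source, date seen).
TODAY = date(2021, 7, 1)
MENTIONS = (
    [("CVE-EXAMPLE-B", "forum-1", TODAY - timedelta(days=d)) for d in range(0, 60, 2)]
    + [("CVE-EXAMPLE-B", "forum-2", TODAY - timedelta(days=d)) for d in range(5, 45, 5)]
    + [("CVE-EXAMPLE-B", "paste-site", TODAY - timedelta(days=3))]
    + [("CVE-EXAMPLE-C", "forum-1", TODAY - timedelta(days=d)) for d in range(100, 160, 3)]
)


def activity_signals(mentions, today, window_days=90):
    """Count mentions and distinct sources per CVE inside the look-back window."""
    cutoff = today - timedelta(days=window_days)
    counts, sources = defaultdict(int), defaultdict(set)
    for cve_id, source, seen in mentions:
        if cutoff < seen <= today:          # old chatter outside the window is ignored
            counts[cve_id] += 1
            sources[cve_id].add(source)
    return counts, sources


def priority_scores(cvss_base, mentions, today, window_days=90):
    """Blend severity with recent activity into a 0-10 priority (constructed weights).

    CVSS carries at most half the weight, so a vulnerability nobody is talking
    about cannot outrank one with an active exploit community behind it.
    """
    counts, sources = activity_signals(mentions, today, window_days)
    scores = {}
    for cve_id, base in cvss_base.items():
        n = counts.get(cve_id, 0)
        activity = 1 - 1 / (1 + n / 10)                    # saturates as chatter grows
        spread = min(len(sources.get(cve_id, ())), 3) / 3  # diversity of sources
        scores[cve_id] = round(0.5 * base + 3.5 * activity + 1.5 * spread, 2)
    return scores


def ranked(cvss_base, mentions, today, window_days=90):
    """Return CVE ids in patch-priority order, highest first."""
    scores = priority_scores(cvss_base, mentions, today, window_days)
    return sorted(scores, key=scores.get, reverse=True)
```

With this data the lower-severity but actively discussed CVE-EXAMPLE-B ranks first, while CVE-EXAMPLE-C drops to last because its chatter falls outside the 90-day window.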

To learn more about how hackers react to CVE announcements, download our latest threat report:

A Rough Patch: CVEs on the Underground.