While all the attention is focused on zero-day vulnerabilities and patching them, old unpatched vulnerabilities continue to be a threat: study

Unpatched software vulnerabilities are gifts that keep on giving for cybercriminals, even years later.

A cybersecurity firm analyzing global data from attacks blocked by its own systems over the past two months, has reported that cybercriminals have been routinely probing for unpatched vulnerabilities, sometimes years after the vulnerability was initially detected.

The study by Barracuda uncovered hundreds of thousands of automated scans and attacks per day (in its own user base), with those numbers sometimes spiking into the millions. The firm believes that cybercriminals continue to cash in on unpatched systems knowing that defenders do not always have the time or bandwidth to keep up with latest patches, which can provide a convenient way into an organization’s network.

According to Mark Lukie, Systems Engineer Manager, Barracuda (Asia-Pacific): “The study shows that cybercriminals continue to cycle through a list of known high-impact vulnerabilities to find any gaps that can let them into a network.”

Attacks in the study apparently follow the working week to stay undetected, because weekend attacks were more likely to be noticed due to less system traffic. Common attack types included reconnaissance/fuzzing, and attacks against application vulnerabilities, with attacks against WordPress being the most common, along with common injection attacks against Windows.

The most basic way that companies can improve their cybersecurity posture is via timely and safe patching, but in practice, old versions of software are still actively used. Gartner’s 2020 WAF Magic Quadrant has noted that organizations can stay protected against attacks on software vulnerabilities through solutions such as a Web Application Firewall (WAF) and measures for bot mitigation, DDoS protection, API security, and credential stuffing protection. Cloud-based offerings (WAF-as-a-Service) that integrate many of the above protection measures are also available.