Cyber insurance firm Coalition has predicted that an average of 1,900 new Common Vulnerabilities and Exposures (CVEs) will be published each month in 2023, a 13 per cent increase over 2022.
The predictions are a part of the company’s Cyber Threat Index, which was compiled using data gathered by the company’s active risk management and reduction technology, combining data from underwriting and claims, internet scans, its global network of honeypot sensors, and scanning over 5.2 billion IP addresses.
Of those 1,900 monthly CVEs, the report expects around 270 to be high severity and 155 to be critical severity. The predictions are based on data collected over the last ten years.
Most CVEs that are exploited at all are exploited within 90 days of public disclosure, and the majority within the first 30 days, the Coalition report said.
“We built this prediction using a Seasonal AutoRegressive Integrated Moving Average model. We analysed vulnerability and seasonality data from the last 10+ years to predict the number, type, and criticality of new CVEs we might observe in 2023. Based on our modelling, we expect the number of vulnerabilities will continue to rise,” Coalition said.
Coalition’s honeypots observed 22,000 cyber attacks to develop an understanding of attackers’ techniques.
94 per cent of organisations have at least one unencrypted service
About 94 per cent of organisations scanned in 2022 had at least one unencrypted service exposed to the internet, the research noted. Remote Desktop Protocol (RDP) remains the protocol attackers scan for most often, which suggests attackers still favour long-established protocols, exploiting new vulnerabilities in them as they appear, to gain access to systems.
Elasticsearch and MongoDB databases have a high rate of compromise, with signals showing that a large number have been captured by ransomware attacks, the report said.
Use of databases deployed without authentication, Redis in particular, increased in 2022; the report attributes this to how easy such databases are to set up and scale.
“Many organisations may lack security focus or expertise, meaning they leave these databases misconfigured or configured with no security controls at all,” Coalition said. This leaves the data exposed to the internet, making these organisations more likely to have their data stolen and held for ransom.
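The misconfiguration described above is simple to test for from the outside: a Redis server that has no password or ACL configured will answer an unauthenticated PING with `+PONG`. The probe below is an added example, not code from the Coalition report. It speaks the RESP wire protocol directly so it needs no third-party client; the host, port and the sample replies are constructed for illustration, with the protected-mode message abridged.

```python
"""Check whether a Redis instance accepts commands without authentication.

Added example (not from the Coalition report). Sends a single read-only PING
over the RESP protocol and classifies the server's first reply line.
"""
import socket


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings.

    resp_command("PING") -> b'*1\\r\\n$4\\r\\nPING\\r\\n'
    """
    out = [f"*{len(args)}\r\n"]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n{arg}\r\n")
    return "".join(out).encode()


def classify_reply(reply: bytes) -> str:
    """Map the first line of the server's reply to an exposure verdict."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "open"            # command ran with no credentials at all
    if line.startswith(b"-NOAUTH"):
        return "auth-required"   # requirepass or an ACL is in force
    if line.startswith(b"-DENIED"):
        return "protected-mode"  # Redis refused a non-loopback client
    return "unknown"


def probe_redis(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send PING without AUTH, and classify the answer.

    Returns 'unreachable' if the TCP connection fails or times out.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(resp_command("PING"))
            return classify_reply(sock.recv(256))
    except OSError:
        return "unreachable"


# Constructed sample replies in the format real Redis servers emit.
SAMPLES = {
    "no auth configured": b"+PONG\r\n",
    "requirepass set":    b"-NOAUTH Authentication required.\r\n",
    "protected mode":     b"-DENIED Redis is running in protected mode ...\r\n",
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label:20s} -> {classify_reply(reply)}")
    # Hypothetical target; replace with a host you are authorised to test.
    print("127.0.0.1:6379 ->", probe_redis("127.0.0.1", 6379, timeout=1.0))
```

An "open" verdict from a host that is reachable from the internet is exactly the exposure the report describes. The fix on the server side is in redis.conf: leave `protected-mode yes`, set `requirepass` (or define ACL users on Redis 6 and later), and `bind` the listener to internal interfaces only. The same idea applies to the other services named in the report: an Elasticsearch node that returns cluster details on an unauthenticated `GET /` on port 9200, or a MongoDB server that lists databases without credentials, is misconfigured in the same way.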
To prepare for the 2023 threats it forecasts, Coalition recommends that security and IT teams patch public-facing infrastructure and internet-facing software within 30 days of a patch’s release, and keep to regular upgrade cycles so that vulnerabilities in older software do not accumulate.
“Cyber security professionals must be more alert than ever to vulnerabilities that already exist within their networks and assets. Attackers are becoming increasingly sophisticated and have become experts at exploiting commonly used systems and technologies,” Tiago Henriques, Coalition’s vice president of security research, said in a note.
The CESS Predictor
This year Coalition created a new scoring mechanism for CVEs called the Coalition Exploit Scoring System (CESS).
CESS is inspired by the Exploit Prediction Scoring System (EPSS) and the Common Vulnerability Scoring System (CVSS), but is built specifically to support cyber insurance underwriting by estimating how likely it is that attackers will exploit a given CVE.
“Core to the system is the ability to provide security researchers and underwriters with two key pieces of information: the likelihood of exploit availability and the likelihood of exploit usage,” Coalition said. “Our goal for CESS is to create a fully transparent system, explaining exactly how we got to a certain score so that the community can help us improve.”