2. Who am I?
- Security Researcher/Engineer/Trainer (23y)
- SELinux/MAC Evangelist (16y)
- Linux Engineer (21y)
- System Administrator (4y) at a bank.
- Antivirus Professional Engineer (3y) at Sophos.
- SIEM Professional Engineer (3y) at HP.
- Threat Intelligence/OSINT Trainer (2y), side job.
CISSP #366942
3. Agenda
1. Number of CVEs, 2006-2023
○ Total and OSS CVEs
○ Breakdown of OSS CVEs
2. Exploited vulnerabilities and OSS
○ Breakdown of “exploited” CVEs
○ Comparison of country-sponsored attacks
○ In which phase do Threat Actors use OSS vulnerabilities?
3. Conclusion
4. Data sources for vulnerabilities
cve.org (formerly cve.mitre.org)
● CVE-ID, details, and rejected-entry info.
NIST
● CPE, CVSS, CWE info.
CISA Known Exploited Vulnerabilities Catalog (CISA KEV)
● CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
9. Ratio of OSS vulnerabilities (2006-2023)
- Browser
- WordPress + plugins
These are now the majority.
10. From the ratio of OSS vulnerabilities, we can guess…
1. Recently (especially since 2022), Browser and WordPress vulnerabilities are increasing.
a. Basic software (like the LAMP stack) now seems to be well debugged.
i. We still find several Critical vulnerabilities from time to time.
b. Our IT environment (including OSS) is moving to a Web-based architecture, so many Web-based OSS projects are publishing their products (and, unfortunately, vulnerabilities).
12. How to check whether a vulnerability is “exploited”?
CISA KEV (Known Exploited Vulnerabilities) catalog:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
13. Number of the “Exploited Vulnerabilities”
Year           Number of CVEs   Number of OSS CVEs   OSS %
2022           24647            7336                 29.80%
2023 (〜Aug.)   21594            5998                 27.80%

Year           KEV-listed CVE   KEV-listed OSS CVE   OSS %
2022           741              120                  16.20%
2023 (〜Oct.)   181              47                   25.90%
This is the main reason why you need to prioritize in “Vulnerability Management”.
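As an added example (not the speaker's own tooling), the script below shows how the "is it exploited?" check from slide 12 and the KEV-listed / KEV-listed OSS counts from this slide can be computed from the CISA KEV JSON feed. The field names (vulnerabilities, cveID, vendorProject, product, dateAdded, knownRansomwareCampaignUse) are the feed's real ones, but the records are constructed for the example, the dateAdded values are made up, and the OSS_VENDORS classification is an assumption, since the slides do not say how the speaker decided which vendors count as OSS.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the CISA KEV JSON feed (only a subset of
# the feed's fields is shown; the field names are the feed's real ones). Every
# record is made up for this example, except that CVE-2021-4034 is the
# pkexec/pwnkit CVE discussed in the slides; dateAdded values are constructed.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2021-4034", "vendorProject": "Red Hat", "product": "Polkit",
         "dateAdded": "2022-06-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-11111", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-03-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2022-22222", "vendorProject": "WordPress", "product": "Example Plugin",
         "dateAdded": "2022-12-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-33333", "vendorProject": "Apache", "product": "HTTP Server",
         "dateAdded": "2023-02-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-44444", "vendorProject": "Cisco", "product": "IOS XE",
         "dateAdded": "2023-10-16", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# ASSUMED classification of which vendorProject values count as OSS; the
# speaker's own classification is not given on the slides.
OSS_VENDORS = {"red hat", "wordpress", "apache", "linux"}


def load_kev(text):
    """Parse the feed text and return the list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def kev_index(vulns):
    """Map cveID -> record so 'is this CVE exploited?' is a dict lookup."""
    return {v["cveID"]: v for v in vulns}


def check_exploited(cve_ids, index):
    """Slide 12: a CVE counts as 'exploited' when it is KEV-listed."""
    return {cve: cve in index for cve in cve_ids}


def is_oss(record, oss_vendors=OSS_VENDORS):
    """Classify a KEV record as OSS by its vendorProject (assumed list)."""
    return record["vendorProject"].strip().lower() in oss_vendors


def oss_share_by_year(vulns, oss_vendors=OSS_VENDORS):
    """Slide 13 table: {year: (KEV-listed, KEV-listed OSS, OSS %)} by dateAdded year."""
    totals, oss = defaultdict(int), defaultdict(int)
    for v in vulns:
        year = v["dateAdded"][:4]
        totals[year] += 1
        if is_oss(v, oss_vendors):
            oss[year] += 1
    return {y: (totals[y], oss[y], round(100.0 * oss[y] / totals[y], 2))
            for y in sorted(totals)}


if __name__ == "__main__":
    vulns = load_kev(KEV_JSON)
    index = kev_index(vulns)
    for year, (total, oss_n, pct) in oss_share_by_year(vulns).items():
        print(f"{year}: KEV-listed {total}, KEV-listed OSS {oss_n}, OSS% {pct:.2f}%")
    print(check_exploited(["CVE-2021-4034", "CVE-2023-55555"], index))
```

Against the real feed, replace KEV_JSON with the downloaded catalog text; the per-year counts then reproduce the second half of the table above, and the OSS % depends entirely on the vendor classification you choose.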
14. Prioritizing is important.
So, we need to “prioritize”:
0. (Basic) Are we using the affected product and version?
1. “Exploited” (or “in-the-wild”) vulnerability. <- Priority High!!
2. Serious remotely exploitable vulnerability.
3. Serious local vulnerability.
4. … and so on.
But this is another topic. Sorry…
Let’s go back to the trend of KEV.
15. Number of the “Exploited Vulnerabilities”
Year           Number of CVEs   Number of OSS CVEs   OSS %
2022           24647            7336                 29.80%
2023 (〜Aug.)   21594            5998                 27.80%

Year           KEV-listed CVE   KEV-listed OSS CVE   OSS %
2022           741              120                  16.20%
2023 (〜Oct.)   181              47                   25.90%
OSS is around 25% of KEV.
So, who uses them?
16. Categorize which CVEs are used by which Threat Actor
(Diagram: CVEs from CISA KEV 2022-2023 mapped to Threat Actor profiles, e.g. TAG-22 and APT24 (China), Sandworm and DEV-0586 (Russia).)
Check each TA’s TTPs (Tactics, Techniques and Procedures) using CISA advisories and other data sources (OSINT).
18. OSS % for each country
                          Money Motivated   China    Russia   DPRK     Iran     Not Identified   KEV Total
Number of OSS_KEV_CVE     16                7        12       8        3        128              166
Total Number of KEV_CVE   85                58       28       17       13       743              921
OSS%                      18.82%            12.07%   42.86%   47.06%   23.08%   17.23%           18.02%
Government name: government-sponsored Threat Actor (espionage, agitation, destroying infrastructure, etc.).
21. OSS % for each country/motive
                          Money    China    Russia   DPRK     Iran     Not Identified   ALL KEV
Number of OSS_KEV_CVE     16       7        12       8        3        128              166
Total Number of KEV_CVE   85       58       28       17       13       743              921
OSS%                      18.82%   12.07%   42.86%   47.06%   23.08%   17.23%           18.02%
China uses many vulnerabilities, but does not love OSS so much… :(
This seems to mean China is targeting more “closed source” (Windows, etc.) or other commercial SW/HW.
22. What kind of vulnerabilities are exploited? (China)
Total:     Server 31   Infra 35
           Client 18   Mail 6
           NW 10       App 18
OSS:       Server 8    Infra 3
           Client 0    Mail 5
           NW 0        App 0
Products:  Microsoft 26, Adobe 3, Fortinet 3, F5 2, Cisco 3, Oracle 3, Others (OSS, etc.) 19
China loves to exploit Microsoft products. :-p
China also focuses on NW devices.
24. OSS % for each country/motive
                          Money    China    Russia   DPRK     Iran     Not Identified   ALL KEV
Number of OSS_KEV_CVE     16       7        12       8        3        128              166
Total Number of KEV_CVE   85       58       28       17       13       743              921
OSS%                      18.82%   12.07%   42.86%   47.06%   23.08%   17.23%           18.02%
Russia also uses many vulnerabilities, including OSS vulnerabilities. :)
It seems that Russia is targeting government infrastructure systems, which use OSS.
25. What kind of vulnerabilities are exploited? (Russia)
OSS:       Server 7    Infra 1
           Client 5    Mail 9
           NW 0        App 1
Total:     Server 13   Infra 14
           Client 11   Mail 11
           NW 4        App 3
Products:  Microsoft 6, Adobe 0, Fortinet 1, F5 1, Cisco 2, Oracle 0, Others (OSS, etc.) 18
Russia uses any kind of vulnerability equally. :-p
Recently they are focusing more on Mail exploits.
27. OSS % for each country/motive
                          Money    China    Russia   DPRK     Iran     Not Identified   ALL KEV
Number of OSS_KEV_CVE     16       7        12       8        3        128              166
Total Number of KEV_CVE   85       58       28       17       13       743              921
OSS%                      18.82%   12.07%   42.86%   47.06%   23.08%   17.23%           18.02%
DPRK (aka North Korea) also uses many vulnerabilities, including OSS vulnerabilities. :)
28. What kind of vulnerabilities are exploited? (DPRK)
DPRK also uses any kind of vulnerability equally, but not so many. :-)
Total:     Server 8    Infra 6
           Client 11   Mail 2
           NW 0        App 11
OSS:       Server 4    Infra 2
           Client 3    Mail 2
           NW 0        App 3
Products:  Microsoft 5, Adobe 3, Zimbra 2, Others (OSS, etc.) 9
30. DPRK (CVE-2021-4034: Red Hat Polkit vulnerability)
Tactic                 Technique              Description                                         Activity
PRIVILEGE ESCALATION   T1078 Valid Accounts   Exploitation of CVE-2021-4034 in ‘pkexec’,          -
                                              known as pwnkit, to perform local privilege
                                              escalation to root.
38. Conclusion
1. Published CVEs are still growing; OSS CVEs are growing too.
○ Browser and WordPress+plugin vulnerabilities are now the majority of OSS vulnerabilities.
2. Threat Actor (TA) interests differ by country:
○ Chinese TAs love Microsoft and NW devices.
○ Russian TAs focus on everything, with more focus on Mail exploits.
○ DPRK TAs focus on everything.
3. Threat Actors target OSS vulnerabilities for attacking infrastructure.
○ Command Execution / Privilege Escalation vulnerabilities are the ones mostly targeted by Threat Actors / Ransomware Gangs.
39. So, what can we do?
1. Be careful about Browser, WordPress, and several GitHub-based project vulnerabilities.
○ Can we enforce the use of an SCA-type scanner (e.g. GitHub Dependabot)?
2. Be careful about OSS vulnerabilities in infrastructure, because country-sponsored Threat Actors are targeting them.
○ Much national infrastructure now contains OSS.
3. We need to be careful about {Command Exec, Privilege Escalation, Information Disclosure} vulnerabilities in OSS.
○ But we can’t ignore other vulnerabilities.
44. OSS % for each country/motive
                          Money    China    Russia   DPRK     Iran     Not Identified   ALL KEV
Number of OSS_KEV_CVE     16       7        12       8        3        128              166
Total Number of KEV_CVE   85       58       28       17       13       743              921
OSS%                      18.82%   12.07%   42.86%   47.06%   23.08%   17.23%           18.02%
Everybody loves money! :-p
They use any vulnerability and don’t care whether it is OSS or not.
45. What kind of vulnerabilities are exploited? (Money motivated)
Money-motivated threat actors (Ransomware Gangs, etc.) don’t care about Server/Client, products, etc. :-(
Total:     Server 40   Infra 53
           Client 39   Mail 3
           NW 7        App 30
OSS:       Server 8    Infra 8
           Client 7    Mail 0
           NW 0        App 7
Products:  Microsoft 31, Adobe 1, Fortinet 2, F5 2, Cisco 0, Oracle 4, Citrix 2, VMWare 2, Others (OSS, etc.) 74
46. OSS % in the “Exploited Vulnerabilities”
Year           Number of CVEs   Number of OSS CVEs   OSS %
2022           24647            7336                 29.80%
2023 (〜Aug.)   21594            5998                 27.80%

Year           KEV-listed CVE   KEV-listed OSS CVE   OSS %
2022           741              124                  16.70%
2023 (〜Oct.)   181              47                   25.90%
The OSS ratio in the “Exploited Vulnerabilities” is not much different from the OSS ratio in the total number of CVEs.
48. Prioritizing is important.
So, we need to “prioritize”:
0. (Basic) Are we using the affected product and version?
1. “Exploited” (or “in-the-wild”) vulnerability. <- Priority High!!
2. Serious remotely exploitable vulnerability.
3. Serious local vulnerability.
4. … and so on.
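As an added example (not the speaker's tooling), the script below turns the prioritization list from slides 14 and 48 into a ranking function: step 0 drops findings for products/versions we do not run, KEV-listed ("exploited") findings come first, then serious remote, then serious local, then everything else. The Finding fields, the inventory shape (one installed version per product), and the CVSS >= 7.0 cut-off for "serious" are assumptions made for the demo; the findings are constructed, except that CVE-2021-4034 is the pwnkit CVE from slide 30.

```python
from dataclasses import dataclass

SERIOUS_CVSS = 7.0   # ASSUMED cut-off for "serious"; the slides give no number


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str          # product the CVE affects (assumed field)
    version: str          # affected version (assumed: exact match, no ranges)
    cvss: float           # CVSS base score
    attack_vector: str    # CVSS AV: "N" network, "A" adjacent, "L" local, "P" physical
    in_kev: bool          # listed in CISA KEV, i.e. exploited in the wild


def priority(finding, inventory):
    """Return the slide's step number (1..4) for a finding, or None when step 0
    fails (we do not run the affected product/version). Lower = handle first."""
    if inventory.get(finding.product) != finding.version:
        return None                                    # step 0: not applicable
    if finding.in_kev:
        return 1                                       # step 1: exploited / in the wild
    serious = finding.cvss >= SERIOUS_CVSS
    if serious and finding.attack_vector in ("N", "A"):
        return 2                                       # step 2: serious, remotely exploitable
    if serious:
        return 3                                       # step 3: serious, local
    return 4                                           # step 4: ... and so on


def prioritise(findings, inventory):
    """Drop non-applicable findings and sort by (step, CVSS descending, CVE id)."""
    ranked = [(priority(f, inventory), f) for f in findings]
    ranked = [(p, f) for p, f in ranked if p is not None]
    ranked.sort(key=lambda pf: (pf[0], -pf[1].cvss, pf[1].cve))
    return [(p, f.cve) for p, f in ranked]


# Constructed findings and inventory for the demo (CVE ids other than
# CVE-2021-4034 are placeholders, not real CVEs).
FINDINGS = [
    Finding("CVE-2023-33333", "nginx", "1.24", 5.3, "N", in_kev=False),
    Finding("CVE-2023-22222", "polkit", "0.105", 7.2, "L", in_kev=False),
    Finding("CVE-2023-11111", "nginx", "1.24", 9.8, "N", in_kev=False),
    Finding("CVE-2021-4034", "polkit", "0.105", 7.8, "L", in_kev=True),
    Finding("CVE-2023-44444", "wordpress", "6.3", 9.1, "N", in_kev=True),  # not installed
]
INVENTORY = {"polkit": "0.105", "nginx": "1.24"}

if __name__ == "__main__":
    for step, cve in prioritise(FINDINGS, INVENTORY):
        print(f"step {step}: {cve}")
```

Note that the KEV-listed local pwnkit finding outranks a CVSS 9.8 network finding that nobody is known to exploit, which is exactly the point of step 1 on the slide; a real implementation would replace the exact-version match in step 0 with proper affected-range checks.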