Researchers at GreyNoise Intelligence have added over 230 tags since January 1, 2022, which include detections for over 160 CVEs. In today's release of the GreyNoise Intelligence 2022 "Year of Mass Exploits" retrospective report, we showcase four of 2022's most pernicious and pwnable vulnerabilities.

Activity around the Log4j remote code execution flaw, which burst on the scene in late 2021, continued apace and has found its place in daily internet background noise along with a cadre of other "celebrity vulnerabilities". During the initial exploitation period, every single GreyNoise sensor (over six hundred sensors handle traffic from over five thousand internet IP addresses) fielded Log4j exploit traffic, handling nearly one million attempts within the first week alone. Attackers continue to hunt for newly exposed, vulnerable nodes, and for nodes that may have accidentally had mitigations or patches removed.

Figure: Log4j weekly activity in GreyNoise sensors (three charts showing distributions of Log4j sensor counts, payload interactions, and unique source IPv4s throughout 2022)

The Atlassian Confluence Object Graph Notation Library (OGNL) injection weakness was an especially rueful one since it gave anyone unauthenticated access to any fathomable query, and Confluence is the knowledge repository of countless organizations. Due to the way this API endpoint handles input, clever attackers used varying techniques to obfuscate exploit payloads like the one below to avoid detection:

Figure: Severely obfuscated Confluence weakness exploit payload (obfuscated and converted exploit code)

At the height of exploitation attempts, the GreyNoise sensor network saw nearly 1,000 unique IP addresses looking for exposed vulnerable nodes. We continue to see a daily average of nearly 20 unique addresses hoping for unpatched Confluence instances.

Apache httpd's path traversal and remote code execution one-two punch may have entered the ring in 2021, but this contender made our 2022 list due to a steady increase in traversal exploit volume throughout the year (nearly 3x as many attempts as when the vulnerability first emerged on the scene). Apache's httpd server may not have the top spot anymore, but it is still highly prevalent, and patching of legacy instances tends to be very spotty.

The F5 BIG-IP iControl REST authentication bypass made the cut for the report as it hit the sweet spot in terms of the GreyNoise Celebrity Vulnerability Hype Cycle model (which is detailed in the report):

Figure: GreyNoise "Celebrity Vulnerability Hype Cycle" (circular cycle graphic showing Initial Discovery, Zone of Unknown, Collective Depression, "Rush to Patch", GreyNoise Enrichment, and final destinations for new vulnerability disclosures)

Finally, GreyNoise researchers took a hard look at CISA’s Known Exploited Vulnerability (KEV) Catalog releases in 2022 (through late-November):

Figure: CISA added 548 new CVEs across 58 releases to their Catalog of Known Exploited Vulnerabilities in 2022. A median of 36 CVEs were added monthly. ¹ The addition of 226 CVEs in March was due, in part, to the war in Ukraine.

and followed up on our mid-year assessment of CISA’s overall KEV performance, noting that:

  • Keen defenders had to deal with a KEV alert on an almost weekly basis in 2022.
  • The aggression against Ukraine added many legacy vulnerabilities, and the increased threat of nation-state actors, to organizations' threat models.
  • Popular enterprise software, across many versions, made regular appearances, forcing defenders to triage KEV lists against known installed software.

GreyNoise has tags for over 100 CVEs in the 2022 component of the KEV catalog. KEV CVEs without tags are ones where we would not see internet-facing remote exploit attempts (though there are a tiny number of KEV CVEs we're in the process of developing tags for).

Out of these 100+ CVEs, GreyNoise tag creation beat CISA's CVE updates 60% of the time, and we tied these updates 5% of the time. You can now search by CVE and set up GNQL queries like the one we recently published that covers CISA's published list of the top CVEs most used by Chinese state-sponsored attackers. Defenders can then use the pristine block lists (updated by the hour) to either remove the noise before it has a chance to reach them, or filter out the noise from events and alerts to enable significantly faster defense.
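The two KEV analyses above (release cadence and tag-vs-KEV timing) can be reproduced from CISA's JSON feed. The script below is an added example, not GreyNoise code: the feed URL is real, but the catalog sample, the CVE IDs and the tag-creation dates are constructed.

```python
import json
import statistics
from collections import Counter
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (the live feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
# only the two fields read here are included and the CVE IDs are made up.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-0101", "dateAdded": "2021-12-10"},  # pre-2022: ignored
    {"cveID": "CVE-2022-0102", "dateAdded": "2022-03-25"},
    {"cveID": "CVE-2022-0103", "dateAdded": "2022-03-25"},
    {"cveID": "CVE-2022-0104", "dateAdded": "2022-05-10"},
    {"cveID": "CVE-2022-0105", "dateAdded": "2022-05-10"},
    {"cveID": "CVE-2022-0106", "dateAdded": "2022-06-02"},
]})
# Constructed: day a detection tag went live per CVE (missing = no tag)
TAG_CREATED = {
    "CVE-2022-0102": date(2022, 3, 20),  # tag beat the KEV release
    "CVE-2022-0103": date(2022, 3, 25),  # same day: tie
    "CVE-2022-0104": date(2022, 5, 12),  # KEV release came first
    "CVE-2022-0106": date(2022, 5, 30),  # tag beat the KEV release
}

def load_kev(feed_json, year):
    """Return (cveID, dateAdded) pairs for catalog entries added during `year`."""
    entries = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"])
        if added.year == year:
            entries.append((v["cveID"], added))
    return entries

def kev_cadence(entries):
    """Distinct release days, CVEs added per month, and the monthly median."""
    releases = len({added for _, added in entries})
    per_month = Counter(added.month for _, added in entries)
    median = statistics.median(per_month.values()) if per_month else 0
    return releases, dict(sorted(per_month.items())), median

def tag_timing(entries, tag_created):
    """Count KEV CVEs whose tag came before, on, or after the KEV add date."""
    result = Counter()
    for cve, added in entries:
        tagged = tag_created.get(cve)  # None: no internet-facing exploit traffic expected
        status = ("untagged" if tagged is None else
                  "tag_first" if tagged < added else
                  "tied" if tagged == added else "kev_first")
        result[status] += 1
    return dict(result)
```

Point `load_kev` at the downloaded live feed and a real tag-creation table to recompute the release count, monthly median and the "tag first" share for any year.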

Ready to dig into the data?

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.