According to the Cybersecurity and Infrastructure Security Agency (CISA), Microsoft products, including Windows and Exchange Server, are highly targeted, accounting for most CVEs (78) used in ransomware attacks. A recent (CISA) update incorporating ransomware-linked common vulnerabilities and exposures (CVEs) into the Known Exploited Vulnerabilities Catalog highlighted this troubling trend.

With one in five exploited CVEs now tied to ransomware attacks, it underscored the rising significance of vulnerability exploits.

The data underscored that cybercriminals increasingly exploit known vulnerabilities, necessitating a heightened focus on proactive patching and mitigation efforts.

Other vendors, including QNAP, had just nine ransomware-exploited CVEs, followed by VMware with eight and Oracle with seven.

A Striking Statistic

Callie Guenther, senior manager of cyber threat research at Critical Start, said Microsoft’s prominence on the list of vendors whose products are targeted is striking.

“The fact that more than two in five of the vulnerabilities exploited for ransomware attacks are linked to Microsoft products speaks to the ubiquity of these offerings in the enterprise,” Guenther said.

“Several factors contribute to this vulnerability prevalence, including the sheer number of Microsoft users globally and the attractiveness of targeting a widely adopted platform,” she said. “This underscores the urgency for organizations to ensure they have robust security measures in place specifically tailored to Microsoft products.”

She added that regularly monitoring emerging threats, collaborating with security communities and investing in advanced threat detection and response capabilities are essential steps to ensure a proactive defense against the evolving threat landscape.

“Prioritizing patching and mitigation efforts is paramount, considering the vast array of vulnerabilities in the CVE database,” Guenther said.

She recommended that organizations adopt a risk-based approach, focusing on vulnerabilities with known ransomware exploits that pose the highest risk to their systems and data.

In addition, organizations should build a comprehensive asset inventory, understanding the current security posture of the business.

This includes knowing where endpoints are and what EDR tools are installed, along with regular vulnerability assessments and threat intelligence updates that can aid in identifying and addressing the most critical vulnerabilities promptly.

Microsoft’s Major Market Share

Aubrey Perin, lead threat intelligence analyst at Qualys, agreed that market share is the main factor contributing to the vulnerability prevalence in Microsoft’s offerings.

“Microsoft still makes up most user’s endpoints within businesses,” she said. “Because of this ubiquity, attackers tend to target those assets more readily than other platforms.”

Perin says given that the vulnerabilities are all known and tracked by CVEs, it indicated that ransomware actors target known weaknesses because they present soft targets that take less work to exploit.

“The closest thing to a silver bullet here is ensuring you practice good cybersecurity hygiene,” she explains. “Remove depreciated software and services; if they can no longer be serviced, they should not be in your environment.”

Also important is to ensure organizations are right-sizing the environment and properly configuring security for that environment.

“Treat patching as a cybersecurity priority and not just a function of IT,” Perin noted. “When patches are released, proofs-of-concept (PoCs) are also released; this PoC can be weaponized by malicious actors.”

In Qualys’ annual TruRisk report released in March 2023, the company documented how quickly adversaries weaponize vulnerabilities, sharing that it takes them 19.5 days on average.

Even in the absence of a PoC being released, threat actors could still identify what vulnerabilities are being patched by reverse engineering the patches to identify the modified code and extrapolating the risk to realize it as a weapon.

While the official guidance dictates patching within 30 days once a CVE is on the CISA Known Exploited Vulnerabilities (KEV) list, Perin cautioned attackers aren’t going to wait to leverage known vulnerabilities.

“Businesses should likewise not wait to patch those vulnerabilities when the patch becomes available,” she said.

She said if a patch is available and the organization uses the service, it’s best to implement the patch immediately before it becomes an issue.

“If the issue exists in depreciated software, replace the software or hardware with a product that is still being maintained,” Perin added. “If the vulnerability is enabled by misconfigurations, correct the misconfigurations.”

It’s also critical to train employees not to open suspicious links and emails and to understand their role in their company’s security.

“Train employees to report oddities like being asked to authenticate after already logging in or being redirected to a page that has a suspicious URL,” she explained. “If you have locks on your doors and windows, you already understand the importance of security.”

She says if you learned that your locks could be easily picked, you would likely change them. The same is true in cybersecurity.

“Patching is like changing locks that are easily broken into, making it more difficult for the adversary to get in,” Perin said. “The good news is, unlike changing locks, patches are free.”