Before cyber attackers can wage successful malware or ransomware campaigns, they have to gain access to their target environments. In 2022, half of the Check Point Incident Response Team’s cases resulted from attackers gaining access by exploiting known vulnerabilities. By the time malicious activities—ransomware, spoofed or forged emails, malware files or unknown computer processes—became visible, attackers had already gained access and laid the foundation for a successful campaign.

2023 Top Vulnerabilities

Which vulnerabilities should you be most concerned about in 2023? Check Point Research’s 2023 Cyber Security Report describes the top vulnerabilities based on data collected by the Check Point Intrusion Prevention System (IPS) sensor network. It shows that new vulnerabilities are increasingly used—those reported in the past three years were used in 24% percent of exploitation attempts in 2022, compared to only 18% of attempts in 2021.

ProxyShell

ProxyShell is an attack chain that exploits three vulnerabilities in Microsoft Exchange Server—ProxyShell, ProxyLogon and ProxyNotShell. Combining these vulnerabilities allows unauthenticated attackers to perform Remote Code execution (RCE) on vulnerable servers. Even though these vulnerabilities were reported and patched in 2021, they’re still at the top of the most exploited vulnerabilities list in 2022 and often result in major breaches.

Follina in Microsoft Office

Even though Microsoft now disables macros in documents from external sources, attackers use specially crafted .docx and .rtf documents to download and execute malicious code even when macros are disabled or the document is in Protected Mode. Threat actors exploited Follina in unpatched systems to deploy Qbot and other Remote Access Trojans (RATs), making Follina one the most frequently used vulnerabilities discovered in 2022.

Fortinet

Two critical bugs in Fortinet products reported in October 2022 (CVSS score: 9.6) and December (CVSS score: 9.3) allow unauthenticated attackers to execute arbitrary code using specially crafted requests. The company issued updates while CISA warned of significant risk to federal organizations. Exploitation attempts of CVE-2022-40684 at the beginning of 2023 affected 18% of organizations.

The Best Prevention: Virtual Patching with a Cloud IPS

Attackers often exploit exposed Windows Remote Desktop Protocol (RDP) services and unpatched Remote Code Execution (RCE) vulnerabilities to execute commands and place malicious code in a network. Mail servers are often the weak link. Many organizations don’t deploy endpoint security or anti-ransomware products on servers for fear of compromising performance. With high numbers of vulnerabilities, network exposure and poor patch management, servers are a common open door for attackers.

Timely patching is essential—but not enough. A Secure Access Service Edge (SASE) solution, like Check Point Harmony Connect, helps prevent attackers from exploiting vulnerabilities and gaining persistence in your network. It combines four powerful capabilities in a full SASE solution.

• Cloud-based Intrusion Prevention System (IPS): A cloud IPS detects and blocks threats targeting systems and applications, including common browsers. With signature- and anomaly-based detection, a cloud IPS detects and blocks known threats, such as common vulnerabilities and exposures (CVEs), as well as OWASP Top 10 common security risks, zero-day threats, and malicious connections. It also helps organizations offload patching for hundreds or thousands of systems, servers and application software vulnerabilities. With a cloud IPS as part of Harmony Connect SASE, newly discovered vulnerabilities in browsers, applications and systems are patched virtually and automatically. A cloud IPS also stops genuine attacks in real time with high performance and minimal false positives, protecting corporate assets such as servers and applications, as well as individual user workstations with outdated browsers or software.

• Zero-Day Sandboxing: Harmony Connect SASE includes advanced sandboxing (threat emulation), which inspects files for hundreds of different indicators—common evasion techniques, file-opening macros or out-of-context services—to determine which are malicious. In the recent Next Generation Firewall (NGFW) Security Benchmark 2023 report, Miercom found Check Point Quantum Next-Gen Security Gateway technology prevented 99.7% of new malware downloads. This is the same threat prevention technology delivered by Harmony Connect SASE.
• Big Data Threat Intel and AI: Check Point ThreatCloud combines big-data threat intelligence gathered from hundreds of millions of sensors worldwide with more than 30 AI and machine learning engines to identify and block emerging threats, even never-before-seen malware that anti-virus software cannot yet detect, due to the absence of a known hash or signature.
• Full Traffic Inspection: Using a lightweight client for remote PC and Mac users, Harmony Connect SASE performs full traffic inspection across all ports and protocols, not just standard web HTTP/HTTPS(!). That means P2P file sharing, anonymizing services and consumer VPNs can be secured against malicious intent (and not just blocked altogether).

The Only Prevention-First SASE Solution: Harmony Connect

• Harmony Connect is the only prevention-focused SASE solution to successfully defend against attackers attempting to exploit vulnerabilities. It secures 55 million corporate access transactions and prevents 240,000 cyber attacks per month. Learn more:
• To secure remote users, learn more about our Secure Web Gateway
• To secure private applications and networks, learn more about our Zero Trust Network Access
• To secure branch offices, read the case study
• For a deeper dive into SASE, check out the webinar

Mor Ahuvia