For cyberattackers, old can be new — as long as it’s relevant. That’s certainly the case with old vulnerabilities.

The 2016 Verizon Data Breach Investigations Report shows that successful exploits from the previous year targeted a large number of vulnerabilities with CVEs assigned more than five years ago.

Vulnerabilities Successfully Exploited in 2015

Many exploited vulnerabilities in 2015 are more than five years old | Source: 2016 Verizon Data Breach Investigations Report

So why the reliance on old vulnerabilities?

Cyberattackers love the path of least resistance. That means going where defenders aren’t looking. And for resource–strapped vulnerability management teams dealing with thousands of vulnerabilities in their systems, new vulnerabilities announced every day and inadequate methods to accurately prioritize their remediation, old vulnerabilities often fall to the bottom of the to–do list. That’s where attackers find their opportunity.

The same vulnerability management issues are also seem to feed another attacker trend: exploiting vulnerabilities with mid–level CVSS scores. Attackers suspect most organizations are focusing on vulnerabilities with critical scores, so those get patched quickly while the rest may never be addressed.

Publicly Disclosed Vulnerabilities

Exploited Vulnerabilities by CVSS Score | Source: Adopted from IBM X-Force/Analysis by Gartner Research (September 2016)

Another perception problem exists in many security programs that somehow vulnerabilities or their exploits go stale. But, in fact, may old exploits are recycled and reused often with only slight modifications. Hackers are constantly tinkering with old, proven exploits and repurposing them for new uses.

Worms are the New Black

The recent WannaCry attack was an example of a “ransomworm,” breathing new life into network worms after so long out at sea.

What’s brought these back in fashion? Again, attackers love the easy button. This is especially true in the era of distributed cybercrime of which ransomware is a key element. Attackers want to reach as many targets as possible to maximize their ROI. They’re buying (or renting) widely available attack tools and services on the dark web, and can launch a sophisticated attack with minimal skill or intervention.

The unholy union of ransomware and worms fits perfectly into this model because it allows the payload to be distributed to even more targets. Ransomworms are taking advantage of network connectivity and using it for its own purposes. Defending against this type of threat always comes back to the old stalwarts of good cyber hygiene — effective vulnerability management, proper segmentation and limiting access as much as possible.

Both of these trends — exploiting old vulnerabilities or dressing up old TTPs in new clothes — demonstrate the importance of keeping up with the current threat landscape. Up–t0–date threat intelligence of what exploits are being used in the wild, what exploits are publicly available and what vulnerabilities are being packaged in ransomware and other attack tools is vital to securing your organization.