“Vulnerabilities that are known to work are a good first bet for a threat actor to try. Attackers are using them because they’re still working.”

Bombarding SMBs with exploits for possibly unpatched flaws was simply the easiest way to find the laggards among organizations whose patching routines are not always rigorous.

The bigger question, then, might be why organizations fail to patch. A noticeable feature of the vulnerabilities is their age. Three are from 2021, one is from 2018, and the final, Heartbleed, was made public as long ago as April 2014.

Given that four of the five were also rated ‘critical’ or ‘high’, in theory they should have been patched as a priority some time ago. According to McKee, an important feature of the top five vulnerabilities was their ubiquity. “All five are on widely used products. Attackers are willing to put the time in for vulnerabilities that are going to provide them with a pay-off for more than one victim,” he said.

The everywhere flaw

A characteristic that gives any flaw longevity among attackers is how difficult it is to patch. In Log4j’s case, this was underlined by an unusual feature. When McKee studied the telemetry, he noticed that it had become steadily more popular among attackers since its discovery in late 2021.

“It’s almost the inverse of what you would expect. With all these patches and mitigations, why has it trended in an upward direction?”