Predicting Vulnerabilities Used by State-Sponsored Hackers


On October 20th, 2020, the National Security Agency (NSA) released an advisory listing 25 vulnerabilities used by Chinese state-sponsored malicious hackers in attacks. The advisory was issued because, according to NSA Cybersecurity Director Anne Neuberger, “We hear loud and clear that it can be hard to prioritize patching and mitigation efforts.”


The prioritization of software vulnerabilities is a well-known challenge in cybersecurity. A 2019 study by the Ponemon Institute found that 77% of firms lack sufficient patching resources to resolve their vulnerabilities, while Heimdal Security found that 80% of breaches and audit failures could have been avoided by applying an available patch. With over 200 new software vulnerabilities disclosed each week, defenders face an uphill climb. Hence, the NSA felt compelled to issue the warning.

However, hackers, even ones operating from state-sponsored organizations, often develop exploits based on shared community knowledge. Sources like the dark web, social media, and public exploit repositories provide ample raw material for building the tools used in attacks.

Using the CYR3CON platform, we reviewed the intelligence relating to the 25 vulnerabilities. We also examined each vulnerability's CyRating score, a numerical value that expresses how likely the vulnerability is to be exploited. It turns out that intelligence was available on every listed vulnerability by July 2020, well in advance of the NSA report. Additional intelligence continued to be collected afterwards, with information as recent as earlier this month. This is hardly surprising, since the list includes recent, well-known vulnerabilities such as Zerologon (CVE-2020-1472) and the Pulse Secure VPN vulnerability (CVE-2019-11510).


The chart below shows the time-spread of the intelligence by vulnerability. 

Chart: Time difference on intelligence collected on each vulnerability, first and last seen.

It's one thing to collect intelligence, but this raises the question, “Was the intelligence useful in predicting that hackers would use these vulnerabilities in exploits?” CYR3CON's CyRating score is computed using an ensemble of supervised machine learning models and is a risk measurement that reflects the current real-world threat to a vulnerability. The CyRating score is scaled from 1.00 to 38.46 and is read as a ratio: a vulnerability with a CyRating of 10.00 is 10 times more likely to be exploited than a vulnerability with a CyRating of 1.00. At the high end, the CyRating expresses near-certainty of exploitation, while a score of 1.00 means the vulnerability is no more likely to be exploited than the average vulnerability.

The results of the CyRating prediction are shown below. Automatically collected intelligence, combined with machine learning driven analysis, predicted nearly all of the exploits ahead of the NSA's advisory. All but one of the vulnerabilities were rated well above the average likelihood of exploitation.

Chart: Predicted exploits as determined by machine learning.

This contrasts sharply with the current state of the art in standard risk assessment: the CVSS scores published for each CVE in NIST's National Vulnerability Database (the CVSS standard itself is maintained by FIRST).

Under this standard scoring methodology, ten of the 25 vulnerabilities land in the “High” category, the same band shared by 59% of all vulnerabilities, so the score does nothing to single them out from the bulk of the backlog. This poses a significant challenge to security teams. It is no wonder the Director acknowledged that it “can be hard to prioritize patching and mitigation efforts.”

Chart: Summary of CVSS (v3) ratings of vulnerabilities.
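The contrast above between a coarse CVSS band and a ratio-scaled likelihood can be made concrete with a small triage script. The following is an added example written for this page; it is not CYR3CON's or the NSA's code. It maps CVSS v3 base scores onto the qualitative bands defined in the CVSS v3.1 specification, flags “old” CVEs by the year in the identifier, and re-orders a list by a relative-likelihood ratio where 1.0 means average. The CVE IDs (deliberately unassigned 9999x sequence numbers), the CVSS scores and the likelihood values are constructed placeholders, not CyRating output for the advisory's vulnerabilities.

```python
"""Patch-triage helper: bucket vulnerabilities by CVSS v3 severity band,
then re-order them by a relative exploitation-likelihood ratio.

Added illustration, not CYR3CON or NSA code. The CVE IDs, CVSS scores and
likelihood values below are constructed placeholders.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# CVSS v3.1 qualitative severity rating scale (section 5 of the spec):
# (low, high, band). Base scores carry one decimal place.
CVSS_BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative band."""
    score = round(score, 1)
    for lo, hi, band in CVSS_BANDS:
        if lo <= score <= hi:
            return band
    raise ValueError(f"CVSS base score out of range: {score}")


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float         # CVSS v3 base score
    likelihood: float   # relative exploitation likelihood; 1.0 = average vulnerability

    @property
    def year(self) -> int:
        """Year taken from the CVE ID (CVE-<year>-<sequence>)."""
        return int(self.cve.split("-")[1])

    def is_old(self, cutoff_year: int = 2019) -> bool:
        """Flag 're-exploitation' candidates: IDs assigned before the cutoff year."""
        return self.year < cutoff_year


def band_counts(vulns: list[Vuln]) -> Counter:
    """How many vulnerabilities land in each CVSS band (the CVSS-only view)."""
    return Counter(cvss_band(v.cvss) for v in vulns)


def prioritize(vulns: list[Vuln]) -> list[Vuln]:
    """Patch order: exploitation likelihood first, CVSS score as the tie-break."""
    return sorted(vulns, key=lambda v: (v.likelihood, v.cvss), reverse=True)


def relative_risk(a: Vuln, b: Vuln) -> float:
    """On the ratio scale, how many times more likely `a` is to be exploited than `b`."""
    return a.likelihood / b.likelihood


# Constructed sample. The 9999x sequence numbers are unassigned placeholders,
# and the likelihood values are invented, not CyRating output.
SAMPLE = [
    Vuln("CVE-2015-99991", 7.5, 30.0),   # old CVE, heavily traded exploit
    Vuln("CVE-2018-99992", 8.8, 25.0),   # old CVE
    Vuln("CVE-2019-99993", 9.8, 20.0),   # Critical by CVSS, only third by likelihood
    Vuln("CVE-2020-99994", 7.8, 1.0),    # High by CVSS, no more likely than average
    Vuln("CVE-2020-99995", 8.1, 12.0),
    Vuln("CVE-2020-99996", 5.3, 8.0),    # Medium by CVSS, yet outranks a High
]


def report(vulns: list[Vuln]) -> str:
    """Side-by-side view: CVSS band tallies, then the likelihood-ordered queue."""
    counts = ", ".join(f"{b}={n}" for b, n in sorted(band_counts(vulns).items()))
    lines = [f"CVSS-only view: {counts}", "Likelihood order:"]
    for v in prioritize(vulns):
        age = "old" if v.is_old() else "recent"
        lines.append(
            f"  {v.cve}  cvss={v.cvss:4.1f} ({cvss_band(v.cvss):8s})"
            f"  x{v.likelihood:5.1f} avg  {age}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

In the constructed sample four of six vulnerabilities collapse into the single “High” band, which gives a patching team no order to work in, while the likelihood ratio puts the two pre-2019 CVEs at the top and leaves a High-rated vulnerability with average likelihood at the bottom. The ordering rule is the only real decision in the script: likelihood first, CVSS as tie-break, so severity still separates two vulnerabilities that intelligence cannot.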


One final note of interest: four of the vulnerabilities listed in the NSA advisory were “old,” meaning they carried CVE numbers assigned prior to 2019. All four of these vulnerabilities had the highest CyRating scores and, despite their age, had intelligence dating back at least a year. Three of the four had fresh intelligence from the summer of 2020. We previously wrote about the use of old vulnerabilities by hackers, a pattern we refer to as “re-exploitation.”


If you wish to read the NSA’s advisory, visit this link: 

The NSA’s press release is also available here: