It took attackers 5 minutes to start scanning…


The study highlights the acceleration of offensive activity and points to the growing concern that defenders cannot keep up.

Researchers report that within five minutes of the critical Exchange Server zero-day vulnerabilities being patched in early March, criminals began scanning the Internet for vulnerable Microsoft Exchange Servers.

In the “2021 Cortex Xpanse Attack Surface Threat Report,” Palo Alto Networks researchers examined threat data collected in the first quarter from 50 organizations and approximately 50 million IP addresses. Their analysis shows that attackers begin scanning for vulnerable Internet-facing assets within an hour of a vulnerability being disclosed, and in some cases within 15 minutes or less.

Tim Junio, senior vice president of Cortex products at Palo Alto Networks, said: “From the time a vulnerability is released until we start to see a surge in scanning is now only a few minutes. Compared to a few years ago, this is a huge change.”

Junio said that within five minutes of Microsoft’s disclosure of the Exchange Server vulnerabilities, people from all over the world were scanning for exposed servers. Several factors work in attackers’ favor, cost among them: the report states that criminals need only about $10 to rent the cloud computing power required to perform an “imprecise scan” of Internet-exposed systems.

The ease of scanning for vulnerable systems has also increased the number of analysts and criminals scanning for vulnerabilities and infrastructure. The researchers point out that to identify new victims, a scanner needs only one piece of input: typically a list of IP addresses or a specific vulnerability to look for. Junio acknowledged that some of these scans may come from legitimate security researchers, although not all of them do. The report notes that over the past five years, attackers have refined techniques that scale rapidly.

Organizations’ relatively slow response also gives attackers an advantage. Researchers report that it takes global companies an average of 12 hours to detect vulnerable systems, and that figure assumes the company knows about every asset on its network. Junio pointed out that the fastest organizations patched vulnerable Exchange servers within a few days, but many large enterprises took weeks.

He said: “If you don’t have an up-to-date list of everything running on the web, it’s actually very difficult to do.” He added that many organizations don’t have a complete list.

Junio believes that attackers’ rapid response to the Exchange Server vulnerabilities is not a one-off incident but part of a growing trend. He said that when the researchers analyzed the data for the report, they noticed that scanning began within 15 minutes of flaws being disclosed in other Internet-facing products.

Although those disclosures were recent, Junio warned that attackers also take advantage of old vulnerabilities because they know certain companies have not patched them. He used Conficker (a threat first discovered in 2008) as an example; it continues to be found on target machines. The worm spreads through removable media and network drives and targets CVE-2008-4250, a vulnerability in the Server service of old Windows versions such as Windows 2000, Windows Server 2003 and Windows Server 2008.

He said: “If you enter the environment, you have to try all these old options, because there is indeed a big chance that you can still use them. In order to clean up effectively, you must have very good network segmentation and defense-in-depth capabilities. And you need to have an excellent patch management program.” All of these make up “the extremely complex mosaic of what enterprise IT is.”

Researchers found that global companies add a new serious vulnerability every 12 hours. These include insecure remote access through RDP, Telnet, SNMP, VNC and the like; exposed database servers; and exposure to zero-day vulnerabilities in products such as Exchange Server. Junio said this does not mean that every such issue will turn into a serious vulnerability, but it does mean that attackers who are scanning can find a way in.

RDP continues to put businesses at risk

In the past year, use of the Remote Desktop Protocol (RDP) has exploded, and RDP exposures accounted for 32% of the security issues the researchers studied. Analysis shows that port 3389 (the default RDP port) is frequently scanned, and Palo Alto Networks’ Unit 42 incident response team observed that this scanning is usually accompanied by credential brute-forcing or basic credential-cracking tools.
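The brute-forcing that Unit 42 sees behind the port 3389 scans leaves a recognizable trail in Windows Security logs: bursts of logon failures (event 4625) from one source address, often against several accounts, sometimes followed by a success (4624). The following detector is an added example and is not code from the report or the article. It runs over a constructed, simplified log format (timestamp, event ID, logon type, source IP, user); the event IDs and logon types are the real Windows values, but the line layout and every address and account name are invented for the example.

```python
"""Flag RDP credential brute-forcing in Windows logon events (added example).

Input format (constructed for this example): timestamp,event_id,logon_type,src_ip,user
Event 4625 = logon failure, 4624 = logon success. Logon type 10 is a classic
RemoteInteractive (RDP) logon; failures against NLA-enabled hosts usually
surface as type 3, so both are treated as RDP-related here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}

# Constructed sample: 203.0.113.7 sprays several accounts, then logs in as svc_sql.
# 198.51.100.22 is a user fat-fingering a password twice, five minutes apart.
SAMPLE_LOG = """\
2021-03-02T10:00:01Z,4625,10,203.0.113.7,administrator
2021-03-02T10:00:02Z,4625,10,203.0.113.7,administrator
2021-03-02T10:00:02Z,4625,10,203.0.113.7,admin
2021-03-02T10:00:03Z,4625,10,203.0.113.7,backup
2021-03-02T10:00:04Z,4625,10,203.0.113.7,administrator
2021-03-02T10:00:05Z,4625,10,203.0.113.7,svc_sql
2021-03-02T10:00:09Z,4624,10,203.0.113.7,svc_sql
2021-03-02T10:00:30Z,4625,10,198.51.100.22,jsmith
2021-03-02T10:00:40Z,4624,2,10.0.0.5,jsmith
2021-03-02T10:05:00Z,4625,10,198.51.100.22,jsmith
"""


def parse_events(text):
    """Turn the constructed CSV-style lines into (ts, event_id, logon_type, src_ip, user)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src_ip, user = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       int(event_id), int(logon_type), src_ip, user))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of RDP logon failures per source IP.

    Returns a list of (src_ip, kind, detail) alerts:
      - "brute_force" once a source reaches `threshold` failures inside `window`
      - "success_after_brute_force" when a flagged source then logs in while
        its recent failures are still inside the window
    """
    failures = defaultdict(deque)   # src_ip -> deque of (ts, user) within window
    flagged = set()
    alerts = []
    for ts, event_id, logon_type, src_ip, user in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        recent = failures[src_ip]
        while recent and ts - recent[0][0] > window:
            recent.popleft()            # expire failures older than the window
        if event_id == 4625:
            recent.append((ts, user))
            if len(recent) >= threshold and src_ip not in flagged:
                flagged.add(src_ip)
                accounts = {u for _, u in recent}
                alerts.append((src_ip, "brute_force",
                               f"{len(recent)} failures in {window.seconds}s "
                               f"across {len(accounts)} accounts"))
        elif event_id == 4624 and src_ip in flagged and recent:
            alerts.append((src_ip, "success_after_brute_force", user))
    return alerts


if __name__ == "__main__":
    for src_ip, kind, detail in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"{src_ip}: {kind} ({detail})")
```

Tune `threshold` and `window` to the environment; the point of the second alert kind is that a success from a source that was just brute-forcing is the event worth paging on, since that is the foothold the ransomware cases the article mentions start from.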

Junio said: “If you have a compromised RDP host, the severity of what can happen is wide.” For example, the compromised host may become part of a botnet, or, if the attacker is specifically targeting the organization, it may serve as the entry point for further escalation or ransomware. The researchers point out that RDP is one of the most common gateways for ransomware.

A common situation is an organization whose policy states that RDP should not be exposed on the public Internet, yet it is. He added that sometimes this happens because an employee’s equipment is misconfigured. In other cases, the people working on cloud infrastructure in DevOps find it hard to tell private resources from public ones.

He explained: “It’s not as easy as ‘these are Internet-facing, and these are proprietary.’ Software products are not really designed that way.” RDP may be enabled for an Internet-facing application, and the organization may not know that it is actually open to the public.

The researchers recommend that organizations create a system of record that tracks every asset, system and service they own on the public Internet, including across the major cloud service providers and in commercial and residential ISP address space. They also recommend using a full protocol handshake, rather than a port check alone, to verify the details of the specific service running on a given IP address.
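What a “full protocol handshake” buys you over a port check, for the RDP case the article dwells on: a TCP connect to 3389 says only that something is listening, while completing the X.224 connection request and reading the server’s Connection Confirm tells you whether the host enforces Network Level Authentication, offers only TLS, or still speaks legacy RDP security. The following prober is an added example and is not code from the report or the article. The message layout, protocol flags and failure codes are taken from the MS-RDPBCGR specification; the three sample responses are constructed for the example (not captured traffic), and `probe_rdp` needs network access to a host you are authorized to test.

```python
"""Verify an RDP listener with a real X.224 handshake (added example, MS-RDPBCGR 2.2.1.1/2.2.1.2)."""
import socket
import struct

# requestedProtocols / selectedProtocol flags from RDP_NEG_REQ / RDP_NEG_RSP
PROTOCOL_RDP = 0x00000000        # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID, cookie_user="probe"):
    """TPKT + X.224 Connection Request with a routing cookie and an RDP_NEG_REQ."""
    cookie = f"Cookie: mstshash={cookie_user}\r\n".encode("ascii")
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    # X.224 CR TPDU: code 0xE0, DST-REF, SRC-REF, class option (all zero here)
    body = struct.pack("<BHHB", 0xE0, 0, 0, 0) + cookie + neg_req
    x224 = struct.pack("B", len(body)) + body               # length indicator first
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224   # TPKT v3 + total length


def parse_connection_confirm(data):
    """Parse the server's X.224 Connection Confirm and report what it negotiated."""
    if len(data) < 11:
        raise ValueError("too short for TPKT + X.224 CC")
    version, _, length = struct.unpack(">BBH", data[:4])
    if version != 3 or length != len(data):
        raise ValueError("bad TPKT header")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:                                  # CC TPDU code
        raise ValueError("not an X.224 Connection Confirm")
    result = {"selected": None, "failure": None, "flags": 0}
    if li == 6:
        # No RDP_NEG_RSP at all: the server only speaks standard RDP security
        result["selected"] = PROTOCOL_RDP
        return result
    if len(data) < 19:
        raise ValueError("truncated RDP negotiation response")
    rtype, flags, rlen, value = struct.unpack("<BBHI", data[11:19])
    if rlen != 8:
        raise ValueError("bad negotiation structure length")
    if rtype == TYPE_RDP_NEG_RSP:
        result["selected"], result["flags"] = value, flags
    elif rtype == TYPE_RDP_NEG_FAILURE:
        result["failure"] = FAILURE_CODES.get(value, f"UNKNOWN_0x{value:08x}")
    else:
        raise ValueError(f"unexpected negotiation type 0x{rtype:02x}")
    return result


def describe(result):
    """One-line note for the asset inventory: how much protection sits in front of the logon."""
    if result["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return "RDP: NLA required (client offered too little)"
    if result["failure"]:
        return f"RDP: negotiation failed ({result['failure']})"
    sel = result["selected"]
    if sel & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        return "RDP: NLA (CredSSP) negotiated"
    if sel & PROTOCOL_SSL:
        return "RDP: TLS without NLA, logon screen reachable before authentication"
    return "RDP: standard RDP security only, no TLS, no NLA"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def probe_rdp(host, port=3389, timeout=3.0):
    """Run the handshake against a live host (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        head = _recv_exact(s, 4)
        _, _, length = struct.unpack(">BBH", head)
        return parse_connection_confirm(head + _recv_exact(s, length - 4))


# Constructed server responses for offline use (not captured traffic)
SAMPLE_NLA_RESPONSE = bytes.fromhex("030000130ed00000123400021f080002000000")
SAMPLE_FAILURE_RESPONSE = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_LEGACY_RESPONSE = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    for sample in (SAMPLE_NLA_RESPONSE, SAMPLE_FAILURE_RESPONSE, SAMPLE_LEGACY_RESPONSE):
        print(describe(parse_connection_confirm(sample)))
```

The inventory value is in the third outcome: a host that answers with a bare Connection Confirm (no negotiation response) or selects `PROTOCOL_RDP` exposes its logon screen with neither TLS nor NLA, which is exactly the kind of “we didn’t know that was public” RDP exposure the article describes, and a port scan alone would not distinguish it from a hardened host.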

Kelly Sheridan is a contributing editor at Dark Reading, focusing on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and for Insurance & Technology, where she covered finance and economics.
