In a year bookended by the late-2020 SolarWinds supply chain attack and the widespread Log4j vulnerability, security teams have consistently juggled and prioritized an ongoing wave of threats. And between those, they have a monthly Patch Tuesday update to contend with.
While Microsoft patched fewer vulnerabilities in 2021 than in 2020, the company fixed 883 bugs in 2021, says Aanchal Gupta, vice president of the Microsoft Security Response Center. Some of these resulted in widespread exploitation; some merited greater attention, and as a group, many reflect trends and patterns that security teams should note in the year ahead.
Among the most memorable vulnerabilities, disclosed and patched in March 2021, were those existing in on-premises versions of Microsoft Exchange Server. At the time it reported the vulnerabilities, Microsoft said these were used in "limited and targeted" attacks conducted by a group called Hafnium, which officials said is state-sponsored and operates out of China.
It didn't take long for the security community to report there were likely multiple threat groups behind a wave of malicious activity targeting Exchange Servers. What had been "low and slow" activity quickly escalated into a lot of noise, with tens of thousands of organizations affected. "That snowballed really quickly," says Kevin Breen, director of cyber-threat research at Immersive Labs, about the Exchange Server attacks. Within weeks of the advanced persistent threat groups exploiting the vulnerabilities, cybercrime groups began to adopt it as well.
In addition to releasing patches, Microsoft at the time produced an additional series of security updates to be applied to some older and unsupported cumulative updates. It was necessary in this case, but Gupta notes "we don't prefer doing" it as it discourages customers from patching.
"Threat actors like Hafnium, they are sophisticated," says Gupta. "They are doing the scans; they are going to go after anyone who is not patching in time."
But patching was tricky for many organizations. Some were running old versions of Exchange Server and didn't have an IT team to patch; some weren't ready to patch. The company released a mitigation tool, which Gupta describes as a script containing five steps businesses could use to protect themselves.
A "Nightmare" for Security Teams
Security teams later learned of PrintNightmare, a remotely exploitable bug affecting all versions of Windows. It exists in the Windows Print Spooler Service, which acts as an interface between the OS and a printer and handles tasks such as loading printer drivers and ordering print jobs. The flaw could enable authenticated attackers to gain system-level access on vulnerable systems — which also include Active Directory admin servers and core domain controllers — and let them run code, download malware, create new user accounts, or view, change, and delete data.
But the PrintNightmare patch had its own issues, notes Dustin Childs, head of communications for Trend Micro's Zero-Day Initiative. "It was not just that the problem was severe and wide-ranging — because it certainly was — but the fixes also had their problems … fix after fix came out."
And because some fixes didn't solve all the problems, it became an ongoing concern. After its initial disclosure of the vulnerability, Microsoft released a new CVE and workarounds for it.
Childs goes back and forth on whether the Exchange Server flaws or PrintNightmare was more severe. Ultimately, he says, the Exchange Server bugs have a broader impact that could last for years to come.
"We still don't know exactly how wide that impact was, and it's very likely there's still a lot of Exchange Servers out there that are unpatched, because it's so difficult to patch Exchange," Childs explains. This is especially true for medium-sized businesses running Exchange Server on-premises: The mentality of "it's still working, don't touch it" exists because employees fear it might break or there may be an issue with the patch.
More Vulns in the Spotlight
While the Exchange Server and PrintNightmare vulnerabilities stood out most, they weren't the only bugs security teams worried about this year. Virsec CTO Satya Gupta pointed to CVE-2021-31166, a remote code execution (RCE) vulnerability in the HTTP Protocol Stack for Microsoft Internet Information Services, as a standout flaw with a CVSS 3.0 score of 9.8 and considered wormable.
Another was CVE-2021-28476, an RCE bug in Hyper-V that allows a guest virtual machine to force the Hyper-V host's kernel to read from an arbitrary and potentially invalid address. "Every Azure box runs with Hyper-V in it," Virsec's Gupta explains. "If there's a vulnerability in Hyper-V, it makes everybody's box become a problem. Everybody's box becomes vulnerable."
Compounding the problem of this flaw was the availability of proof-of-concept code, he notes. This makes for a "really, really nasty" situation because attackers can access the proof of concept before a patch is applied, presenting a greater risk to vulnerable organizations.
Sometimes a vulnerability won't generate much attention when it's first disclosed but becomes a more urgent situation later. Such was the case with CVE-2021-42287, an elevation of privilege vulnerability in Active Directory Domain Services, Immersive Labs' Breen says. This was patched in November and classified as "exploitation less likely" by Microsoft; just last week, proof-of-concept exploit code was published online.
He points to four vulnerabilities in Open Management Infrastructure (OMI), collectively dubbed OMIGOD by the Wiz researchers who found them, as notable bugs in 2021. OMI is a widely used but little-known software agent embedded in many commonly used Azure services, and most organizations using Azure were affected. One was RCE; three were privilege escalation.
Childs points to local privilege escalation as a category of vulnerability that is often overlooked but which merits closer attention from security teams. Many of these have appeared in various Windows components, get wrapped up into malware, and then exploited, he says. While local privilege escalation isn't very exciting on its own, these flaws can become "absolutely effective in taking over someone's system" when they're combined with other vulnerabilities, he adds.
"It's one of those things where we need to make sure we're focusing on finding and fixing the bugs that are getting used, and LPE bugs are getting used by the bad guys, so we need to make sure we take care of those," he says. Even the bugs that aren't critical, or have a lower CVSS score, can pose a threat if an attacker wants to take over a system.
Breen also highlights this trend, noting that privilege escalation vulnerabilities were "a core part" of many attacks that have happened in the past year. Many attackers won't use a RCE flaw, instead opting for social engineering, brute-forcing RDP, or phishing to gain user access.
"Those things are really critical, because you can't always protect against the zero-day RCE but there's a lot you can do to protect users and mitigate privilege escalation attacks," he adds.
An Evolving Challenge for Defenders
There are a few trends in patching that may pose a challenge to security teams in months and years ahead. Childs points to what he calls the "patch gap" as an example: A patch will become available for product A, but other products consuming product A aren't rolling out that patch — at a reasonable rate, or at all, he says.
He points to Google Chrome as an example. "I'm seeing a lot more bugs come through Chrome than we've seen in years past," Childs says. While Chrome has a reputation for being a secure browser, he notes people might overlook the number of products running on Chromium. "How long is it before everything based on Chrome absorbs those patches and then they're protected as well?" he adds. A delay between a Chrome update release and Edge Chromium rolling out an update could pose a risk.
The same issue exists with open source libraries. A library could release an update, but everything that consumes the library may not be updated depending on how closely they're paying attention. The impact of this issue may vary, depending on the products, he says.
"The 'patch gap' has become more prevalent and people are finally starting to understand there are shared resources that aren't being closely monitored," Childs adds. Organizations should monitor the libraries they're importing to be sure updates are consumed, though it is difficult to follow through on everything that needs to be patched.
Which leads to another problem in enterprise security: Many IT and security teams don't know how many patches they need to roll out because of the high volume and range of products they use. There is no centralized location that lists all products and services to be updated; they fear automatic updates will break things; and teams are often underfunded and under pressure.
"The problems of patch management are going to grow even further," Childs says.
Another trend to watch is the increase in attention paid to specific products and services after a bug is released, Breen notes. Once a major bug appears, and especially if it's under attack, the following months will bring additional flaws patched in the same products. "It does draw a focus," he says. Researchers believe if there is one problem, there will probably be more. This happened in the months following the Exchange Server and PrintNightmare vulnerabilities.
While the number of patches released dropped this year, Microsoft's Gupta says there is more work to be done in 2022. The supply chain risk is here to stay, she says, and we will continue to see more and more bugs organizations need to address. Working with partners in the security community has been helpful, and especially through Microsoft's bug bounty program, which Gupta says has paid close to $13 million to $14 million in bug bounties to more than 300 researchers.
Internally, something that has proven valuable is pausing to reflect after incidents to see how things can be improved. Gupta adds: "We are always looking at ways to prevent that issue from happening ever again."