
Threat Intelligence

11/2/2020
09:00 AM

As Businesses Go Remote, Hackers Find New Security Gaps

Improper access control, information disclosure, and SSRF are among the most impactful, and most awarded, security flaws found this year.

Organizations are rethinking vulnerability disclosure programs to match a mostly remote staff and increasingly cloud-based infrastructure. As hackers take aim at new targets, they're finding more improper access control, information disclosure, and server-side request forgery flaws.


Awards to white-hat hackers for improper access control jumped 134% year over year to reach just over $4 million, HackerOne reports in its new list of most impactful and most-awarded vulnerabilities of 2020. Information disclosure rewards increased 63% to reach $3.52 million. Companies spent nearly $3 million mitigating server-side request forgery (SSRF) this year — a 103% change from the year prior, researchers report.

"We've had quite a few of our programs that have expanded scope to include their remote access infrastructure and freshly migrated cloud applications," says HackerOne co-founder and CTO Alex Rice in an interview with Dark Reading. 

Most organizations with vulnerability disclosure programs focus on their core applications, not the tools their employees use to access them, Rice explains. Remote access infrastructure is historically out of scope for most. "Post-COVID, there's a lot more scrutiny on that," he notes.

Businesses have been forced to quickly move core applications, which previously required employees to use a VPN or be on-premises for access, to cloud environments or remotely accessible environments. Many have authorized hackers to hunt for bugs in things like their VPN infrastructure or zero-trust environments, and researchers are finding their ways around.

The organizations soon learned their enterprise applications that hadn't been "Internet battle-hardened" over the years now provide attackers with multiple routes in, Rice continues.

"If you've opened up more remote access infrastructure, or you made applications remotely accessible that weren't previously remotely accessible, and you haven't done deep security diligence into it, there's probably things you're missing," he adds. 

Improper access and information disclosure vulnerabilities can potentially expose sensitive data such as personally identifiable information. While they range in severity, these types of flaws could cause serious damage, and they're common because they're hard to find with automated tools.

The rise in SSRF vulnerabilities is a trend HackerOne first noticed last year and one that has continued to grow, Rice says. It is somewhat related to the pandemic but is more broadly driven by the wide migration to cloud environments.

"These vulnerabilities aren't very exploitable in on-prem or local environments but have massive impacts when redeployed to shared multitenant cloud environments. … We're seeing the impact of them spike pretty dramatically," he says.

As researchers explain in a blog post, SSRF bugs were previously "fairly benign" because they only enabled internal network scanning and sometimes access to internal admin panels. Now, the growth of cloud architecture and unprotected endpoints has made them more critical. 

"Theoretically, those vulnerabilities also always existed, they just weren't remotely accessible … so that is brand-new attack surface that's been exposed to our community and also largely attributed to COVID-19," Rice explains. Many applications that have been moved to the cloud previously would have not been moved to the cloud this quickly, or ever, he points out.
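The SSRF discussion above describes the bug in terms of what it can reach (internal hosts, admin panels, cloud-side endpoints) rather than how an application guards against it. The following destination check is an added example written for this article, not code from HackerOne or from the article itself: it takes a user-supplied URL that a server is about to fetch and refuses anything that does not point at a public address. The `FAKE_DNS` table and `fake_resolve` function are constructed stand-ins for DNS so the check runs offline; `system_resolve` is the production variant. The link-local address `169.254.169.254` is singled out in a comment because it is the well-known instance-metadata endpoint on major cloud providers, a fact the article does not state.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for DNS so the example runs offline.
# "intranet.corp" models an internal host name that resolves to a private address.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.1.2.3"],
}


def fake_resolve(hostname):
    """Offline stand-in for DNS; raises like socket.getaddrinfo on unknown names."""
    try:
        return FAKE_DNS[hostname.lower()]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {hostname!r}")


def system_resolve(hostname):
    """Real resolver for production use: every A/AAAA answer for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return not (
        addr.is_private        # RFC 1918 ranges and similar non-routable space
        or addr.is_loopback    # 127.0.0.0/8, ::1
        or addr.is_link_local  # 169.254.0.0/16, which holds the cloud metadata address 169.254.169.254
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def validate_outbound_url(url, resolve=fake_resolve):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). `resolve` maps a host name to its IP strings and
    is injectable so the check can be tested without network access.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL not allowed"
    try:
        # Literal IP in the URL: judge it directly, no DNS involved.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Host name: judge every address it resolves to, not just the first.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            return False, f"cannot resolve host: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"destination {addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://example.com/report",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:8080/admin",
        "http://[::ffff:10.0.0.5]/",
        "http://intranet.corp/",
    ):
        print(candidate, "->", validate_outbound_url(candidate))
```

Two caveats matter in practice. The addresses this function approves must be the ones the HTTP client actually connects to, so either pin the connection to a validated IP or re-check after every DNS lookup; otherwise a name that resolves differently a moment later (DNS rebinding) slips past. And the client must not follow redirects automatically, since a public host can redirect into the ranges this check rejects.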

SQL injection, historically one of the most common vulnerability types, has been decreasing year over year, HackerOne reports. Rice attributes the change to modern security methods and frameworks. SQL injection tends to happen when businesses don't monitor which apps are mapped to a database and how they interface. Now, more teams are proactive about this and many public cloud environments are protected by default.

"We're seeing new applications that are being developed … are being developed with this top of mind, both from the people building the applications but also the cloud providers providing modern database frameworks that make it much harder to use these kinds of vulnerabilities," says Rice.

The pandemic has, unfortunately, increased the amount of time it takes organizations to address these bugs once they're discovered. The time to remediate vulnerabilities is 15% to 18% slower than it was in March, Rice points out, noting that security teams are struggling with fewer resources and work-from-home environments. 

These pressures, combined with an increase in vulnerabilities, are slowing down remediation times — a big concern for severe bugs. The median remediation time for critical vulnerabilities had trended down to about 16.5 days in March; now it's trending back up to 19.6 days, an 18% increase.

Even companies normally quick to remediate are feeling the effects. The top 25% of HackerOne programs slowed from 4.5 days to remediation in March to 5.2 days in October. The slowdown, while small, is still meaningful because at that level of performance, point increases are hard to come by. "Those days add up when it's a race," Rice says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...