Criminals began to scan the Internet for vulnerable Microsoft Exchange Servers within five minutes of the disclosure of critical zero-day flaws patched in early March, researchers report.

In the "2021 Cortex Xpanse Attack Surface Threat Report, " Palo Alto Networks researchers examine threat data from 50 organizations, and some 50 million IP addresses, collected in the first quarter. Their analysis reveals attackers scan to inventory vulnerable Internet assets once per hour and even more often — within 15 minutes or less — following the disclosure of CVEs.

"When an exploit is published, the time from then until when we start to see follow-on scanning spike in volume is now just minutes," says Tim Junio, senior vice president of products for Cortex at Palo Alto Networks. "That is a huge change from a few years ago."

Within five minutes of Microsoft's disclosure of the Exchange Server vulnerabilities, Junio says people from around the world were scanning for exposed servers. There are several factors working in attackers' favor, such as cost: The report notes criminals would only need about $10 to rent the cloud computing power they need for an "imprecise scan" for vulnerable systems.

The ease of scanning for vulnerable systems has also driven an increase in both analysts and criminals who scan for vulnerabilities and infrastructure. To identify new victims, scanners need only a target, usually a list of IPs or a particular flaw, researchers note. Junio acknowledges some of these scans could be legitimate security researchers, though likely not all of them. In the past five years, attackers have perfected techniques that scale at speed, the report states.

Organizations' comparatively slow response also gives them an edge. Global enterprises need an average of 12 hours to detect vulnerable systems, researchers report, and this assumes businesses know about all assets on their network. The fastest ones patched vulnerable Exchange Servers within days, Junio notes, but many large businesses took weeks to do it.

"That is actually really hard to do if you don't have an up-to-date inventory of everything that's running on your network," he says, adding that many organizations don't have a complete list.

Junio believes attackers' quick response to the Exchange Server flaws is not a one-off event but part of a growing trend. As researchers were analyzing data for this report, they noticed scans begin within 15 minutes of disclosures for flaws in other Internet-facing products, he says.

Although these disclosures were all fairly recent, Junio warns attackers take advantage of old flaws as they know some companies won't patch. He uses Conficker, a threat first spotted in 2008, as an example of one that continues to be detected on target machines. The worm propagates through removable media, network drives, and targeting CVE-2008-4250, a vulnerability in the Server service in legacy Windows versions like Windows 2000, Server 2002, and Server 2008.

"If you get into an environment, you want to try all of these old options because there's a really good chance that some of them will still work," he says. "For that to be cleaned up effectively, you have to have really good network segmentation and defense in depth, and you need to have a great patch management program." All of these make an "extremely complicated mosaic of what is enterprise IT."

Researchers found global enterprises encountered new serious vulnerabilities every 12 hours. These included insecure remote access via RDP, Telnet, SNMP, VNC, and others; database servers; and exposure to zero-day flaws in products such as Exchange Server. This doesn't mean every issue is going to become a serious breach, Junio says, but it does mean there are windows for a scanning attacker to find their way in.

RDP Continues to Put Businesses At Risk

Remote Desktop Protocol (RDP), which has spiked in usage over the past year, made up 32% of security issues researchers examined. Analysis revealed frequent scanning for port 3389 — reserved for RDP — and Palo Alto Networks' Unit 42 response team has observed this scanning is often followed by brute-forcing credentials or basic credential hacking tools.

"The severity of what could happen if you have a compromised RDP host is a pretty wide range," Junio says. A compromised host could become part of a botnet, for example, or if an attacker specifically targets one host, it could be an entry point for further escalation or ransomware. Researchers note RDP is among the most common gateways for ransomware.

It's common to see organizations with a policy stating RDP should not be on the public Internet, but it is. Sometimes this happens because employee's devices are not properly configured, he adds. In other cases, it's tough to differentiate what is private and public from the vantage point of someone in DevOps working on cloud infrastructure.

"It's not as easy as, 'these are Internet-facing and these are private,'" he explains. "Software products are not really designed that way." RDP may be permitted for Internet applications, and organizations may not be aware they're actually public-facing.

Researchers advise organizations to create a system of record to track all assets, systems, and services they own that are on the public Internet, including across major cloud service providers and commercial and residential ISP space. They also recommend using a full protocol handshake to verify details about a specific service running at a given IP address.