Dark Reading is part of the Informa Tech Division of Informa PLC
Threat Intelligence

5/19/2021
04:19 PM

Attackers Took 5 Minutes to Start Scanning for Exchange Server Flaws

Research underscores the acceleration of attack activity and points to a growing concern that defenders can't keep pace.

Criminals began to scan the Internet for vulnerable Microsoft Exchange Servers within five minutes of the disclosure of critical zero-day flaws patched in early March, researchers report.

In the "2021 Cortex Xpanse Attack Surface Threat Report," Palo Alto Networks researchers examine threat data from 50 organizations, and some 50 million IP addresses, collected in the first quarter. Their analysis reveals attackers scan to inventory vulnerable Internet assets once per hour, and even more often — within 15 minutes or less — following the disclosure of CVEs.

"When an exploit is published, the time from then until when we start to see follow-on scanning spike in volume is now just minutes," says Tim Junio, senior vice president of products for Cortex at Palo Alto Networks. "That is a huge change from a few years ago."

Within five minutes of Microsoft's disclosure of the Exchange Server vulnerabilities, Junio says people from around the world were scanning for exposed servers. There are several factors working in attackers' favor, such as cost: The report notes criminals would only need about $10 to rent the cloud computing power they need for an "imprecise scan" for vulnerable systems.

The ease of scanning for vulnerable systems has also driven an increase in both analysts and criminals who scan for vulnerabilities and infrastructure. To identify new victims, scanners need only a target, usually a list of IPs or a particular flaw, researchers note. Junio acknowledges some of these scans could be legitimate security researchers, though likely not all of them. In the past five years, attackers have perfected techniques that scale at speed, the report states.

Organizations' comparatively slow response also gives attackers an edge. Global enterprises need an average of 12 hours to detect vulnerable systems, researchers report, and this assumes businesses know about all assets on their network. The fastest ones patched vulnerable Exchange Servers within days, Junio notes, but many large businesses took weeks to do it.

"That is actually really hard to do if you don't have an up-to-date inventory of everything that's running on your network," he says, adding that many organizations don't have a complete list.

Junio believes attackers' quick response to the Exchange Server flaws is not a one-off event but part of a growing trend. As researchers were analyzing data for this report, they noticed scans begin within 15 minutes of disclosures for flaws in other Internet-facing products, he says.

Although these disclosures were all fairly recent, Junio warns attackers take advantage of old flaws because they know some companies won't patch. He uses Conficker, a threat first spotted in 2008, as an example of one that continues to be detected on target machines. The worm propagates through removable media, network drives, and by exploiting CVE-2008-4250, a vulnerability in the Server service in legacy Windows versions like Windows 2000, Server 2002, and Server 2008.

"If you get into an environment, you want to try all of these old options because there's a really good chance that some of them will still work," he says. "For that to be cleaned up effectively, you have to have really good network segmentation and defense in depth, and you need to have a great patch management program." All of these make an "extremely complicated mosaic of what is enterprise IT."

Researchers found global enterprises encountered new serious vulnerabilities every 12 hours. These included insecure remote access via RDP, Telnet, SNMP, VNC, and others; database servers; and exposure to zero-day flaws in products such as Exchange Server. This doesn't mean every issue is going to become a serious breach, Junio says, but it does mean there are windows for a scanning attacker to find their way in.

RDP Continues to Put Businesses At Risk

Remote Desktop Protocol (RDP), which has spiked in usage over the past year, made up 32% of security issues researchers examined. Analysis revealed frequent scanning for port 3389 — reserved for RDP — and Palo Alto Networks' Unit 42 response team has observed this scanning is often followed by brute-forcing credentials or basic credential hacking tools.
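The sequence Unit 42 describes above, a sweep of port 3389 followed by credential brute-forcing, is one a defender can look for in their own logs. The Python below is an added example, not code from Palo Alto Networks or the report; it runs over a handful of constructed firewall and logon log lines in an assumed `key=value` syslog-style format, flags a source that touches several hosts on 3389 in a short burst and then produces a run of failed logons against one of those hosts, and raises the severity if a successful logon from the same source follows the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the report). One simplified
# format is assumed for both firewall ("fw") and logon ("auth") events.
SAMPLE_LOGS = """\
2021-03-03T10:00:01Z fw src=203.0.113.5 dst=198.51.100.10 dport=3389 action=ALLOW
2021-03-03T10:00:02Z fw src=203.0.113.5 dst=198.51.100.11 dport=3389 action=ALLOW
2021-03-03T10:00:02Z fw src=203.0.113.5 dst=198.51.100.12 dport=3389 action=DENY
2021-03-03T10:00:03Z fw src=203.0.113.5 dst=198.51.100.13 dport=3389 action=DENY
2021-03-03T10:00:03Z fw src=203.0.113.5 dst=198.51.100.14 dport=3389 action=DENY
2021-03-03T10:00:09Z fw src=192.0.2.77 dst=198.51.100.10 dport=443 action=ALLOW
2021-03-03T10:02:10Z auth host=198.51.100.10 src=203.0.113.5 user=administrator result=FAIL
2021-03-03T10:02:11Z auth host=198.51.100.10 src=203.0.113.5 user=admin result=FAIL
2021-03-03T10:02:12Z auth host=198.51.100.10 src=203.0.113.5 user=backup result=FAIL
2021-03-03T10:02:13Z auth host=198.51.100.10 src=203.0.113.5 user=svc_sql result=FAIL
2021-03-03T10:02:14Z auth host=198.51.100.10 src=203.0.113.5 user=jsmith result=FAIL
2021-03-03T10:02:20Z auth host=198.51.100.10 src=203.0.113.5 user=jsmith result=SUCCESS
2021-03-03T10:05:00Z auth host=198.51.100.11 src=192.0.2.77 user=alice result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>fw|auth) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a dict of its key=value fields plus a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("rest")))
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    ev["kind"] = m.group("kind")
    return ev


def parse_logs(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def _burst(times, threshold, window):
    """Earliest start of a run of >= threshold timestamps that fit in `window`, else None."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        if i - j + 1 >= threshold:
            return times[j]
    return None


def detect_rdp_scans(events, min_hosts=5, window=timedelta(minutes=1)):
    """src -> start time of a burst in which src touched >= min_hosts distinct hosts
    on 3389 within `window`. DENY lines count too: a sweep hits closed ports as well."""
    first_hit = defaultdict(dict)
    for ev in events:
        if ev["kind"] == "fw" and ev.get("dport") == "3389":
            seen = first_hit[ev["src"]]
            if ev["dst"] not in seen or ev["ts"] < seen[ev["dst"]]:
                seen[ev["dst"]] = ev["ts"]
    scans = {}
    for src, hosts in first_hit.items():
        start = _burst(list(hosts.values()), min_hosts, window)
        if start is not None:
            scans[src] = start
    return scans


def detect_brute_force(events, min_fails=5, window=timedelta(minutes=5)):
    """One record per (src, host) with >= min_fails failed logons inside `window`,
    noting whether a successful logon from that src followed the burst."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["kind"] != "auth":
            continue
        key = (ev["src"], ev["host"])
        (fails if ev["result"] == "FAIL" else successes)[key].append(ev["ts"])
    found = []
    for (src, host), times in fails.items():
        start = _burst(times, min_fails, window)
        if start is None:
            continue
        found.append({"src": src, "host": host, "burst_started": start,
                      "success_after_burst": any(t > start for t in successes.get((src, host), []))})
    return found


def analyze(log_text, follow=timedelta(minutes=15)):
    """Correlate a 3389 sweep with a brute-force burst from the same source within `follow`."""
    events = parse_logs(log_text)
    scans = detect_rdp_scans(events)
    findings = []
    for bf in detect_brute_force(events):
        scan_start = scans.get(bf["src"])
        if scan_start is None or not (timedelta(0) <= bf["burst_started"] - scan_start <= follow):
            continue
        findings.append({**bf, "scan_started": scan_start,
                         "severity": "high" if bf["success_after_burst"] else "medium"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f)
```

The thresholds (five hosts in a minute, five failures in five minutes, a 15-minute follow window) are assumptions for the sample; in production they would be tuned to the environment, and the `success_after_burst` flag is the signal that turns a noisy scanner alert into an incident.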

"The severity of what could happen if you have a compromised RDP host is a pretty wide range," Junio says. A compromised host could become part of a botnet, for example, or if an attacker specifically targets one host, it could be an entry point for further escalation or ransomware. Researchers note RDP is among the most common gateways for ransomware.

It's common to see organizations with a policy stating RDP should not be on the public Internet, yet it is. Sometimes this happens because employees' devices are not properly configured, he adds. In other cases, it's tough to differentiate what is private and public from the vantage point of someone in DevOps working on cloud infrastructure.

"It's not as easy as, 'these are Internet-facing and these are private,'" he explains. "Software products are not really designed that way." RDP may be permitted for Internet applications, and organizations may not be aware they're actually public-facing.

Researchers advise organizations to create a system of record to track all assets, systems, and services they own that are on the public Internet, including across major cloud service providers and commercial and residential ISP space. They also recommend using a full protocol handshake to verify details about a specific service running at a given IP address.
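The recommendation above, verifying a service with a full protocol handshake instead of trusting the port number, can be put into code. The Python below is an added example and is not the report's or Cortex Xpanse's tooling; it assumes a simple inventory record format (`host`, `port`, `expected`) and starts two mock listeners on 127.0.0.1 (constructed here so the example runs offline) to show that an RDP handshake, the X.224 Connection Request/Confirm exchange that opens every RDP session, separates a genuine RDP listener from a port that the system of record still calls RDP but that now answers HTTP.

```python
import socket
import threading

# TPKT header (version 3, length 11) followed by a minimal X.224 Connection
# Request (type 0xE0). An RDP listener answers with an X.224 Connection Confirm
# (type 0xD0); anything else on the port will not.
X224_CONNECTION_REQUEST = bytes.fromhex("0300000b06e00000000000")
X224_CONNECTION_CONFIRM = bytes.fromhex("0300000b06d00000123400")


def _exchange(host, port, payload, timeout=2.0):
    """Connect, send one payload, return the peer's reply (b"" if it stays silent)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def speaks_rdp(host, port):
    reply = _exchange(host, port, X224_CONNECTION_REQUEST)
    # TPKT version byte 3, then an X.224 PDU whose type code is Connection Confirm
    return len(reply) >= 6 and reply[0] == 0x03 and reply[5] == 0xD0


def speaks_http(host, port):
    reply = _exchange(host, port, b"HEAD / HTTP/1.0\r\nHost: inventory-check\r\n\r\n")
    return reply.startswith(b"HTTP/")


def fingerprint(host, port):
    """Protocol confirmed by handshake: 'rdp', 'http', 'unknown' (answers but matches
    no probe), or None when the port cannot be reached at all."""
    try:
        if speaks_rdp(host, port):
            return "rdp"
        if speaks_http(host, port):
            return "http"
        return "unknown"
    except OSError:
        return None


def verify_inventory(records):
    """records: [{'host': ..., 'port': ..., 'expected': ...}] from the system of record.
    Returns each record annotated with the observed protocol and a match status."""
    out = []
    for rec in records:
        observed = fingerprint(rec["host"], rec["port"])
        if observed is None:
            status = "unreachable"
        elif observed == rec["expected"]:
            status = "match"
        else:
            status = "mismatch"
        out.append({**rec, "observed": observed, "status": status})
    return out


# --- constructed mock listeners on loopback so the example runs offline ---
def _serve(handler):
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                handler(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def _rdp_mock(conn):
    data = conn.recv(64)
    if len(data) >= 6 and data[5] == 0xE0:  # only answer a real X.224 Connection Request
        conn.sendall(X224_CONNECTION_CONFIRM)


def _http_mock(conn):
    conn.recv(1024)
    conn.sendall(b"HTTP/1.0 200 OK\r\nServer: mock\r\nContent-Length: 0\r\n\r\n")


def demo():
    rdp_port = _serve(_rdp_mock)
    http_port = _serve(_http_mock)
    inventory = [
        {"host": "127.0.0.1", "port": rdp_port, "expected": "rdp"},   # record is accurate
        {"host": "127.0.0.1", "port": http_port, "expected": "rdp"},  # stale record: port now serves HTTP
    ]
    return verify_inventory(inventory)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A plain "is the port open" check would report both inventory rows as healthy; the handshake is what exposes the stale record, which is exactly the kind of drift between the system of record and the live attack surface the report warns about.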

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
