Attackers Took 5 Minutes to Start Scanning for Exchange Server Flaws

Research underscores the acceleration of attack activity and points to a growing concern that defenders can't keep pace.

Criminals began to scan the Internet for vulnerable Microsoft Exchange Servers within five minutes of the disclosure of critical zero-day flaws patched in early March, researchers report.


In the "2021 Cortex Xpanse Attack Surface Threat Report," Palo Alto Networks researchers examine threat data from 50 organizations, and some 50 million IP addresses, collected in the first quarter. Their analysis reveals attackers scan to inventory vulnerable Internet assets once per hour and even more often — within 15 minutes or less — following the disclosure of CVEs.

"When an exploit is published, the time from then until when we start to see follow-on scanning spike in volume is now just minutes," says Tim Junio, senior vice president of products for Cortex at Palo Alto Networks. "That is a huge change from a few years ago."

Within five minutes of Microsoft's disclosure of the Exchange Server vulnerabilities, Junio says people from around the world were scanning for exposed servers. There are several factors working in attackers' favor, such as cost: The report notes criminals would only need about $10 to rent the cloud computing power they need for an "imprecise scan" for vulnerable systems.

The ease of scanning for vulnerable systems has also driven an increase in both analysts and criminals who scan for vulnerabilities and infrastructure. To identify new victims, scanners need only a target, usually a list of IPs or a particular flaw, researchers note. Junio acknowledges some of these scans could be legitimate security researchers, though likely not all of them. In the past five years, attackers have perfected techniques that scale at speed, the report states.

Organizations' comparatively slow response also gives attackers an edge. Global enterprises need an average of 12 hours to detect vulnerable systems, researchers report, and this assumes businesses know about all assets on their network. The fastest ones patched vulnerable Exchange Servers within days, Junio notes, but many large businesses took weeks to do it.

"That is actually really hard to do if you don't have an up-to-date inventory of everything that's running on your network," he says, adding that many organizations don't have a complete list.

Junio believes attackers' quick response to the Exchange Server flaws is not a one-off event but part of a growing trend. As researchers were analyzing data for this report, they noticed scans begin within 15 minutes of disclosures for flaws in other Internet-facing products, he says.

Although these disclosures were all fairly recent, Junio warns attackers take advantage of old flaws as they know some companies won't patch. He uses Conficker, a threat first spotted in 2008, as an example of one that continues to be detected on target machines. The worm propagates through removable media and network drives, and by exploiting CVE-2008-4250, a vulnerability in the Server service in legacy Windows versions like Windows 2000, Server 2002, and Server 2008.

"If you get into an environment, you want to try all of these old options because there's a really good chance that some of them will still work," he says. "For that to be cleaned up effectively, you have to have really good network segmentation and defense in depth, and you need to have a great patch management program." All of these make an "extremely complicated mosaic of what is enterprise IT."

Researchers found global enterprises encountered new serious vulnerabilities every 12 hours. These included insecure remote access via RDP, Telnet, SNMP, VNC, and others; database servers; and exposure to zero-day flaws in products such as Exchange Server. This doesn't mean every issue is going to become a serious breach, Junio says, but it does mean there are windows for a scanning attacker to find their way in.

RDP Continues to Put Businesses At Risk

Remote Desktop Protocol (RDP), which has spiked in usage over the past year, made up 32% of the security issues researchers examined. Analysis revealed frequent scanning for port 3389 — reserved for RDP — and Palo Alto Networks' Unit 42 response team has observed this scanning is often followed by credential brute-forcing or the use of basic credential-hacking tools.

"The severity of what could happen if you have a compromised RDP host is a pretty wide range," Junio says. A compromised host could become part of a botnet, for example, or if an attacker specifically targets one host, it could be an entry point for further escalation or ransomware. Researchers note RDP is among the most common gateways for ransomware.

It's common to see organizations with a policy stating RDP should not be on the public Internet, yet it is exposed anyway. Sometimes this happens because employees' devices are not properly configured, he adds. In other cases, it's tough to differentiate what is private and what is public from the vantage point of someone in DevOps working on cloud infrastructure.

"It's not as easy as, 'these are Internet-facing and these are private,'" he explains. "Software products are not really designed that way." RDP may be permitted for Internet applications, and organizations may not be aware they're actually public-facing.

Researchers advise organizations to create a system of record to track all assets, systems, and services they own that are on the public Internet, including across major cloud service providers and commercial and residential ISP space. They also recommend using a full protocol handshake to verify details about a specific service running at a given IP address.
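The two recommendations above (a system of record for Internet-facing assets, and a full protocol handshake to confirm what a service really is) can be combined into a simple reconciliation check. The following is an added example, not code from Palo Alto Networks, Cortex Xpanse or this article. The system of record, the policy list and the observed handshake responses are all constructed inline so it runs offline; the RDP check parses a TPKT-framed X.224 Connection Confirm, which is the reply a real RDP listener sends, and the last observation shows why a port number alone is a poor fingerprint.

```python
"""Reconcile observed Internet-facing services against a system of record.

Added example (not Palo Alto Networks' or Dark Reading's code). Every
address, port, policy entry and handshake response below is constructed.
"""
from dataclasses import dataclass
import struct


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    service: str
    severity: str   # "critical", "unexpected" or "ok"
    reason: str


# Constructed system of record: the Internet-facing services the organisation
# intends to run, keyed by (address, port). 203.0.113.0/24 is documentation space.
SYSTEM_OF_RECORD = {
    ("203.0.113.10", 22): "ssh",
    ("203.0.113.20", 80): "http",
}

# Constructed policy: services that must never be reachable from the public Internet.
FORBIDDEN_SERVICES = {"rdp", "telnet", "vnc", "snmp"}


def is_rdp_connection_confirm(data: bytes) -> bool:
    """True if `data` is a TPKT-framed X.224 Connection Confirm, i.e. the
    listener completed the first step of the RDP handshake rather than
    merely answering on a port that is usually RDP."""
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        return False                       # TPKT version must be 3, reserved 0
    (tpkt_length,) = struct.unpack(">H", data[2:4])
    if tpkt_length != len(data):
        return False                       # truncated or padded reply
    length_indicator, pdu_type = data[4], data[5]
    # LI counts every byte after itself: 6 fixed CC bytes plus optional data.
    return length_indicator == len(data) - 5 and (pdu_type & 0xF0) == 0xD0


def fingerprint(port: int, response: bytes) -> str:
    """Classify a service by what it says in its handshake, not by its port."""
    if response.startswith(b"SSH-"):
        return "ssh"
    if response.startswith(b"HTTP/1.") or response.startswith(b"HTTP/2"):
        return "http"
    if is_rdp_connection_confirm(response):
        return "rdp"
    if response.startswith(b"\xff\xfb") or response.startswith(b"\xff\xfd"):
        return "telnet"                    # IAC WILL / IAC DO option negotiation
    if response.startswith(b"RFB "):
        return "vnc"
    return f"unknown/{port}"


def reconcile(observations, system_of_record=SYSTEM_OF_RECORD,
              forbidden=FORBIDDEN_SERVICES):
    """Compare (ip, port, handshake bytes) observations with the system of record."""
    findings = []
    for ip, port, response in observations:
        service = fingerprint(port, response)
        expected = system_of_record.get((ip, port))
        if service in forbidden:
            findings.append(Finding(ip, port, service, "critical",
                                    "policy forbids this service on the public Internet"))
        elif expected is None:
            findings.append(Finding(ip, port, service, "unexpected",
                                    "not in system of record"))
        elif expected != service:
            findings.append(Finding(ip, port, service, "unexpected",
                                    f"system of record says {expected}"))
        else:
            findings.append(Finding(ip, port, service, "ok", "matches system of record"))
    return findings


def summarize(findings):
    """Count findings per severity, the number an exposure dashboard would track."""
    return {sev: sum(1 for f in findings if f.severity == sev)
            for sev in ("critical", "unexpected", "ok")}


# Constructed RDP reply: TPKT header, X.224 Connection Confirm, RDP_NEG_RSP.
RDP_CONNECTION_CONFIRM = bytes.fromhex(
    "03000013"            # TPKT: version 3, reserved, total length 19
    "0ed00000123400"      # X.224 CC: LI=14, type 0xD0, dst-ref, src-ref, class 0
    "0200080000000000"    # RDP_NEG_RSP: type 2, flags 0, length 8, PROTOCOL_RDP
)

# Constructed observations, as a scanner of your own estate would report them.
OBSERVATIONS = [
    ("203.0.113.10", 22, b"SSH-2.0-OpenSSH_8.4\r\n"),
    ("203.0.113.20", 80, b"HTTP/1.1 200 OK\r\n"),
    ("203.0.113.30", 3389, RDP_CONNECTION_CONFIRM),        # RDP nobody recorded
    ("203.0.113.20", 8443, b"HTTP/1.1 403 Forbidden\r\n"),  # extra web service
    ("203.0.113.40", 3389, b"SSH-2.0-OpenSSH_8.4\r\n"),    # port says RDP, handshake says SSH
]

if __name__ == "__main__":
    for f in reconcile(OBSERVATIONS):
        print(f"{f.severity:10} {f.ip}:{f.port:<5} {f.service:12} {f.reason}")
```

Run as a script it prints one line per observation; the RDP host is flagged critical because the handshake, not the port, proved it is RDP, and the host answering SSH on 3389 is reported as an unrecorded SSH service rather than a false RDP alarm.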

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
