Dark Reading is part of the Informa Tech Division of Informa PLC

Threat Intelligence

04:19 PM

Attackers Took 5 Minutes to Start Scanning for Exchange Server Flaws

Research underscores the acceleration of attack activity and points to a growing concern that defenders can't keep pace.

Criminals began to scan the Internet for vulnerable Microsoft Exchange Servers within five minutes of the disclosure of critical zero-day flaws patched in early March, researchers report.

In the "2021 Cortex Xpanse Attack Surface Threat Report," Palo Alto Networks researchers examine threat data from 50 organizations, and some 50 million IP addresses, collected in the first quarter. Their analysis reveals attackers scan to inventory vulnerable Internet assets once per hour, and even more often, within 15 minutes or less, following the disclosure of CVEs.

"When an exploit is published, the time from then until when we start to see follow-on scanning spike in volume is now just minutes," says Tim Junio, senior vice president of products for Cortex at Palo Alto Networks. "That is a huge change from a few years ago."

Within five minutes of Microsoft's disclosure of the Exchange Server vulnerabilities, Junio says people from around the world were scanning for exposed servers. There are several factors working in attackers' favor, such as cost: The report notes criminals would only need about $10 to rent the cloud computing power they need for an "imprecise scan" for vulnerable systems.
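The figures above (five minutes for Exchange, 15 minutes or less for other disclosures) are the kind of number a defender can measure for their own perimeter. The following is an added example, not code from the Dark Reading article, the Cortex Xpanse report or Palo Alto Networks: it reads firewall log lines, treats post-disclosure connections to the affected port from source addresses never seen there before as probes, and reports minutes-to-first-probe and distinct new sources per 15-minute window. The log format, the documentation-range addresses and the disclosure timestamp are all constructed assumptions.

```python
"""Added example (not code from the Dark Reading article or the Cortex Xpanse
report): measure how soon after a vulnerability disclosure inbound probing of
the affected service began, from perimeter firewall logs. The log format, the
addresses (documentation ranges) and the disclosure time are constructed."""
from collections import defaultdict
from datetime import datetime
import re

# Assumed log line shape: "<ISO timestamp> action=<allow|deny> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse(lines):
    """Yield (timestamp, source address, destination port); skip unparseable lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def probes(lines, disclosed_at, port):
    """Post-disclosure hits on `port` from sources never seen on that port before
    the disclosure. Counting only new sources keeps ordinary clients (mail users
    reaching OWA, for instance) out of the probe count."""
    events = list(parse(lines))
    baseline = {src for ts, src, dport in events if dport == port and ts < disclosed_at}
    return sorted((ts, src) for ts, src, dport in events
                  if dport == port and ts >= disclosed_at and src not in baseline)


def minutes_to_first_probe(lines, disclosed_at, port):
    """Minutes from disclosure to the first probe, or None if no probe was seen."""
    hits = probes(lines, disclosed_at, port)
    return (hits[0][0] - disclosed_at).total_seconds() / 60 if hits else None


def new_sources_per_bin(lines, disclosed_at, port, bin_minutes=15):
    """Distinct probing sources per `bin_minutes` window after disclosure; a
    high count in the first bins is the scanning spike the report describes."""
    buckets = defaultdict(set)
    for ts, src in probes(lines, disclosed_at, port):
        idx = int((ts - disclosed_at).total_seconds() // (bin_minutes * 60))
        buckets[idx].add(src)
    return {idx: len(srcs) for idx, srcs in sorted(buckets.items())}


# Constructed sample: an Exchange host at 203.0.113.5 serving HTTPS (tcp/443).
# The disclosure time is an assumed value, not Microsoft's actual timestamp.
DISCLOSED_AT = datetime(2021, 3, 2, 18, 0, 0)
SAMPLE_LOG = """\
2021-03-02T17:30:00 action=allow src=198.51.100.7 dst=203.0.113.5 dport=443
2021-03-02T18:04:10 action=allow src=192.0.2.11 dst=203.0.113.5 dport=443
2021-03-02T18:05:00 action=allow src=198.51.100.7 dst=203.0.113.5 dport=443
2021-03-02T18:09:00 action=allow src=192.0.2.12 dst=203.0.113.5 dport=443
2021-03-02T18:13:30 action=deny src=192.0.2.13 dst=203.0.113.5 dport=443
2021-03-02T18:20:00 action=allow src=192.0.2.14 dst=203.0.113.5 dport=443
2021-03-02T18:22:00 action=allow src=192.0.2.11 dst=203.0.113.5 dport=443
2021-03-02T18:40:00 action=allow src=192.0.2.15 dst=203.0.113.5 dport=22
""".splitlines()

if __name__ == "__main__":
    print("minutes to first probe:", minutes_to_first_probe(SAMPLE_LOG, DISCLOSED_AT, 443))
    print("new sources per 15-min bin:", new_sources_per_bin(SAMPLE_LOG, DISCLOSED_AT, 443))
```

On the constructed log the first new source arrives about four minutes after disclosure, three distinct new sources appear in the first 15-minute bin and two in the second; the pre-disclosure client 198.51.100.7 is excluded even though it connects again afterwards. Against real logs the same two numbers, compared with the time the patch was actually applied, show how much of the exposure window the report describes an organization actually lived through.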

The ease of scanning for vulnerable systems has also driven an increase in both analysts and criminals who scan for vulnerabilities and infrastructure. To identify new victims, scanners need only a target, usually a list of IPs or a particular flaw, researchers note. Junio acknowledges some of these scans could be legitimate security researchers, though likely not all of them. In the past five years, attackers have perfected techniques that scale at speed, the report states.

Organizations' comparatively slow response also gives them an edge. Global enterprises need an average of 12 hours to detect vulnerable systems, researchers report, and this assumes businesses know about all assets on their network. The fastest ones patched vulnerable Exchange Servers within days, Junio notes, but many large businesses took weeks to do it.

"That is actually really hard to do if you don't have an up-to-date inventory of everything that's running on your network," he says, adding that many organizations don't have a complete list.

Junio believes attackers' quick response to the Exchange Server flaws is not a one-off event but part of a growing trend. As researchers were analyzing data for this report, they noticed scans begin within 15 minutes of disclosures for flaws in other Internet-facing products, he says.

Although these disclosures were all fairly recent, Junio warns attackers take advantage of old flaws because they know some companies won't patch. He uses Conficker, a threat first spotted in 2008, as an example of one that continues to be detected on target machines. The worm propagates through removable media and network drives, and by exploiting CVE-2008-4250, a vulnerability in the Server service in legacy Windows versions such as Windows 2000, Server 2002, and Server 2008.

"If you get into an environment, you want to try all of these old options because there's a really good chance that some of them will still work," he says. "For that to be cleaned up effectively, you have to have really good network segmentation and defense in depth, and you need to have a great patch management program." All of these make an "extremely complicated mosaic of what is enterprise IT."

Researchers found global enterprises encountered new serious vulnerabilities every 12 hours. These included insecure remote access via RDP, Telnet, SNMP, VNC, and others; database servers; and exposure to zero-day flaws in products such as Exchange Server. This doesn't mean every issue is going to become a serious breach, Junio says, but it does mean there are windows for a scanning attacker to find their way in.

RDP Continues to Put Businesses At Risk

Remote Desktop Protocol (RDP), which has spiked in usage over the past year, made up 32% of the security issues researchers examined. Analysis revealed frequent scanning for port 3389, the port reserved for RDP, and Palo Alto Networks' Unit 42 response team has observed this scanning is often followed by credential brute-forcing or the use of basic credential-cracking tools.

"The severity of what could happen if you have a compromised RDP host is a pretty wide range," Junio says. A compromised host could become part of a botnet, for example, or if an attacker specifically targets one host, it could be an entry point for further escalation or ransomware. Researchers note RDP is among the most common gateways for ransomware.

It's common to see organizations with a policy stating RDP should not be on the public Internet, yet it is exposed anyway. Sometimes this happens because employees' devices are not properly configured, he adds. In other cases, it's tough to differentiate what is private and what is public from the vantage point of someone in DevOps working on cloud infrastructure.

"It's not as easy as, 'these are Internet-facing and these are private,'" he explains. "Software products are not really designed that way." RDP may be permitted for Internet applications, and organizations may not be aware they're actually public-facing.

Researchers advise organizations to create a system of record to track all assets, systems, and services they own that are on the public Internet, including across major cloud service providers and commercial and residential ISP space. They also recommend using a full protocol handshake to verify details about a specific service running at a given IP address.
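The two recommendations above, a system of record for everything exposed and a full protocol handshake to confirm what is really listening, together with the RDP-against-policy problem described earlier, can be turned into a small reconciliation check. The following is an added example, not code from the Dark Reading article, the Cortex Xpanse report or Palo Alto Networks: it compares externally observed listeners against an inventory that records which public ports each owner has approved, and it identifies RDP by the X.224 Connection Confirm an RDP listener returns inside a TPKT frame (MS-RDPBCGR section 2.2.1.2) rather than by trusting the port number. The asset records, documentation-range addresses and captured bytes are constructed.

```python
"""Added example (not code from the Dark Reading article, the Cortex Xpanse
report or Palo Alto Networks): reconcile a system of record of Internet-facing
assets against what was actually observed listening, and confirm a recorded
RDP service by its protocol handshake rather than by its port number. Asset
records, addresses (documentation ranges) and captured bytes are constructed."""
from dataclasses import dataclass

# Exposed remote-access services the report counts as security issues.
RISKY_SERVICES = {3389: "RDP", 23: "Telnet", 161: "SNMP", 5900: "VNC"}


@dataclass(frozen=True)
class Asset:
    ip: str
    owner: str
    allowed_public_ports: frozenset  # what policy permits this host to expose


@dataclass(frozen=True)
class Observation:
    ip: str
    port: int
    response: bytes  # first bytes the listener returned to a protocol-level request


def looks_like_rdp(response: bytes) -> bool:
    """True if `response` is an X.224 Connection Confirm inside a TPKT frame,
    which is what an RDP listener returns to a Connection Request
    (MS-RDPBCGR section 2.2.1.2). TPKT: version 3, reserved 0, 16-bit length;
    X.224: length indicator, then TPDU code 0xD0 for Connection Confirm."""
    if len(response) < 7:
        return False
    tpkt_ok = response[0] == 0x03 and response[1] == 0x00
    declared_len = int.from_bytes(response[2:4], "big")
    return tpkt_ok and declared_len == len(response) and response[5] == 0xD0


def reconcile(inventory, observations):
    """Compare external observations with the system of record. Findings are
    (kind, ip, port, service) tuples in observation order."""
    by_ip = {a.ip: a for a in inventory}
    findings = []
    for obs in observations:
        asset = by_ip.get(obs.ip)
        service = RISKY_SERVICES.get(obs.port, f"tcp/{obs.port}")
        if asset is None:
            # Nobody owns this address: the inventory itself is incomplete.
            findings.append(("unknown-asset", obs.ip, obs.port, service))
            continue
        if obs.port in RISKY_SERVICES and obs.port not in asset.allowed_public_ports:
            # Policy says this should not be public, but it is.
            findings.append(("policy-violation", obs.ip, obs.port, service))
        # A port number is not proof of the service; check the handshake.
        if obs.port == 3389 and not looks_like_rdp(obs.response):
            findings.append(("handshake-mismatch", obs.ip, obs.port, "not RDP"))
        elif obs.port != 3389 and looks_like_rdp(obs.response):
            findings.append(("rdp-on-nonstandard-port", obs.ip, obs.port, "RDP"))
    return findings


# Constructed sample data.
RDP_CONNECTION_CONFIRM = bytes.fromhex("030000130ed00000123400020f080002000000")
TLS_SERVER_HELLO_START = bytes.fromhex("160303004a020000")  # TLS record, handshake type 2
TELNET_IAC_DO = b"\xff\xfd\x18"  # Telnet IAC DO TERMINAL-TYPE

SAMPLE_INVENTORY = [
    Asset("198.51.100.10", "web-team", frozenset({443})),
    Asset("198.51.100.20", "it-ops", frozenset({3389})),
]
SAMPLE_OBSERVATIONS = [
    Observation("198.51.100.10", 443, TLS_SERVER_HELLO_START),
    Observation("198.51.100.10", 3389, RDP_CONNECTION_CONFIRM),  # RDP where policy forbids it
    Observation("198.51.100.20", 3389, RDP_CONNECTION_CONFIRM),  # permitted exposure
    Observation("198.51.100.20", 8443, RDP_CONNECTION_CONFIRM),  # RDP on an HTTPS-looking port
    Observation("198.51.100.30", 23, TELNET_IAC_DO),  # host missing from the inventory
]


def run_example():
    return reconcile(SAMPLE_INVENTORY, SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the constructed data this yields three findings: RDP exposed on the web team's host against policy, an RDP listener on tcp/8443 that a port-based inventory would have recorded as HTTPS, and a Telnet listener on an address the system of record does not know about at all. The last kind is the one Junio's remark about incomplete inventories points at: a reconciliation can only flag policy violations for hosts somebody has claimed, so unknown assets need an owner before the policy check means anything.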

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
