The more things change, the more they appear to remain the same — at least as far as some enterprise cybersecurity practices go.
A new analysis of data from security incidents that Kaspersky responded to in 2020 shows 63% resulted from poor patching and password management practices.
Though newly discovered vulnerabilities tend to attract a lot of attention and concern, Kaspersky found only a relatively small proportion of incidents it investigated last year involved vulnerabilities discovered in 2020. In most other instances, attackers used older vulnerabilities, including at least one from 2017, that enterprise organizations should have patched long ago.
Adversaries act as businesses: They pay attention to the costs and know the most cost-efficient attacks are those that target low-hanging, easily accessible security issues, says Gleb Gritsai, head of security services at Kaspersky. "A lot of victims happen to be aware of existing security issues — [such as] lack of security patches and bad passwords — or suspicious behavior that was not properly investigated," he says. "Did they need expensive and stellar security solutions, and complex security controls to prevent or detect incidents? No, just security basics to minimize attack surface," Gritsai says.
Kaspersky's analysis shows brute-force attacks on enterprise systems surged from 13% of all incidents in 2019 to 31.6% of incidents the security vendor investigated last year. Brute-force attacks involve the use of automated trial-and-error methods to crack passwords. While they rarely work — or take a lot of time — against strong passwords, attackers have used the technique successfully for years to crack weak and commonly used passwords.
Kaspersky described the surge in brute-force attacks as likely tied to the shift to a more distributed and hybrid work environment since the global COVID-19 pandemic began. Gritsai says the increase in remote work led to a loosening of security controls for publicly available systems as organizations sidetracked security for the sake of business operations. This presented attackers with more systems protected with password-based authentication that they could target with brute-force attacks.
In theory, at least, brute-force attacks are supposedly easy to detect. "All security solutions are packed with base detection rules for brute-force attack, and it should be easy to spot a critical alert in a console," Gritsai says. But issues with the visibility of activity in infrastructure, or a lack of staff to monitor security alerts, can often result in brute-force attacks going mostly undetected until the impact is felt.
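The "base detection rule" Gritsai refers to is, at its simplest, a threshold on failed logins per source within a time window. The following is an added example, not code from the article or from Kaspersky, showing that rule as a defender would implement it over a constructed sshd-style log: it flags a source that exceeds the failure threshold, and escalates to a high-severity alert when a login from that same source then succeeds while the burst is still inside the window, which is the "impact is felt" case the article describes. The log lines, the 2020 year assumed for the syslog timestamps, and the threshold and window values are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log (not from the article): one source tries three
# accounts in quick succession and then gets in; another source is a normal
# user who mistyped once and later logged in with a key.
SAMPLE_LOG = """\
Jun 14 10:00:01 vpn-gw sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jun 14 10:00:02 vpn-gw sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Jun 14 10:00:03 vpn-gw sshd[2211]: Failed password for root from 198.51.100.7 port 51024 ssh2
Jun 14 10:00:04 vpn-gw sshd[2211]: Failed password for root from 198.51.100.7 port 51025 ssh2
Jun 14 10:00:05 vpn-gw sshd[2211]: Failed password for backup from 198.51.100.7 port 51026 ssh2
Jun 14 10:00:09 vpn-gw sshd[2211]: Accepted password for backup from 198.51.100.7 port 51027 ssh2
Jun 14 10:02:00 vpn-gw sshd[2300]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Jun 14 10:07:30 vpn-gw sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted ... for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

LOG_YEAR = 2020  # assumption: syslog timestamps carry no year


def parse_auth_log(log_text):
    """Yield (timestamp, source_ip, user, failed) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real pipeline would count these
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m["ip"], m["user"], m["result"] == "Failed"))
    events.sort(key=lambda e: e[0])
    return events


def _alert(severity, ip, ts, recent_failures, reason):
    return {
        "severity": severity,
        "ip": ip,
        "at": ts.isoformat(),
        "failures_in_window": len(recent_failures),
        "distinct_users": len({user for _, user in recent_failures}),
        "reason": reason,
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts for sources with >= `threshold` failed logins inside `window`.

    Sliding window per source IP. A first 'medium' alert fires once when the
    threshold is crossed; a 'high' alert fires if a login from that source
    succeeds while the failure burst is still within the window.
    """
    alerts = []
    recent = defaultdict(deque)  # source ip -> deque of (timestamp, user) failures
    already_flagged = set()
    for ts, ip, user, failed in parse_auth_log(log_text):
        q = recent[ip]
        while q and ts - q[0][0] > window:  # drop failures that aged out
            q.popleft()
        if failed:
            q.append((ts, user))
            if len(q) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(_alert("medium", ip, ts, q, "failed-login burst"))
        elif len(q) >= threshold:
            alerts.append(_alert("high", ip, ts, q,
                                 f"login for '{user}' succeeded after burst"))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample above the rule produces two alerts for 198.51.100.7 (a medium one at the fifth failure, spread over three distinct usernames, and a high one when the `backup` login succeeds four seconds later) and nothing for 192.0.2.10, whose single failure has aged out of the window by the time the key-based login arrives. The distinct-user count is worth carrying in the alert: many accounts from one source points at password spraying rather than a single forgotten password, which changes the triage priority.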
Exploits against systems with unpatched vulnerabilities were the second most common initial attack vector in 2020. Kaspersky's research showed 31.5% of the incidents it investigated involved vulnerability exploitation. The most exploited vulnerabilities were older ones, most notably CVE-2017-0144, the infamous Windows SMB remote code execution (RCE) vulnerability associated with the NSA's leaked EternalBlue exploit. The vulnerability and exploit were used in the worldwide WannaCry ransomware attacks in May 2017 and numerous other attacks. Most recently, Guardicore reported the vulnerability being abused to spread an SMB worm called "Indexsinas" on systems belonging to organizations in the Asia-Pacific region and North America.
Other older vulnerabilities that Kaspersky observed attackers exploiting frequently include CVE-2018-8453 and CVE-2019-11510. The former is a privilege escalation bug that Microsoft patched in October 2018 and has been exploited in various campaigns, including those involving the Sodinokibi ransomware family. CVE-2019-11510, meanwhile, is a remotely exploitable flaw in Pulse Connect Secure VPN devices that has been widely abused in numerous ransomware and other attacks and was the subject of a DHS advisory as recently as this April. Among the newer flaws that were widely exploited was CVE-2020-0796, a 2020 flaw in Microsoft Server Message Block 3.1.1 that once again was the subject of a DHS advisory because of the risk it presented to organizations.
"The most common vulnerabilities exploited [were] CVE-2019-11510 and CVE-2020-0796," Gritsai notes. "Software that is usually available in public with stable exploits leading to privileged access preferably integrated in Active Directory domain" are attractive targets for attacks. That's because exploiting such flaws gives attackers one-step access to a corporate network.
According to Kaspersky, results from its analysis showed that organizations can reduce the risk of security incidents by 30% simply by implementing an appropriate patch management policy and by up to 60% by having a robust password policy.