Threat actors scan the public web for vulnerable systems around the clock, racing enterprises to find exploitable vulnerabilities on those enterprises' networks, new data from Palo Alto Networks shows.
The researchers observed that when a critical vulnerability is disclosed, threat actors start new internet-wide scans within minutes of the disclosure.
Attackers try to find vulnerabilities in systems before they are patched, and companies want to find issues on their own networks before an attack, but companies move at a much slower pace.
Between January and March this year, the Palo Alto Networks Cortex Xpanse research team monitored internet scans of 50 million IP addresses belonging to 50 global enterprises, some of them in the Fortune 500.
The results are unsurprising but nevertheless disturbing: companies need an average of 12 hours to find a serious vulnerability, while attackers try to exploit it within an hour, and sometimes within minutes.
A third of the identified issues were related to the Remote Desktop Protocol (RDP), a popular target for ransomware actors. Other high-priority flaws were zero-day vulnerabilities in critical products, misconfigured database servers, and insecure remote access.
Attackers increased their scanning to once every 15 minutes when news broke about a critical bug in a networking device. For the ProxyLogon bugs in Microsoft Exchange Server and Outlook Web Access (OWA), the interval shrank to five minutes.
To limit the attack surface, Palo Alto Networks recommends that security teams check against the following list, which rests on two principles: some things should never be exposed to the public web, and assets that are secure today become vulnerable over time.
- Remote access services (e.g., RDP, VNC, TeamViewer)
- Unpatched systems vulnerable to public exploit and end-of-life (EOL) systems
- Insecure file-sharing/exchange services (e.g., SMB, NetBIOS)
- Unencrypted logins and text protocols (e.g., Telnet, SMTP, FTP)
- IT admin system portals
- Sensitive business operation applications (e.g., Jenkins, Grafana, Tableau)
- Weak and insecure/deprecated crypto
- Directly exposed Internet of Things (IoT) devices
- Exposed development infrastructure
- Insecure or abandoned marketing portals (which tend to run on Adobe Flash)
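The checklist above is only useful if it is applied continuously rather than once a quarter. The script below is an added example, not code from the Cortex Xpanse report or from Palo Alto Networks: it parses nmap "grepable" (`-oG`) output, which is assumed to come from a scheduled scan of your own public IP ranges, and maps each open port to one of the exposure categories from the list (remote access, insecure file sharing, unencrypted logins). The scan output embedded in the block is constructed for illustration; the addresses and hostname are not real, and the service-to-category table is an assumption you should tune to your environment.

```python
"""Flag internet-exposed services against the Cortex Xpanse checklist.

Added example. Input is nmap grepable output (nmap -sV -oG scan.gnmap ...),
assumed to be produced on a schedule against your own external ranges.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "host port service category")

# Service name as nmap reports it -> (label, checklist category).
# Assumption for the example: extend this to match your own exposures.
BY_SERVICE = {
    "ms-wbt-server": ("RDP", "remote access"),
    "vnc": ("VNC", "remote access"),
    "teamviewer": ("TeamViewer", "remote access"),
    "microsoft-ds": ("SMB", "insecure file sharing"),
    "netbios-ssn": ("NetBIOS", "insecure file sharing"),
    "telnet": ("Telnet", "unencrypted login"),
    "ftp": ("FTP", "unencrypted login"),
    "smtp": ("SMTP", "unencrypted login"),
}
# Fallback when nmap leaves the service field empty (no -sV, or unknown).
BY_PORT = {3389: "ms-wbt-server", 5900: "vnc", 5938: "teamviewer",
           445: "microsoft-ds", 139: "netbios-ssn", 23: "telnet",
           21: "ftp", 25: "smtp"}

# "Host: <ip> (<name>)<TAB>Ports: <entries><TAB>Ignored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")

# Constructed sample scan output (TEST-NET-3 addresses, not a real scan).
SAMPLE_SCAN = """# Nmap 7.91 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 443/open/tcp//https//nginx/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (997)
Host: 203.0.113.11 (legacy-ftp.example.net)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 203.0.113.12 ()\tPorts: 5900/open/tcp/////\tIgnored State: closed (999)
"""


def parse_grepable(text):
    """Yield (host, port, state, proto, service, version) per port entry.

    Each -oG port entry is port/state/proto/owner/service/rpcinfo/version/.
    """
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.group(1), m.group(3)
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than misreport
            yield host, int(fields[0]), fields[1], fields[2], fields[4], fields[6]


def classify(text):
    """Return Findings for every open TCP service on the checklist."""
    findings = []
    for host, port, state, proto, service, _version in parse_grepable(text):
        if state != "open" or proto != "tcp":
            continue  # filtered/closed ports are not exposure
        name = service or BY_PORT.get(port, "")
        if name in BY_SERVICE:
            label, category = BY_SERVICE[name]
            findings.append(Finding(host, port, label, category))
    return findings


def summarize(findings):
    """Count findings per checklist category for a quick exposure report."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    found = classify(SAMPLE_SCAN)
    for f in found:
        print(f"{f.host}:{f.port}  {f.service:<10} {f.category}")
    print(summarize(found))
```

Run it from a cron job or CI schedule against fresh `-oG` output and diff the findings against the previous run; a service that appears between two runs is exactly the "secure asset that became vulnerable over time" the list warns about, and the 15-minute attacker cadence described above is the budget you are working against.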
Palo Alto Networks attributes this lag in identifying risks to a flawed vulnerability management process in which enterprise security teams rely on a database of known vulnerabilities that has no data about a new issue until the database is updated.
“Typically, discovery of assets happens just once per quarter and uses a patchwork of scripts and programs the pen-testers have put together to find some of the infrastructure that is potentially vulnerable. Their methods are rarely comprehensive, however, and regularly fail to find all vulnerable infrastructure of a given organization,” Palo Alto Networks said.
Threat actors, by contrast, take advantage of cheap cloud computing power to run frequent internet-wide scans.