Hackers Scan for Vulnerable Systems Minutes After Bug Discovery, Outpacing Enterprises

Threat actors scan for vulnerable systems on the public web every hour in a race with enterprises to identify vulnerabilities on their networks that they can exploit, new data from Palo Alto show.

The researchers have seen that when a critical vulnerability is disclosed, threat actors start new internet-wide scans within minutes of the disclosure.

Attackers try to identify vulnerabilities in systems before they are patched, and companies want to identify issues on their networks before an attack, but the companies move at a much slower pace.

Between January and March this year, the Palo Alto Networks Cortex Xpanse research team monitored internet scans across 50 million IP addresses belonging to 50 global enterprises, some of them in the Fortune 500.

The results are not surprising but are nevertheless disturbing. Companies need an average of 12 hours to find a serious vulnerability, while attackers try to exploit it within an hour, and sometimes within minutes.

A third of the identified issues were related to the Remote Desktop Protocol (RDP), a popular target for ransomware actors. Other high-priority flaws were zero-day vulnerabilities in critical products, misconfigured database servers, and insecure remote access.

Attackers increased the frequency of their scans to one every 15 minutes when news broke about a critical bug in a networking device. In the case of the ProxyLogon bugs in Microsoft Exchange Server and the Outlook Web Access (OWA) issues, the interval dropped to five minutes.

To limit the attack surface, Palo Alto Networks recommends that security teams check against the following list, which is based on two principles: some services should never be exposed to the public web, and assets that are secure today become vulnerable over time.

  1. Remote access services (e.g., RDP, VNC, TeamViewer)
  2. Unpatched systems vulnerable to public exploit and end-of-life (EOL) systems
  3. Insecure file-sharing/exchange services (e.g., SMB, NetBIOS)
  4. Unencrypted logins and text protocols (e.g., Telnet, SMTP, FTP)
  5. IT admin system portals
  6. Sensitive business operation applications (e.g., Jenkins, Grafana, Tableau)
  7. Weak and insecure/deprecated crypto
  8. Directly exposed Internet of Things (IoT) devices
  9. Exposed development infrastructure
  10. Insecure or abandoned marketing portals (which tend to run on Adobe Flash)
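The checklist above is most useful when it is run continuously against an external asset inventory rather than once a quarter. The following is an added example, not Palo Alto Networks' or Cortex Xpanse's code: it takes a constructed inventory of internet-facing services and flags each one that falls into a checklist category. The port-to-category mapping, the product-name matching, the weak-TLS set and the small end-of-life table are all assumptions chosen for illustration; a production check would pull the EOL and vulnerability data from a maintained source.

```python
"""Attack-surface triage over an external asset inventory (added example).

Assumptions, not part of the original article: default ports for the
checklist protocols, product-name keywords, the deprecated TLS versions,
and a tiny EOL table. The sample inventory is constructed and uses the
203.0.113.0/24 documentation range.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    port: int
    service: str           # banner or product name as fingerprinted, lower-case
    tls_version: str = ""  # e.g. "TLSv1.0"; empty for plaintext services
    os: str = ""           # fingerprinted OS/product, if known


# Assumption: default ports for the protocols named in the checklist.
PORT_CATEGORIES = {
    3389: "remote access service (RDP)",
    5900: "remote access service (VNC)",
    5938: "remote access service (TeamViewer)",
    445: "insecure file-sharing service (SMB)",
    139: "insecure file-sharing service (NetBIOS)",
    137: "insecure file-sharing service (NetBIOS)",
    23: "unencrypted login (Telnet)",
    21: "unencrypted login (FTP)",
    25: "cleartext protocol (SMTP)",
}

# Assumption: product keywords that identify dev infrastructure, business
# applications and abandoned portals from the checklist.
SERVICE_CATEGORIES = {
    "jenkins": "exposed development infrastructure (Jenkins)",
    "gitlab": "exposed development infrastructure (GitLab)",
    "grafana": "sensitive business application (Grafana)",
    "tableau": "sensitive business application (Tableau)",
    "flash": "abandoned marketing portal (Adobe Flash)",
}

# Assumption: protocol versions counted as weak/deprecated crypto.
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Assumption: a deliberately tiny EOL table; use a maintained source in practice.
EOL_DATES = {
    "windows server 2008 r2": date(2020, 1, 14),
    "centos 6": date(2020, 11, 30),
}


def classify(asset: Asset, today: date) -> list[str]:
    """Return every checklist category the asset matches (empty if none)."""
    findings: list[str] = []
    if asset.port in PORT_CATEGORIES:
        findings.append(PORT_CATEGORIES[asset.port])
    for keyword, category in SERVICE_CATEGORIES.items():
        if keyword in asset.service.lower():
            findings.append(category)
    if asset.tls_version in WEAK_TLS:
        findings.append(f"weak/deprecated crypto ({asset.tls_version})")
    eol = EOL_DATES.get(asset.os.lower())
    if eol is not None and eol <= today:
        findings.append(f"end-of-life system ({asset.os}, EOL {eol.isoformat()})")
    return findings


def triage(inventory: list[Asset], today: date) -> dict[str, list[str]]:
    """Map "host:port" to its findings, keeping only assets with at least one."""
    report: dict[str, list[str]] = {}
    for asset in inventory:
        findings = classify(asset, today)
        if findings:
            report[f"{asset.host}:{asset.port}"] = findings
    return report


# Constructed sample inventory (documentation addresses, invented banners).
SAMPLE_INVENTORY = [
    Asset("203.0.113.10", 3389, "ms-wbt-server", os="Windows Server 2008 R2"),
    Asset("203.0.113.11", 443, "nginx", tls_version="TLSv1.2"),
    Asset("203.0.113.12", 8080, "Jenkins 2.x"),
    Asset("203.0.113.13", 23, "telnetd"),
    Asset("203.0.113.14", 443, "apache", tls_version="TLSv1.0"),
    Asset("203.0.113.15", 443, "grafana", tls_version="TLSv1.3"),
]

if __name__ == "__main__":
    for key, findings in triage(SAMPLE_INVENTORY, date.today()).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

The `today` parameter is passed in explicitly so the EOL check is deterministic and testable; in a scheduled job it would simply be `date.today()`. Matching on port numbers alone will miss services moved to non-default ports, which is why the example also matches on fingerprinted banners and why a real inventory should come from a scanner that identifies services by protocol rather than by port.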

Palo Alto attributes this lag in identifying risks to a flawed vulnerability management process in which enterprise security teams rely on a database of known vulnerabilities that has no data about new issues until the database receives an update.

“Typically, discovery of assets happens just once per quarter and uses a patchwork of scripts and programs the pen-testers have put together to find some of the infrastructure that is potentially vulnerable. Their methods are rarely comprehensive, however, and regularly fail to find all vulnerable infrastructure of a given organization,” Palo Alto Networks said.

Threat actors, by contrast, take advantage of cheap cloud computing power to run frequent internet-wide scans.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.