Examining the relationship between Vulnerability Announcements & the increase in attacks until mitigated

Overview of TIR-20210524

This report discusses the relationship between the time a new vulnerability is announced and the increase in observed attacks against the vulnerability until it can be patched. The public-facing internet attack surface of many businesses has expanded dramatically in recent years due to the decreasing cost of cloud computing and the need to support remote workers due to COVID-19.

Cortex Xpanse was the primary tool used to gather this information.

Tactics, Techniques, and Procedures

Threat actors have access to the same newsfeeds Security personnel monitor to stay appraised of new and ongoing dangers. The key difference is that when threat actors receive news of a newly discovered vulnerability, they do not need to account for the myriad of operational and legal complexities involved with patching a vulnerability. Instead, they race to exploit it.

The recently released Cortex Xpanse Attack Surface Threat Report indicates that malicious vulnerability scans began, on average, within 15 minutes of Common Vulnerabilities and Exposures announcements over three months between January and March. When Microsoft announced the Exchange Server zero-day vulnerabilities on March 2^nd, scans began as quickly as 5 minutes after the announcement.  

Actively scanning for known vulnerabilities is a widely acknowledged reconnaissance technique, and well-resourced threat actors (groups like ATP 28 and the Sandworm Team) can often rely on internal threat researchers who actively search for zero-day vulnerabilities. The difference here is, when a company like Microsoft announces zero-day vulnerabilities, it can take days for an enterprise to implement the proper patches. In contrast, a would-be attacker need only spend enough money (as little as $10 in some cases) to rent sufficiently powerful cloud-computing resources to begin scanning for the announced vulnerabilities.
(For the full range of scanning techniques, refer to the MITRE Mapping link in the Sources section below).

Business Unit Impact

• Unpatched vulnerabilities have an incalculable cost: money paid to attackers who load ransomware into the environment; blackmail against employees and customers who have lost data; revenue lost due to stolen intellectual property; legal advice & representation; incident response & recovery; and loss of reputation.
• Exploited vulnerabilities impact not only targeted enterprises and their c-suites. Clients and third-party vendors may become indirect victims and could even be targeted directly by a separate attack.

Our Recommendations

To minimize the chances of a network breach, it is best to implement an array of mutually supporting security practices. Basic practices include but are not limited to: ensuring AV software and associated files and signatures are up to date; implementing MFA, particularly on VPN connections, external-facing servers, and privileged accounts; ensuring backup and recovery strategies are routinely scheduled, updating and implement employee training, specifically for email and web-browsing; conducting regular inventories of network assets and decommissioning unused assets immediately upon discovery; implementing operating system security patches as soon as possible following the announcement of a vulnerability; disabling file and printer sharing services or (if such services are required) harden these services with strong passwords or AD authentication.

Once these basic measures are in place, more robust security measures can be taken to further harden the environment. More advanced practices include but are not limited to: implementing regular penetration testing and implementing the tester recommendations as soon as possible following a penetration test; having security personnel and analysts report signs of pen testing to verify legitimacy; develop a playbook for remediation upon discovery of a successful attack; a playbook that brings every department into a collaborative team before a breach so as to decrease the reactionary gap. 

Sources

• https://www.zdnet.com/article/cybercriminals-scanned-for-vulnerable-microsoft-exchange-servers-within-five-minutes-of-news-going-public/

• https://cybertechaccord.org/supports-gfce-call-for-cvd/

Supporting Documentation

• https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/cortex-xpanse-asm-report.pdf

MITRE Mapping(s)

• https://attack.mitre.org/techniques/T1595/002/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.