Attackers started scanning for vulnerabilities just 5 minutes after Exchange Server flaws were disclosed
Criminals began to scan the Internet for vulnerable Microsoft Exchange Servers within five minutes of the disclosure of critical zero-day flaws patched in early March, researchers report.
In the “2021 Cortex Xpanse Attack Surface Threat Report,” Palo Alto Networks researchers examine threat data from 50 organizations, and some 50 million IP addresses, collected in the first quarter. Their analysis reveals attackers scan to inventory vulnerable Internet assets once per hour and even more often — within 15 minutes or less — following the disclosure of CVEs.
“When an exploit is published, the time from then until when we start to see follow-on scanning spike in volume is now just minutes,” says Tim Junio, senior vice president of products for Cortex at Palo Alto Networks. “That is a huge change from a few years ago.”
Within five minutes of Microsoft’s disclosure of the Exchange Server vulnerabilities, Junio says people from around the world were scanning for exposed servers. There are several factors working in attackers’ favor, such as cost: The report notes criminals would only need about $10 to rent the cloud computing power they need for an “imprecise scan” for vulnerable systems.
The ease of scanning for vulnerable systems has also driven an increase in both analysts and criminals who scan for vulnerabilities and infrastructure. To identify new victims, scanners need only a target, usually a list of IPs or a particular flaw, researchers note. Junio acknowledges some of these scans could be legitimate security researchers, though likely not all of them. In the past five years, attackers have perfected techniques that scale at speed, the report states.
Organizations’ comparatively slow response also gives attackers an edge. Global enterprises need an average of 12 hours to detect vulnerable systems, researchers report, and this assumes businesses know about all assets on their network. The fastest ones patched vulnerable Exchange Servers within days, Junio notes, but many large businesses took weeks to do it.
“That is actually really hard to do if you don’t have an up-to-date inventory of everything that’s running on your network,” he says, adding that many organizations don’t have a complete list.
Junio believes attackers’ quick response to the Exchange Server flaws is not a one-off event but part of a growing trend. As researchers were analyzing data for this report, they noticed scans begin within 15 minutes of disclosures for flaws in other Internet-facing products, he says.
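The "time from disclosure to scanning spike" that the report measures at Internet scale can also be measured on a single organization's own perimeter logs, which is a useful input for prioritizing patching. The following script is an added example, not code from the article or from Palo Alto Networks: it parses web-server access-log lines, counts distinct source addresses per five-minute window, takes the busiest pre-disclosure window as a baseline, and reports how many seconds after the disclosure the first window exceeds that baseline by a chosen factor. The log lines, the disclosure timestamp, the `/owa/` path prefix and the thresholds are all constructed for illustration.

```python
"""Time from a vulnerability disclosure to the first spike in scanning volume,
measured from web-server access logs.

Added example; the log lines, disclosure time, path prefix and thresholds are
constructed assumptions, not data from the article or the report it cites."""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Combined-log-format parser (client IP, timestamp, method, path, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed disclosure time (illustrative, not the real advisory timestamp).
DISCLOSURE = datetime(2021, 3, 2, 18, 0, 0, tzinfo=timezone.utc)

# Constructed access-log lines: a trickle of normal traffic before disclosure,
# then many distinct sources probing the same path within minutes of it.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2021:17:40:05 +0000] "GET /owa/ HTTP/1.1" 200 512
198.51.100.3 - - [02/Mar/2021:17:48:30 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 812
203.0.113.7 - - [02/Mar/2021:17:55:12 +0000] "GET /owa/ HTTP/1.1" 200 512
203.0.113.7 - - [02/Mar/2021:18:01:00 +0000] "GET /healthz HTTP/1.1" 200 2
192.0.2.11 - - [02/Mar/2021:18:02:10 +0000] "GET /owa/ HTTP/1.1" 200 512
192.0.2.25 - - [02/Mar/2021:18:02:41 +0000] "GET /owa/auth/ HTTP/1.1" 200 512
198.51.100.77 - - [02/Mar/2021:18:03:05 +0000] "GET /owa/ HTTP/1.1" 200 512
203.0.113.90 - - [02/Mar/2021:18:03:33 +0000] "GET /owa/ HTTP/1.1" 200 512
192.0.2.140 - - [02/Mar/2021:18:04:02 +0000] "GET /owa/ HTTP/1.1" 200 512
198.51.100.8 - - [02/Mar/2021:18:04:50 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 812
"""


def parse_line(line):
    """Return (ip, aware datetime, path) for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def window_start(ts, width):
    """Floor a timestamp to the start of its fixed-width window (seconds)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)


def seconds_to_scan_spike(lines, disclosure, path_prefix="/owa/",
                          width=300, factor=3, min_sources=5):
    """Seconds from `disclosure` to the first request in the first window whose
    distinct-source count reaches max(factor * baseline, min_sources), where
    baseline is the busiest pre-disclosure window. Returns (seconds, sources)
    or None if no window after disclosure crosses the threshold."""
    pre = defaultdict(set)    # window -> set of source IPs before disclosure
    post = defaultdict(dict)  # window -> {source IP: first request time}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if not path.startswith(path_prefix):
            continue
        w = window_start(ts, width)
        if ts < disclosure:
            pre[w].add(ip)
        elif ip not in post[w] or ts < post[w][ip]:
            post[w][ip] = ts
    baseline = max((len(ips) for ips in pre.values()), default=0)
    threshold = max(factor * baseline, min_sources)
    for w in sorted(post):
        if len(post[w]) >= threshold:
            first_hit = min(post[w].values())
            return int((first_hit - disclosure).total_seconds()), len(post[w])
    return None


if __name__ == "__main__":
    result = seconds_to_scan_spike(SAMPLE_LOG.splitlines(), DISCLOSURE)
    if result is None:
        print("no scanning spike after disclosure")
    else:
        secs, n = result
        print(f"first spike {secs} s after disclosure ({n} distinct sources)")
```

The baseline is the busiest pre-disclosure window rather than an average, so ordinary bursts of legitimate traffic do not trip the threshold; `min_sources` keeps a near-idle host from flagging a handful of hits as a spike. Running the detector over real logs for the paths an Internet-facing product exposes gives a per-organization version of the "minutes, not hours" figure the article reports, and a spike arriving well before the 12-hour detection average is a concrete argument for maintaining the asset inventory the next paragraph describes.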
To read the complete article, visit Dark Reading.