Attackers began searching the Internet for unpatched Microsoft Exchange servers within five minutes of Microsoft’s security advisory disclosing four zero-day vulnerabilities in MS Exchange servers, according to the 2021 Cortex Xpanse Attack Surface Threat Report from Palo Alto Networks.
In March 2021, Microsoft discovered a new China-backed hacking group, which it dubbed Hafnium, targeting Exchange servers using a set of vulnerabilities known as ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). All four were described as input validation issues that allow remote code execution using specially crafted data sent to the Exchange server.
Palo Alto’s report compiles data from enterprise companies collected between January and March 2021. Altogether, the researchers monitored 50 million IP addresses associated with 50 global enterprises, including a subset of the Fortune 500.
According to the report, attackers scan the Internet to inventory vulnerable assets once per hour, and even more often — within 15 minutes or less — following the disclosure of new CVEs. On average, enterprises need 12 hours to find vulnerable systems, and that figure assumes the business already knows about every asset on its network.
Several factors allow cybercriminals to take advantage of new vulnerabilities more quickly. One of them is that “computing has become so inexpensive that a would-be attacker need only spend about $10 to rent cloud computing power to do an imprecise scan of the entire internet for vulnerable systems,” the report said.
The research also found that exposed Remote Desktop Protocol (RDP) was one of the most common security issues among enterprise networks, accounting for 32% of overall security weaknesses. Other commonly exposed vulnerabilities included misconfigured database servers, exposure to high-profile zero-day flaws, and insecure access via Telnet, SNMP, VNC, and other protocols. Cloud footprints were responsible for 79% of the most critical security issues found in global enterprises.
“The cloud is inherently connected to the internet and it’s surprisingly easy for new publicly accessible cloud deployments to spin up outside of normal IT processes, which means they often use insufficient default security settings and may even be forgotten,” the researchers said.