Buried mines remain a lethal threat for decades, and the same is true of IT security breaches. It is therefore a fatal fallacy to believe that a software vulnerability is no longer dangerous once it has been identified. Anyone who is careless and decides to postpone closing an urgently needed gap, because there are currently more important things to do in their own IT infrastructure, is badly mistaken: it is precisely this negligence that many hackers rely on, and they keep coming back to check whether the patch has failed to appear.
Hackers by no means withdraw from IT networks to look for new, unknown vulnerabilities elsewhere. Even a few years after a vulnerability was discovered, the number of systems that are still open is alarming. Barracuda security experts recently analyzed data from attacks blocked by Barracuda systems over the past two months. They found hundreds of thousands of automated scans and attacks, as well as thousands of scans, daily, for the recently patched vulnerabilities of Microsoft and VMware.
In the following, the attack patterns are examined in more detail and measures are shown that companies can use to protect their infrastructure.
Unpatched software vulnerabilities
The Microsoft Exchange vulnerabilities exploited by the Hafnium group were first disclosed in March 2021. The vulnerabilities that were exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows attackers to send arbitrary HTTP requests and authenticate as the Exchange server. CVE-2021-26855 is the attackers' preferred way of identifying vulnerable systems. The remaining vulnerabilities appear to be chained to it in order to carry out further exploitation, including the deployment of so-called webshells. A webshell is a malicious web-based interface that gives remote access to and control over a web server by executing arbitrary commands.
Since the beginning of March, the security analysts have observed an initially moderate and later significant increase in probing attempts for CVE-2021-26855. That activity continues to this day, with the number of probes rising at times and then falling back to a lower level.
A second drastic security vulnerability, CVE-2021-21972, affected more than 6,700 VMware vCenter servers that were reachable from the Internet at the beginning of the year. Criminals could take control of an unpatched server and from there infiltrate a company's entire network. Barracuda's analysts continued to observe regular scans for CVE-2021-21972. The number of probes did decrease, but it does not have to stay that way: these scans can be expected to increase again from time to time as attackers work through the list of known high-impact security vulnerabilities.
These two cases show that attackers continue to probe and exploit software vulnerabilities, particularly severe ones, long after patches and remedial measures have been released. Hackers count on IT teams' lack of time, which makes it difficult to keep up with constant patching.
Hackers also seem to take the weekend off
What do the attack patterns look like in detail? Whereas bots used to follow the course of a working day when carrying out their attacks, the working week is now the same for attackers and potential victims alike. This reveals the curious fact that most attackers seem to take the weekend off, even when running automated attacks. The reason is probably less an increased need for relaxation than the fact that it is easier to hide in the crowd of normal weekday activity than to set off an alarm by hitting little-used systems on the weekend.
Command injection ahead of SQL injection
How do the attacks break down across the common attack types of probing / fuzzing and attacks on application vulnerabilities (with WordPress the most popular target)? As a rule, SQL injection attacks lead, followed by command injection attacks and then all other attack types. During the period under investigation, however, command injection was by far the leader, including numerous attempts to inject commands against Windows. These attacks peaked over two weeks in June and then returned to normal levels. The other attacks were more or less at the expected level, and no specific attack patterns could be identified in the various categories. It is also imperative to enable HTTPS with Let's Encrypt integration and to ensure that the configuration is kept up to date so that the latest protocols can be used. The currently most secure protocols are TLS 1.3 and TLS 1.2. There are still deployments that use plain HTTP, and interestingly the plain HTTP traffic has a higher volume than the older, insecure SSL / TLS protocols.
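To make the two observations above concrete (the split into probing, SQL injection and command injection, and the weekday pattern of automated attacks), here is an added example that is not part of the original article and not Barracuda's code. It parses a handful of constructed web-server access-log lines, tags each request with a coarse attack category using simple, well-known signatures, and then counts the suspicious requests per weekday so the weekend dip can be checked on real logs. The log lines, the IP addresses and the signature lists are all assumptions made for the example; a production WAF uses far richer rules.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample in common log format (not real traffic). Dates chosen so that
# the attack lines fall on weekdays and the only weekend hits are a probe and a benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2021:09:12:01 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512
203.0.113.5 - - [07/Jun/2021:09:12:03 +0000] "GET /cgi-bin/test.cgi?cmd=%3Bcat%20/etc/passwd HTTP/1.1" 404 120
198.51.100.9 - - [08/Jun/2021:14:30:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
198.51.100.9 - - [08/Jun/2021:14:30:12 +0000] "POST /upload.asp?file=a.txt%26%26whoami HTTP/1.1" 403 0
192.0.2.77 - - [12/Jun/2021:03:01:45 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512
192.0.2.77 - - [13/Jun/2021:03:02:10 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')

# Shell metacharacter followed by a typical Unix or Windows command name
# (the Windows names cover the "commands against Windows" the article mentions).
CMD_INJECTION = re.compile(
    r"(?:;|\|\||&&|\|)\s*(?:cat|ls|id|whoami|uname|wget|curl|dir|type|cmd(?:\.exe)?|powershell|net|ping)\b",
    re.IGNORECASE,
)
# Classic tautology, UNION-based and time-based SQL injection markers.
SQL_INJECTION = re.compile(
    r"(?:'\s*(?:or|and)\s+\S+\s*=\s*\S+)|union\s+select|sleep\s*\(|benchmark\s*\(|information_schema",
    re.IGNORECASE,
)
# Paths that are mostly requested by scanners looking for WordPress and similar applications.
PROBE_PATHS = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php", "/.env", "/phpmyadmin/")


def parse_line(line: str):
    """Return a dict with the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method, "target": target, "status": int(status)}


def classify(target: str) -> str:
    """Coarse attack category for a request target; the URL is percent-decoded first."""
    decoded = unquote_plus(target)
    path = decoded.split("?", 1)[0]
    # Command injection is checked first: "; cat" style payloads also contain characters
    # that loose SQL rules might otherwise claim.
    if CMD_INJECTION.search(decoded):
        return "command_injection"
    if SQL_INJECTION.search(decoded):
        return "sql_injection"
    if path in PROBE_PATHS:
        return "probe"
    return "benign"


def analyze(log_text: str):
    """Count requests per category and suspicious requests per weekday name."""
    by_category: Counter = Counter()
    suspicious_by_weekday: Counter = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        category = classify(entry["target"])
        by_category[category] += 1
        if category != "benign":
            suspicious_by_weekday[entry["when"].strftime("%A")] += 1
    return by_category, suspicious_by_weekday


def weekend_share(suspicious_by_weekday: Counter) -> float:
    """Fraction of suspicious requests that arrived on Saturday or Sunday (0.0 if none at all)."""
    total = sum(suspicious_by_weekday.values())
    if total == 0:
        return 0.0
    weekend = suspicious_by_weekday["Saturday"] + suspicious_by_weekday["Sunday"]
    return weekend / total


if __name__ == "__main__":
    categories, weekdays = analyze(SAMPLE_LOG)
    print("by category:", dict(categories))
    print("suspicious by weekday:", dict(weekdays))
    print("weekend share: %.2f" % weekend_share(weekdays))
```

Run over the constructed sample, the script reports two command-injection requests, one SQL injection, two probes and one benign request, with only one of the five suspicious requests falling on the weekend. On a real log the interesting question is the same one the article raises: whether the weekend share of attack traffic drops in step with the weekend share of legitimate traffic, which is what makes weekend probes stand out.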
WAF or WAAP: but correctly configured
Attacks that try to exploit known software vulnerabilities often challenge IT teams simply by their number when it comes to finding the necessary countermeasures. So it is good to know that these countermeasures are consolidated in WAF / WAF-as-a-Service products, also known as Web Application and API Protection services (WAAP). Gartner defines WAAP services as the "evolution of cloud WAF services": WAAP services combine the cloud-based, as-a-service delivery of WAF, bot mitigation, DDoS protection and API security with a subscription model.
Organizations should definitely consider a WAF-as-a-Service or WAAP solution that includes bot mitigation, DDoS protection, API security, and credential stuffing protection – and make sure it is configured correctly.