Sergey Nivens -

Malicious scans for at-risk systems start minutes after disclosure

Statistics collated by Palo Alto Networks reveal malicious actors begin scanning the internet for systems at risk of new CVEs within minutes

Malicious actors begin to scan for at-risk systems within an average of 15 minutes of the disclosure of a new Common Vulnerability and Exposure (CVE), and in many instances much quicker than that – scans for vulnerable Microsoft Exchange Server deployments began within five minutes back in March 2021.

This is according to newly released statistics collated by Palo Alto Networks’ Cortex Xpanse research team, which studied the public-facing attack surfaces of 50 global enterprises between January and March, monitoring scans of 50 million IP addresses.

It should come as no surprise that whenever a new CVE surfaces, the starting gun is fired on a race between attackers and defenders, but Palo Alto said there was currently a clear advantage for attackers – noting that it costs only around $10 to rent enough cloud computing power to do an imprecise scan of the entire internet.

“We know from the surge in successful attacks that adversaries are regularly winning races to patch new vulnerabilities. It’s hard to ignore the increasingly common first-hand experiences with breaches disrupting our digital lives, as well as the continuous flow of news reports chronicling the surge in cyber extortion,” said the research team in their report.

“Adversaries work around the clock to find vulnerable systems on enterprise networks that are exposed on the open internet. Exposure of enterprise systems has expanded dramatically over the past year to support remote workers. On a typical day, attackers conducted a new scan once every hour, whereas global enterprises can take weeks.”

Commenting on the headline findings, Travis Biehn, principal security consultant at Synopsys Software Integrity Group, said it was obvious why the good guys were lagging behind, as patching processes can take days, forcing defenders to rely on compensating controls to attempt to block and mitigate, or at the very least detect, new attacks in the short term.

However, he said: “The most sophisticated attackers, those who have clear objectives and targets known far in advance, map the corporate network footprint across private datacentres and cloud in advance.

“They also have automation and infrastructure ready to take advantage of new vulnerabilities before defences can kick in,” said Biehn.

The 2021 Cortex xpanse attack surface threat report found that nearly a third of vulnerabilities were due to issues with the widely used remote desktop protocol (RDP) – again unsurprising given the surge in its use to support remote workers. Because it can provide direct administrator access to critical systems such as servers, RDP has become one of the most easily and widely exploited gateways for ransomware attacks.

Other widely exposed vulnerabilities included misconfigured database servers, exposure to publicised zero-days (such as Microsoft Exchange ProxyLogon et al), and insecure remote access through protocols such as Telnet, Simple Network Management Protocol (SNMP), and Virtual Network Computing (VNC). Again, many of these exposures offer direct access to exploited, although they are easily patched.

The team also found cloud footprints were responsible for 79% of the most critical security problems at the enterprises it studied, highlighting how the nature of cloud computing increases risk in modern infrastructure.

Biehn added: “Minimising the exposed footprint and maximising zero-trust approaches, in light of mobile workforce considerations, is one strategy to tilt the balance in favour of defenders. Organisations should seek to understand what view attackers can build and what listening services are most likely to suffer in the event of exploitation.”

Read more about vulnerability disclosure

Read more on Hackers and cybercrime prevention

Data Center
Data Management