Most companies have high-risk vulnerabilities on their network perimeter

Positive Technologies performed instrumental scanning of the network perimeter of selected corporate information systems. A total of 3,514 hosts were scanned, including network devices, servers, and workstations.

network perimeter vulnerabilities

The results show the presence of high-risk vulnerabilities at most companies. However, half of these vulnerabilities can be eliminated by installing the latest software updates.

The research shows high-risk vulnerabilities at 84% of companies across finance, manufacturing, IT, retail, government, telecoms and advertising. One or more hosts with a high-risk vulnerability having a publicly available exploit are present at 58% of companies.

Publicly available exploits exist for 10% of the vulnerabilities found, which means attackers can exploit them even if they don’t have professional programming skills or experience in reverse engineering. However, half of the vulnerabilities can be eliminated by installing the latest software updates.

The detected vulnerabilities are caused by the absence of recent software updates, outdated algorithms and protocols, configuration flaws, mistakes in web application code, and accounts with weak and default passwords.

Vulnerabilities can be fixed by installing the latest software versions

As part of the automated security assessment of the network perimeter, 47% of detected vulnerabilities can be fixed by installing the latest software versions.

All companies had problems with keeping software up to date. At 42% of them, PT found software for which the developer had announced the end of life and stopped releasing security updates. The oldest vulnerability found in automated analysis was 16 years old.

Analysis revealed remote access and administration interfaces, such as Secure Shell (SSH), Remote Desktop Protocol (RDP), and Network Virtual Terminal Protocol (Internet) TELNET. These interfaces allow any external attacker to conduct bruteforce attacks.

Attackers can bruteforce weak passwords in a matter of minutes and then obtain access to network equipment with the privileges of the corresponding user before proceeding to develop the attack further.

Ekaterina Kilyusheva, Head of Information Security Analytics Research Group of Positive Technologies said: “Network perimeters of most tested corporate information systems remain extremely vulnerable to external attacks.

“Our automated security assessment proved that all companies have network services available for connection on their network perimeter, allowing hackers to exploit software vulnerabilities and bruteforce credentials to these services.

“Even in 2020, there are still companies vulnerable to Heartbleed and WannaCry. Our research found systems at 26% of companies are still vulnerable to the WannaCry encryption malware.”

Minimizing the number of services on the network perimeter is recommended

Kilyusheva continued: “At most of the companies, experts found accessible web services, remote administration interfaces, and email and file services on the network perimeter. Most companies also had external-facing resources with arbitrary code execution or privilege escalation vulnerabilities.

“With maximum privileges, attackers can edit and delete any information on the host, which creates a risk of DoS attacks. On web servers, these vulnerabilities may also lead to defacement, unauthorized database access, and attacks on clients. In addition, attackers can pivot to target other hosts on the network.

“We recommend minimizing the number of services on the network perimeter and making sure that accessible interfaces truly need to be available from the Internet. If this is the case, it is recommended to ensure that they are configured securely, and businesses install updates to patch any known vulnerabilities.

“Vulnerability management is a complex task that requires proper instrumental solutions,” Kilyusheva added. “With modern security analysis tools, companies can automate resource inventories and vulnerability searches, and also assess security policy compliance across the entire infrastructure. Automated scanning is only the first step toward achieving an acceptable level of security. To get a complete picture, it is vital to combine automated scanning with penetration testing. Subsequent steps should include verification, triage, and remediation of risks and their causes.”

Layered security becomes critical as malware attacks rise

Despite an 8% decrease in overall malware detections in Q2 2020, 70% of all attacks involved zero day malware – variants that circumvent antivirus signatures, which represents a 12% increase over the previous quarter, WatchGuard found.

malware detections Q2 2020

Malware detections during Q2 2020

Attackers are continuing to leverage evasive and encrypted threats. Zero day malware made up more than two-thirds of the total detections in Q2, while attacks sent over encrypted HTTPS connections accounted for 34%. This means that organizations that are not able to inspect encrypted traffic will miss a massive one-third of incoming threats.

Even though the percentage of threats using encryption decreased from 64% in Q1, the volume of HTTPS-encrypted malware increased dramatically. It appears that more administrators are taking the necessary steps to enable HTTPS inspection, but there’s still more work to be done.

“Businesses aren’t the only ones that have adjusted operations due to the global COVID-19 pandemic – cyber criminals have too,” said Corey Nachreiner, CTO of WatchGuard.

“The rise in sophisticated attacks, despite the fact that overall malware detections declined in Q2 2020, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defences simply can’t catch.

“Every organization should be prioritising behaviour-based threat detection, cloud-based sandboxing, and a layered set of security services to protect both the core network, as well as remote workforces.”

JavaScript-based attacks are on the rise

The scam script Trojan.Gnaeus made its debut at the top of WatchGuard’s top 10 malware list for Q2, making up nearly one in five malware detections. Gnaeus malware allows threat actors to hijack control of the victim’s browser with obfuscated code, and forcefully redirect away from their intended web destinations to domains under the attacker’s control.

Another popup-style JavaScript attack, J.S. PopUnder, was one of the most widespread malware variants last quarter. In this case, an obfuscated script scans a victim’s system properties and blocks debugging attempts as an anti-detection tactic.

To combat these threats, organizations should prevent users from loading a browser extension from an unknown source, keep browsers up to date with the latest patches, use reputable adblockers and maintain an updated anti-malware engine.

Attackers increasingly use encrypted Excel files to hide malware

XML-Trojan.Abracadabra is a new addition to the top 10 malware detections list, showing a rapid growth in popularity since the technique emerged in April.

Abracadabra is a malware variant delivered as an encrypted Excel file with the password “VelvetSweatshop”, the default password for Excel documents. Once opened, Excel automatically decrypts the file and a macro VBA script inside the spreadsheet downloads and runs an executable.

The use of a default password allows this malware to bypass many basic antivirus solutions since the file is encrypted and then decrypted by Excel. Organizations should never allow macros from an untrusted source, and leverage cloud-based sandboxing to safely verify the true intent of potentially dangerous files before they can cause an infection.

An old, highly exploitable DoS attack makes a comeback

A six-year-old DoS vulnerability affecting WordPress and Drupal made an appearance on a list of top 10 network attacks by volume in Q2. This vulnerability is particularly severe because it affects every unpatched Drupal and WordPress installation and creates DoS scenarios in which bad actors can cause CPU and memory exhaustion on underlying hardware.

Despite the high volume of these attacks, they were hyper-focused on a few dozen networks primarily in Germany. Since DoS scenarios require sustained traffic to victim networks, this means there’s a strong likelihood that attackers were selecting their targets intentionally.

Malware domains leverage command and control servers to wreak havoc

Two new destinations made top malware domains list in Q2. The most common was findresults[.]site, which uses a C&C server for a Dadobra trojan variant that creates an obfuscated file and associated registry to ensure the attack runs and can exfiltrate sensitive data and download additional malware when users start up Windows systems.

One user alerted the WatchGuard team to Cioco-froll[.]com, which uses another C&C server to support an Asprox botnet variant, often delivered via PDF document, and provides a C&C beacon to let the attacker know it has gained persistence and is ready to participate in the botnet.

DNS firewalling can help organizations detect and block these kinds of threats independent of the application protocol for the connection.