The breach of SolarWinds and its Orion Platform software captivated our collective attention in the final weeks of 2020. While arguably it was, and continues to be, considered the most significant event of the year, it is not the attack path most organisations should fear.
As Satnam Narang, staff research engineer at Tenable, says, while backdoors in cybersecurity software might capture the headlines, attackers are far more predictable in their tactics. Threat actors are creatures of habit. They like to do what they know will work, and exploiting unpatched vulnerabilities presents a rich vein for them to tap.
When you examine the data, troublingly, threat actors are relying on unpatched vulnerabilities in their attacks. These ‘broken windows’ are primarily used to gain initial access into a target network. From there, the attackers can leverage serious vulnerabilities like Zerologon in order to elevate privileges, granting themselves the ability to gain access to domain controllers within the network.
Last year, government agencies issued several advisories warning about attackers leveraging vulnerabilities that had patches available, yet remained unmitigated. However, not all vulnerabilities are created equal. In fact, according to Tenable’s research of high-profile vulnerabilities in 2020, not all critical vulnerabilities had a name and/or logo given to them.
Conversely, not every vulnerability that did have a name and logo assigned was seen as critical. Instead, other factors need to be considered when weighing the severity of a vulnerability, including the presence of proof-of-concept (PoC) exploit code and ease of exploitation.
Given the dramatic changes necessitated by the COVID-19 pandemic, the uncertainty is a bonus for cybercriminals. As governments globally mandated that citizens limit movement, there was an unprecedented shift to remote working for businesses and to distance learning for schools.
This created a brand new set of security challenges, from relying on tools such as virtual private networks (VPNs) and remote desktop protocol (RDP) to introducing new applications for video conferencing. Pre-existing vulnerabilities in VPN solutions, many of which were initially disclosed in 2019 or earlier, proved a favourite target for cybercriminals and nation-state groups in 2020.
While attackers favour known vulnerabilities, some zero-days were exploited in 2020. Web browsers, particularly Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge, were the primary targets, accounting for more than 35% of all zero-day vulnerabilities exploited in the wild. Considering that the browser is the gateway to the internet, patching these assets is essential to the security of the enterprise network.
What this teaches us
As the attack surface expands, vulnerability management has a central role to play in modern cybersecurity strategies. Unpatched vulnerabilities leave sensitive data and critical business systems exposed and represent lucrative opportunities for ransomware actors.
Remediation needs to be handled with a risk-based approach, with a clear understanding of the impact patching will have on business operations, before deploying to a live environment. This is no small task for an organisation of any size, and can be especially difficult for those with large and diverse environments. Modern vulnerability management can be broken down into the following key stages:
- Identify and remove unnecessary services and software
- Limit reliance on third-party libraries
- Implement a secure software development lifecycle
- Practice accurate asset detection across the entire attack surface, including information technology, operational technology and internet of things, regardless of whether they reside in the cloud or on premises.
Find and fix
When looking at the vulnerabilities to find and fix, there were five that were primarily targeted throughout 2020. These include three legacy vulnerabilities from 2019 in virtual private network solutions from Citrix, Pulse Secure and Fortinet:
- CVE-2020-1472 – Zerologon
- CVE-2019-19781 – Citrix ADC/Gateway/SDWAN WAN-OP
- CVE-2019-11510 – Pulse Connect Secure SSL VPN
- CVE-2018-13379 – Fortinet Fortigate SSL VPN
- CVE-2020-5902 – F5 BIG-IP
Browser-based vulnerabilities are easy enough to prioritise in the remediation process because they are easy to patch; however, they do not necessarily carry the greatest risk. Devices such as firewalls, domain controllers and VPNs could have a significantly greater impact if compromised, and more care is needed when testing and applying patches or mitigations to them.
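To make the risk-based prioritisation argued for above concrete, here is an added example (not Tenable's scoring method or any product's logic) that ranks findings by asset impact, public PoC availability, ease of exploitation and patch availability, while deliberately ignoring whether a vulnerability has a name or logo. The impact weights and the inventory, including the boolean flags attached to each CVE, are constructed assumptions for illustration, and the CVE-EXAMPLE-* identifiers are placeholders.

```python
from dataclasses import dataclass

# Illustrative impact weights (assumption): the article argues that browsers are
# easy to patch but lower impact, while firewalls, domain controllers and VPNs
# have a far greater impact if compromised; email servers sit in between.
IMPACT_WEIGHT = {
    "domain_controller": 5,
    "vpn": 5,
    "firewall": 5,
    "email_server": 4,
    "browser": 2,
}

@dataclass
class Finding:
    asset: str
    asset_class: str
    cve: str
    patch_available: bool   # vendor fix exists: an unmitigated "broken window"
    poc_public: bool        # proof-of-concept exploit code is publicly available
    low_complexity: bool    # easy to exploit (e.g. unauthenticated, network-reachable)
    has_name_or_logo: bool  # marketing prominence; deliberately NOT scored

def priority_score(f: Finding) -> int:
    """Asset impact multiplied by exploitability factors, plus one if a patch
    is already available (the gap is avoidable). Name/logo is ignored on purpose."""
    exploitability = 1
    if f.poc_public:
        exploitability += 2
    if f.low_complexity:
        exploitability += 1
    score = IMPACT_WEIGHT.get(f.asset_class, 1) * exploitability
    if f.patch_available:
        score += 1
    return score

def remediation_order(findings):
    """CVEs ordered highest priority first; ties broken by CVE id for stability."""
    return [f.cve for f in sorted(findings, key=lambda f: (-priority_score(f), f.cve))]

# Constructed sample inventory; the flags are illustrative, not claims about these CVEs.
SAMPLE = [
    Finding("dc01", "domain_controller", "CVE-2020-1472", True, True, True, True),
    Finding("vpn-edge", "vpn", "CVE-2019-11510", True, True, True, False),
    Finding("ws-042", "browser", "CVE-EXAMPLE-BROWSER-0001", True, False, True, False),
    Finding("fw-01", "firewall", "CVE-2020-5902", True, False, True, False),
    Finding("mail01", "email_server", "CVE-EXAMPLE-MAIL-0001", False, False, False, True),
]

if __name__ == "__main__":
    for cve in remediation_order(SAMPLE):
        print(cve)
```

Note that the named-and-logoed mail finding lands last while the unnamed VPN finding lands first, which is the point the article makes about names and logos.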
Patching email servers should also be a priority to prevent exploitation and protect confidential information. In tandem, educating staff on email best practices and raising security awareness in areas such as phishing should also be a top priority.
Each device, each asset in the infrastructure, needs to be considered as having the potential to ‘go rogue’. It’s imperative that steps are taken to minimise the privileges and the attack surface to which they have access. While few organisations would have the wherewithal to prevent a breach as sophisticated as SolarWinds, thankfully few need to. Sound cyber hygiene practices, as outlined above, can help thwart most attacks perpetrated by cybercriminals.
The author is Satnam Narang, staff research engineer, Tenable.