Unpatched vulnerabilities provide an open door for Cybercrooks

Knock knock, whose there? A Cybercrook is exploiting known vulnerabilities to penetrate the organization for an easy picking.

The 2018 Open Source Security and Risk Analysis report released by Black Duck Software (a developer of auditing software for open-source security) shows, that the patching of vulnerabilities still leaves much to be desired. The research found that 78% of the codebases examined contained at least one unpatched vulnerability, and an average of 64 known exploits per codebase.

If we take a look at the Equifax breach and WannaCry ransomware attack, we see that hackers were able to exploit unpatched vulnerabilities in servers operating Windows 7 and Windows 8 by targeting organizations that ran unpatched Windows software. Even after one year, WannaCry remains a threat due to unpatched systems.

According to various research reports, more than half of the breaches (around 60%) exploited unpatched vulnerabilities. Around one third of victimized organizations were aware of their vulnerability but did not patch yet.

Cybercrooks are highly creative when targeting unpatched vulnerabilities. To give a few examples:

On a number of occasions during the first two quarters of 2018, cybercriminals used cryptomining malware (such as Coinhive and Cryptoloot) to target unpatched server vulnerabilities.

  • During May 2018, Hackers exploited unpatched vulnerabilities in widely-used email encryption tools PGP and S/MIME. Dubbed EFAIL, it abused active content of HTML emails to exfiltrate plaintext through requested URLs.
  • May 30th, A hacker exploited a vulnerability to bring down Ticketfly, a website for ticket distribution services. After the attacker requested unsuccessfully ransom for sharing details of the vulnerability, he/she subsequently posted the breached data (26 million unique email addresses along with names, physical addresses and phone numbers) online to a publicly accessible location.
  • During their so-called Unicorn attack which took place on May 2018, hackers exploited a previously unknown privilege-escalation vulnerability in Microsoft OSes predating Windows 8. It allowed untrusted code (as well as users who normally have limited system rights) to gain nearly unfettered access to the most sensitive resources of an OS. With just one click on a PDF, hackers could install their malware without any downloading needed. This attack exploited both PDF and Windows vulnerabilities.
  • During March 2018, the Drupalgeddon 2 vulnerability affected all sites running on Drupal 6 and later. Hackers exploited the vulnerability to install mining code on vulnerable sites such as the NHS England's website. Although the vulnerability was detected more than 2 months ago, on June 5th it was reported that more than 115,000 servers have remained unpatched.

For hackers, it’s quite easy to find potential victims by using websites such and Shodan to find out if organizations are vulnerable for e.g., Heartbleed and its successor OptionsBleed which is a security bug in the Apache Web Server (as opposed to OpenSSL) leveraged by making HTTP OPTIONS requests in order to potentially cause data leakage, the same way that Heartbleed still does.

To make sure that your organization is and will remain protected, there are two strategies that we at Cymulate recommend.

Firstly, prioritize patching. Whenever your SOC, IT or cybersecurity team gets an alert, make sure to run the update immediately. Any delay leaves a window of opportunity open for hackers.

Secondly, run assessments to test the organization’s security posture. Cymulate’s Breach & Attack (BAS) platform will test the complete scope of your security for detecting any vulnerabilities and will recommend mitigation when found.

  • The Immediate Threat alert assessment tests if your organization is vulnerable to the latest threats which allows you to take measures before such an attack will take place.
  • The Email security assessment helps you to test your corporate email security for potential exposure to a number of malicious payloads sent by email.
  • The Web Gateway assessment tests your organization’s HTTP/HTTPS outbound exposure to malicious websites using an extensive and continuously growing database of malicious and compromised websites for testing.
  • The Web Application Firewall assessment enables you to test your organization’s WAF security posture to web payloads by testing if the WAF configuration, implementation and features are able to block payloads before they get anywhere near the web applications.
  • The Hopper lateral movement assessment allows you to test your Organization’s Windows Domain Network configuration by using a sophisticated and efficient algorithm to mimic all the common and clever techniques that the most sophisticated hackers use to move around inside the network.
  • The Endpoint assessment tests if your organization’s endpoint solutions are tuned properly and if they are protecting your organization against the latest attack vectors by deploying and running real ransomware, Trojans, worms, and viruses on a dedicated endpoint in a controlled and safe manner.
  • The Phishing assessment allows you to assess the awareness of your organization’s employees regarding phishing campaigns in order to reduce the risk of spear phishing, ransomware or CEO fraud.
  • The Data Exfiltration assessment lets you test your organization’s outbound critical data safely by evaluating how well your organization’s Data Loss Prevention (DLP) solutions and controls prevent any extraction of critical information from outside the organization.

Cymulate’s platform enables the SOC team or the IT and cybersecurity teams of an organization to schedule automated assessments which can be conducted at any predefined time (e.g., every night, early in the morning, in the middle of the day etc.) to detect vulnerabilities and gaps in the organization’s security framework, its multiple security solutions as well as security controls.

It gives a comprehensive overview of the security posture of the organization since it shows its weak spots. The results of each assessment are presented in an easy-to-understand comprehensive report. Mitigation recommendations are offered for each threat that has been discovered depending on the type of attack and phase it reached in its distribution method.

This allows you to truly understand your organization’s security posture and take action to update and upgrade where necessary.

Want to learn more? Want to try it out? Contact Cymulate today for a free trial!

Filed Under: Cyber Attacks, Cybercrime, Penetration Testing, Security assessment, Data Breach, Vulnerabilities, Exploits