Companies exploited by high-risk vulnerabilities, new research shows
A significant 84% of companies have high-risk vulnerabilities on the network perimeter, according to new data from Positive Technologies.
The company performed instrumental scanning of the network perimeter of selected corporate information systems, with a total of 3,514 hosts scanned, including network devices, servers, and workstations.
The results show the presence of high-risk vulnerabilities at most companies. However, half of these vulnerabilities can be eliminated by installing the latest software updates, the company states.
The research shows high-risk vulnerabilities at 84% of companies across finance, manufacturing, IT, retail, government, telecoms and advertising.
One or more hosts with a high-risk vulnerability that has a publicly available exploit are present at 58% of companies.
Publicly available exploits exist for 10% of the vulnerabilities found, which means attackers can exploit them even if they don't have professional programming skills or experience in reverse engineering, the researchers state.
Software updates as a fix
Data shows that the detected vulnerabilities are caused by the absence of recent software updates, outdated algorithms and protocols, configuration flaws, mistakes in web application code, and accounts with weak and default passwords.
As a result, Positive Technologies states that almost half of detected vulnerabilities (47%) can be fixed by installing the latest software versions.
All companies had problems with keeping software up to date. At 42% of them, Positive Technologies found software for which the developer had announced the end of life and stopped releasing security updates.
Analysis revealed that remote access and administration interfaces, such as Secure Shell (SSH), Remote Desktop Protocol (RDP), and Telnet, allow any external attacker to conduct brute-force attacks.
Attackers can brute-force weak passwords in a matter of minutes and then obtain access to network equipment with the privileges of the corresponding user before proceeding to develop the attack further, the researchers state.
The oldest vulnerability found in automated analysis was 16 years old.
Positive Technologies comments
Positive Technologies head of information security analytics research group Ekaterina Kilyusheva says, "Network perimeters of most tested corporate information systems remain extremely vulnerable to external attacks.
"Our automated security assessment proved that all companies have network services available for connection on their network perimeter, allowing hackers to exploit software vulnerabilities and brute-force credentials to these services.
"Even in 2020, there are still companies vulnerable to Heartbleed and WannaCry. Our research found systems at 26% of companies are still vulnerable to the WannaCry encryption malware."
Kilyusheva says, "At most of the companies, Positive Technologies experts found accessible web services, remote administration interfaces, and email and file services on the network perimeter.
"Most companies also had external-facing resources with arbitrary code execution or privilege escalation vulnerabilities. With maximum privileges, attackers can edit and delete any information on the host, which creates a risk of denial of service (DoS) attacks.
"On web servers, these vulnerabilities may also lead to defacement, unauthorised database access, and attacks on clients. In addition, attackers can pivot to target other hosts on the network."
The key to vulnerability management
Kilyusheva says, "We recommend minimising the number of services on the network perimeter and making sure that accessible interfaces truly need to be available from the internet. If this is the case, it is recommended to ensure that they are configured securely, and businesses install updates to patch any known vulnerabilities."
She concludes, "Vulnerability management is a complex task that requires proper instrumental solutions. With modern security analysis tools, companies can automate resource inventories and vulnerability searches, and also assess security policy compliance across the entire infrastructure.
"Positive Technologies experts emphasise that automated scanning is only the first step toward achieving an acceptable level of security.
"To get a complete picture, it is vital to combine automated scanning with penetration testing. Subsequent steps should include verification, triage, and remediation of risks and their causes."