The MOVEit Transfer Mayhem: Why Do We Fail in Vulnerability Management?

Vulnerability management has become as crucial as any core business decision. This is how to get it right

Editorial by Editorial
September 5, 2024
in Features, Firewall Daily, Vulnerabilities

CVE-2023-34362, CVE-2023-35036, and failed vulnerability management. That is what hundreds of organizations across the world currently have in common, along with the impending probability of the Cl0p ransomware group listing them as victims.

The Cl0p ransomware group has been targeting unsuspecting victims by exploiting a recently disclosed SQL injection vulnerability in MOVEit Transfer, an enterprise managed file transfer (MFT) product.

This is not the first time the group has used such tactics. In February 2023, it took responsibility for over 130 attacks by exploiting a zero-day vulnerability in Fortra GoAnywhere MFT (CVE-2023-0669).

Additionally, in December 2020, they exploited zero-day vulnerabilities in Accellion’s outdated file-transfer application software, resulting in data theft from more than 100 companies. It’s worth noting that in all three campaigns, the Cl0p ransomware group chose not to deploy their own malicious software.

Vulnerability management has become as crucial as any core business decision. The latest numbers attest to it.

Vulnerabilities disclosed, vulnerabilities exploited

Approximately 34 percent of vulnerabilities reported in May pose a significant security risk, with over 56 percent being remotely exploitable, according to the Flashpoint Cyber Threat Intelligence Index.

A comprehensive analysis of vulnerability intelligence for the month of May has unveiled concerning trends regarding the severity and exploitability of reported vulnerabilities.

A total of 1,983 new vulnerabilities were reported, and alarmingly, 323 of them went unnoticed by the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD) systems.

Of the vulnerabilities disclosed in May, approximately 34% were rated as high-to-critical in severity. This indicates that if these vulnerabilities were to be exploited, they could potentially lead to significant security breaches and pose a considerable risk to organizations and individuals alike.

Furthermore, over 56% of the reported vulnerabilities were found to be remotely exploitable. This means that threat actors could execute malicious code from anywhere, without physical or local access to the affected device.

The ability to exploit vulnerabilities remotely significantly increases the potential impact and scope of cyberattacks, underscoring the need for proactive security measures.

Any business that understands the gravity of the situation would streamline the efforts of their vulnerability management teams by focusing on actionable vulnerabilities classified as high severity.

“Vulnerability management teams can potentially lessen workloads by nearly 88 percent by focusing on actionable, high severity vulnerabilities. This classification is given to vulnerabilities that are remotely exploitable, that have a public exploit, and a viable solution,” said the report.

This strategic approach ensures that the most critical vulnerabilities receive immediate attention and resources, enhancing overall cybersecurity posture.
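The Flashpoint criterion quoted above is simple enough to encode as a filter over a vulnerability backlog. The following is an added example, not code from the article or from Flashpoint: it keeps only findings that are high-to-critical in severity, remotely exploitable, have a public exploit and have a viable fix, and then reports how much of the backlog that filter removes from the immediate queue. The record format, the CVSS 7.0 threshold for "high" and the sample findings (the CVE identifiers are placeholders) are assumptions made for the illustration.

```python
"""Prioritise a vulnerability backlog using the 'actionable, high severity'
test described in the article: high/critical severity, remotely exploitable,
public exploit available, and a viable solution available.

Added example; not the article's or Flashpoint's code. Record format and
sample findings are constructed; CVE ids below are placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str              # identifier as reported by the scanner
    cvss: float           # CVSS base score, 0.0-10.0
    remote: bool          # exploitable over the network, no local access needed
    public_exploit: bool  # proof-of-concept or weaponised exploit is public
    solution: bool        # vendor patch, upgrade or documented workaround exists


def is_high_or_critical(f: Finding) -> bool:
    # CVSS v3 qualitative bands: High is 7.0-8.9, Critical is 9.0-10.0
    return f.cvss >= 7.0


def is_actionable(f: Finding) -> bool:
    """All four conditions of the quoted classification must hold."""
    return (is_high_or_critical(f) and f.remote
            and f.public_exploit and f.solution)


def prioritise(findings):
    """Return the actionable findings, highest CVSS first (ties by CVE id)."""
    actionable = [f for f in findings if is_actionable(f)]
    actionable.sort(key=lambda f: (-f.cvss, f.cve))
    return actionable


def workload_reduction(findings) -> float:
    """Percentage of the backlog the filter removes from the immediate queue."""
    if not findings:
        return 0.0
    kept = len(prioritise(findings))
    return round(100.0 * (len(findings) - kept) / len(findings), 1)


# Constructed sample backlog (placeholder ids, not real advisories)
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, True,  True,  True),   # actionable
    Finding("CVE-0000-0002", 9.1, True,  True,  False),  # critical, but no fix yet
    Finding("CVE-0000-0003", 7.5, True,  False, True),   # high, no public exploit
    Finding("CVE-0000-0004", 8.8, False, True,  True),   # requires local access
    Finding("CVE-0000-0005", 5.3, True,  True,  True),   # medium severity
    Finding("CVE-0000-0006", 7.2, True,  True,  True),   # actionable
    Finding("CVE-0000-0007", 4.0, False, False, True),
    Finding("CVE-0000-0008", 6.5, True,  False, True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.cve}  CVSS {f.cvss}")
    print(f"backlog reduced by {workload_reduction(SAMPLE)}%")
```

The findings the filter drops are not ignored; they stay in the backlog for the normal remediation cycle. The point of the filter is to decide what the team works on first, and the reduction figure will differ for every organization's backlog rather than matching the report's headline number.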

While it is difficult to assess the impact of a risk averted, there are several instances where companies suffered because of faulty vulnerability management.

There have been significant cyber attacks where organizations suffered the consequences of inadequate management of IT or OT vulnerabilities. Here are a few examples:

NotPetya Attack (2017)

NotPetya was a destructive cyber attack that targeted organizations worldwide. It spread through a compromised software update of an accounting program called M.E.Doc, which originated from Ukraine.

The attack took advantage of vulnerabilities in the IT systems of affected organizations, particularly their use of unpatched or outdated software.

NotPetya caused widespread disruption, impacting companies like Maersk, Merck, and FedEx. It resulted in substantial financial losses, system outages, and affected global supply chains.

At the root of it was EternalBlue, an exploit that capitalizes on a vulnerability present in the Server Message Block (SMB) protocol of Windows.

EternalBlue is widely believed to have originated from the U.S. National Security Agency (NSA). It was inadvertently disclosed in April 2017 and was subsequently utilized by the WannaCry ransomware as well.

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” said the Microsoft report on the situation.

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

Triton/Trisis Attack (2017)

The Triton attack focused on a petrochemical plant in Saudi Arabia and aimed to manipulate the safety systems, specifically the Triconex Safety Instrumented System (SIS).

The attackers exploited vulnerabilities in the plant’s OT environment, gaining unauthorized access to the SIS and attempting to cause physical damage.

Although the attack did not succeed in causing harm, it highlighted the potential consequences of inadequate management of OT vulnerabilities, including safety risks and the possibility of industrial accidents.

In this case, a zero-day privilege-escalation vulnerability in the Triconex Tricon safety-controller firmware allowed sophisticated hackers to wrest control of the emergency shutdown system in a targeted attack on one of the vendor’s customers.

“To deploy the malware, the attackers compromised an SIS engineering workstation. Actions taken by the attackers from the compromised system resulted in the controllers entering a failed safe state, automatically shutting down the industrial process,” said an NCSC advisory.

Colonial Pipeline Attack (2021)

The Colonial Pipeline, a major fuel pipeline operator in the United States, fell victim to a cyber attack that exploited vulnerabilities in its IT systems.

The attack utilized a compromised password to gain unauthorized access to the company’s network, resulting in a temporary shutdown of the pipeline system.

This led to fuel shortages, price increases, and disruptions in the supply chain along the U.S. East Coast.

In this case, the vulnerability was in the policy and process.

During a hearing on June 8 before a House Committee on Homeland Security, Charles Carmakal, the Senior Vice President and CTO of cybersecurity firm Mandiant, revealed that attackers gained entry to the Colonial Pipeline network by exploiting an exposed password associated with a VPN account.

To establish secure and encrypted remote access to a corporate network, many organizations utilize a Virtual Private Network (VPN).

As per Carmakal’s testimony, an employee of Colonial Pipeline, whose identity was not disclosed during the hearing, apparently employed the same password for the VPN in another context. This password was somehow compromised as a result of a separate data breach.

Vulnerability management: The broader classification

Vulnerability management starts with understanding the broader types and nature of vulnerabilities. They can be broadly classified as process vulnerabilities and policy vulnerabilities.

While policy vulnerabilities vary according to region and business, process vulnerabilities – bugs in IT and OT systems – are largely of the same nature.

IT and OT (Information Technology and Operational Technology) vulnerabilities refer to the weaknesses or flaws that can be exploited in computer systems, networks, and devices used in both IT and OT environments. The main categories are outlined below.

IT Vulnerabilities

Software vulnerabilities: These are weaknesses in software programs, operating systems, or applications that can be exploited to gain unauthorized access, execute malicious code, or disrupt system functionality.

The ten most common software vulnerabilities are broken access control, cryptographic failures, injection flaws, insecure design, security misconfigurations, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery, according to software company Perforce.

Network vulnerabilities: These vulnerabilities exist in network infrastructure and protocols, making it possible for attackers to intercept, manipulate, or eavesdrop on network communications.

Network vulnerabilities can be physical or non-physical.

Non-physical network vulnerabilities typically pertain to software or data. For instance, if an operating system (OS) is not regularly updated with the latest security patches, it may become susceptible to network attacks.

In such cases, if the OS remains unpatched, it could be infected by a virus, potentially compromising the host it resides on and even the entire network. Physical network vulnerabilities, on the other hand, relate to the physical protection of assets.

“For example, an operating system (OS) might be vulnerable to network attacks if it’s not updated with the latest security patches. If left unpatched a virus could infect the OS, the host that it’s located on, and potentially the entire network,” said an explainer by cybersecurity company Purplesec.

Human vulnerabilities: Humans can be exploited as a weak link in IT security. Social engineering techniques such as phishing, pretexting, and baiting are used to trick individuals into revealing sensitive information or performing actions that compromise security.

According to The Global Risks Report 2022 by the World Economic Forum, about 95% of cybersecurity incidents occur due to human error.

OT Vulnerabilities:

Legacy systems: Many OT systems were designed and implemented before robust cybersecurity practices were established. These systems often lack built-in security measures and are susceptible to vulnerabilities that can be exploited by attackers.

The WannaCry attack stands as the clearest illustration of what legacy systems can do to your cybersecurity posture.

“Even though Microsoft was able to patch the vulnerability for the Windows systems, many organizations failed to update their existing systems or delayed the patch installations as the new patch installations would negatively impact the legacy systems,” said an Intellipaat report.

Convergence vulnerabilities: As IT and OT systems increasingly converge, the vulnerabilities of one system can impact the other. Attacks targeting IT infrastructure can potentially propagate to OT systems, disrupting critical operations.

“Over the past year, Microsoft has observed threats exploiting devices in almost every monitored and visible part of an organization. We have observed these threats across traditional IT equipment, OT controllers and IoT devices like routers and cameras,” said a Microsoft report on convergence risks.

“The spike in attackers’ presence in these environments and networks is fueled by the convergence and interconnectivity many organizations have adopted over the past few years.”

Weak authentication and authorization: OT systems may rely on weak or outdated authentication methods, such as default passwords or shared credentials, making it easier for attackers to gain unauthorized access and manipulate operational processes.

“Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app,” said an OWASP report.

“Weaker authentication for mobile apps is fairly prevalent due to a mobile device’s input form factor. The form factor highly encourages short passwords that are often purely based on 4-digit PINs.”

Speaking of mobile apps takes us to the next category.

Remote access vulnerabilities: With the rise of remote connectivity, remote access to OT systems can introduce vulnerabilities if not properly secured. Unauthorized access to OT systems can lead to operational disruptions, safety incidents, or damage to physical assets.

According to cybersecurity company Bitsight, the most common remote access vulnerabilities are lack of established protocols, unsecured networks, unauthorized apps, and unauthorized access to devices.

Supply chain vulnerabilities: OT systems often rely on components and software from third-party vendors. If these components contain vulnerabilities or are compromised during the supply chain, it can expose OT systems to potential attacks.

“A supply chain incident happens when the components that make up the OT system are compromised. This was demonstrated in the recent SolarWinds attack,” said a report by ARC Advisory Group.

“In this case, a software company that sells network management tools had their servers compromised, causing them to update customer’s computer systems with software that had malicious software, which in turn infiltrated their customer’s systems.”

It’s important to note that the specific vulnerabilities and best practices can vary depending on the industry, organization, and specific IT and OT systems in use. Regular security assessments and engaging with cybersecurity experts can help identify and address vulnerabilities effectively.

Effective vulnerability management: The six crucial steps

Effective vulnerability management is a proactive approach to identify, assess, prioritize, and mitigate vulnerabilities in computer systems, software applications, networks, and other digital assets.

It involves a systematic and ongoing process of discovering, analyzing, and addressing vulnerabilities to minimize the risk of exploitation by potential attackers.

The goal of vulnerability management is to ensure that organizations have a clear understanding of their vulnerabilities and can effectively prioritize and remediate them based on the level of risk they pose. This helps organizations maintain a strong security posture, reduce the likelihood of successful attacks, and protect sensitive data and resources.

The vulnerability management process typically involves these key steps:

Vulnerability Assessment: This step involves scanning systems, networks, and applications using automated tools to identify known vulnerabilities. These tools search for weaknesses in configurations, software versions, and potential security flaws.

“A vulnerability assessment is the testing process used to identify and assign severity levels to as many security defects as possible in a given timeframe. This process may involve automated and manual techniques with varying degrees of rigor and an emphasis on comprehensive coverage,” said a Synopsys definition of the term.

“Using a risk-based approach, vulnerability assessments may target different layers of technology, the most common being host-, network-, and application-layer assessments.”

Vulnerability Prioritization: Once vulnerabilities are identified, they are evaluated based on their severity, potential impact, and exploitability, said a Purplesec explainer.

This helps prioritize which vulnerabilities should be addressed first, considering the level of risk they pose to the organization.

“Then, develop a risk-based remediation plan focusing on high-risk vulnerabilities while continuously monitoring and retesting to ensure effective vulnerability management,” the explainer said.

Remediation Planning: After prioritization, organizations develop a plan to address the identified vulnerabilities. This may involve applying security patches, implementing configuration changes, updating software versions, or applying other security measures to mitigate the risks.

“Remediation of network vulnerabilities is something every organization wants done before hackers exploit the weaknesses. Effective remediation entails continuous processes that together are called Vulnerability Management,” said the Guide to Effective Remediation of Network Vulnerabilities by Qualys.

(Image: the vulnerability management cycle. Source: Qualys)

Patch Management: Organizations ensure that all systems and software are regularly updated with the latest security patches and updates. Patch management involves monitoring vendor releases, testing patches, and deploying them in a timely manner to close security vulnerabilities.

The process is different from the broader process of vulnerability management, noted a Purplesec report.

“The main difference between patch management and vulnerability management is that patch management is the operational process of applying remediations (patches) to vulnerable systems,” it said.

“Vulnerability management is the process of identifying, scanning and prioritizing vulnerabilities for remediation.”

Ongoing Monitoring: Continuous monitoring of systems and networks is crucial to identify new vulnerabilities that may arise due to changes in software, configurations, or emerging threats. Regular vulnerability scanning and monitoring help maintain a proactive approach to security.

“For continuous monitoring, scheduling daily or weekly scans of systems and subnets will produce enough data for a sound baseline of what is running in the environment and at a system level, which can then be assessed against newer scans to determine what has changed and what the risks are,” said a BeyondTrust report.

“Most enterprise vulnerability scanners can cover web and database technologies adequately as a starting point, too, and you can add more specialized tools later if you need more in-depth information.”

Incident Response: In case a vulnerability is exploited or an attack occurs, incident response protocols should be in place to detect, contain, and remediate the incident effectively.

This involves investigating the root cause, recovering systems, and implementing additional security measures to prevent future incidents.

“The incident response process starts with the declaration of the incident,” said a CISA Playbook on cybersecurity incident and vulnerability response.

“In this context, ‘declaration’ refers to the identification of an incident and communication to CISA and agency network defenders rather than formal declaration of a major incident as defined in applicable law and policy.”
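The ongoing-monitoring step above, and the BeyondTrust quote in particular, describe comparing a baseline scan against newer scans to see what has changed; the remediation and patch-management steps imply tracking how long a finding has stayed open. The following is an added example, not code from the article or from any vendor it quotes, that does both over two constructed scan exports: it reports new, resolved and persisting findings, and flags findings whose age exceeds a severity-based remediation deadline. The CSV layout, the SLA day counts, the host names and the placeholder CVE identifiers are all assumptions made for the illustration.

```python
"""Diff two vulnerability scans and flag overdue remediation.

Added example; not the article's or any vendor's code. The scan format
(host,cve,cvss,first_seen), the SLA policy and the sample data are constructed,
and the CVE ids are placeholders."""
from datetime import date

# Remediation deadline in days per severity band (constructed policy values)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Reporting date for the sample below (constructed)
TODAY = date(2024, 8, 1)


def severity_band(cvss: float) -> str:
    """Map a CVSS base score to the qualitative band used by the SLA table."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def parse_scan(text: str) -> dict:
    """Parse 'host,cve,cvss,first_seen' lines into {(host, cve): record}.

    Blank lines and '#' comments are skipped so exported reports with a header
    comment can be fed in unchanged."""
    findings = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, cve, cvss, first_seen = [p.strip() for p in line.split(",")]
        findings[(host, cve)] = {
            "cvss": float(cvss),
            "first_seen": date.fromisoformat(first_seen),
        }
    return findings


def diff_scans(baseline: dict, current: dict) -> dict:
    """New = only in current; resolved = only in baseline; persisting = both."""
    b, c = set(baseline), set(current)
    return {
        "new": sorted(c - b),
        "resolved": sorted(b - c),
        "persisting": sorted(b & c),
    }


def overdue(current: dict, today: date) -> list:
    """(host, cve, days_past_deadline) for findings older than their SLA,
    most overdue first."""
    late = []
    for (host, cve), rec in current.items():
        age = (today - rec["first_seen"]).days
        limit = SLA_DAYS[severity_band(rec["cvss"])]
        if age > limit:
            late.append((host, cve, age - limit))
    return sorted(late, key=lambda t: -t[2])


# Constructed sample exports: a July baseline and an August re-scan
BASELINE_SCAN = """
# host,cve,cvss,first_seen
host-a, CVE-0000-0101, 9.8, 2024-06-20
host-a, CVE-0000-0102, 7.5, 2024-06-25
host-b, CVE-0000-0103, 5.3, 2024-05-01
"""

CURRENT_SCAN = """
# host,cve,cvss,first_seen
host-a, CVE-0000-0101, 9.8, 2024-06-20
host-b, CVE-0000-0103, 5.3, 2024-05-01
host-c, CVE-0000-0104, 8.1, 2024-07-30
"""

if __name__ == "__main__":
    baseline, current = parse_scan(BASELINE_SCAN), parse_scan(CURRENT_SCAN)
    for label, items in diff_scans(baseline, current).items():
        print(f"{label}: {items}")
    for host, cve, days in overdue(current, TODAY):
        print(f"OVERDUE {host} {cve} by {days} day(s)")
```

In the sample the critical finding on host-a has persisted across both scans and is five weeks past its deadline, the medium one on host-b has just crossed its 90-day limit, and the new high finding on host-c is within SLA; the resolved entry confirms that a patch applied between the two scans actually closed the gap, which is the feedback the retesting step in the prioritization section calls for.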

Overall, vulnerability management is an essential part of an organization’s cybersecurity strategy. It helps protect against potential security breaches, reduces the attack surface, and ensures the timely and effective mitigation of vulnerabilities to maintain a secure environment.
