Vulnerable Internet-Exposed Applications Compromised in 24 Hours, Report Shows

Vulnerable Internet-Exposed Applications Compromised in 24 Hours, Report Shows

A study conducted by researchers from Palo Alto Networks' Unit 42 found that vulnerable internet-exposed applications are compromised in just 24 hours.

Vulnerable internet-exposed applications once compromised pose a security risk to cloud environments within the same infrastructure. 

Honeypots

Between July 2021 and August 2021, Unit 42 researchers set up 320 honeypots to verify how fast threat actors compromise four vulnerable internet-exposed applications, namely, secure shell protocol (SSH), remote desktop protocol (RDP), Samba, and Postgres.

Honeypots are network-attached computers that are purposely set up to lure threat actors to access these network-attached computers. Honeypots are set up to study the attackers’ methodologies.

SSH is a protocol that allows users to open remote shells on other computers. Samba is a free software re-implementation of the Server Message Block (SMB) networking protocol. SMB is a communication protocol used for sharing access to files, printers, serial ports for Windows computers on the same network or domain.

RDP, meanwhile, is a network communications protocol developed by Microsoft, allowing users to remotely connect to another computer. Postgres, also known as PostgreSQL, is an enterprise-class open source database management system.

Access to any of these four standard applications allows attackers to remotely connect to the victim’s network and perform malicious activities such as further compromising cloud environments within the same network.

The honeypots deployed by the Unit 42 researchers had vulnerable SSH, Samba, RDP, and Postgres. For instance, they intentionally use weak usernames and weak passwords.

Weaknesses in SSH, Samba, RDP, and Postgres are often exploited by cyberattackers. Ransomware groups, including REvil and Mespinoza, are known to exploit internet-exposed applications to gain initial access to victims' environments.

In Q3 2021, Digital Shadows reported that RDP and SSH are among the top access of choice of Initial Access Brokers – individuals or groups that act as intermediaries in identifying vulnerable organizations and selling access to the networks of these vulnerable organizations to the highest bidder.

Unit 42 researchers found that 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week. Out of the four vulnerable internet-exposed applications, SSH was the most attacked application and on average, each SSH honeypot was compromised 26 times daily.

The researchers also found that one threat actor compromised 96% of 80 Postgres honeypots globally within 30 seconds. The researchers’ honeypots applied firewall policies to block IPs from known network scanners. They found that blocking known scanner IPs is ineffective in mitigating attacks as 85% of the attacker IPs were observed only on a single day.

"This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks,” Unit 42 researchers said. “A list of malicious IPs created today will likely become outdated tomorrow.”

The researchers also found that vulnerable internet-exposed applications were compromised multiple times by multiple different attackers. As attackers competed for the victim’s resources, tools such as Rocke or TeamTNT were used to remove the malicious software (malware) left by other cyberattackers. 

Scanning Activities

"The speed of vulnerability management is usually measured in days or months,” Unit 42 researchers said. “The fact that attackers could find and compromise our honeypots in minutes was shocking. When a misconfigured or vulnerable service [application] is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service.”

The speed at which threat actors find vulnerable internet-facing applications is achieved through the process called scanning. Threat actors aren’t alone in finding vulnerable internet-facing applications through scanning.

Legitimate scanning service providers, such as Shodan, Censys, and Shadowserver, allow users to find vulnerable internet-facing applications. These legitimate scanning service providers have fixed IP addresses. Threat actors, on the other hand, as shown in the findings of the Unit 42 researchers, don’t use fixed IP addresses, but rather change their IP addresses every day.

Unit 42 researchers identified an average of 75,000 unique scanner IP addresses globally that enumerated more than 9,500 different ports every day. The researchers found that Samba, Telnet (a protocol that allows users to connect to remote computers over a TCP/IP network, such as the internet), and SSH were the three most scanned services, accounting for 36% of scanning traffic globally.

Scanning, per se, doesn’t compromise vulnerable internet-facing applications. This method, however, is used by cybercriminals to identify potential victims.

Cybersecurity Best Practices

Here are some of the cybersecurity best practices to protect your organization’s vulnerable internet-exposed applications:

Keep to a bare minimum the exposure of applications to the internet. If internet-exposed applications aren’t used, disable them.

If there’s a need to expose these applications to the internet, secure them by applying in a timely manner the security updates, by using strong passwords, multi-factor authentication (MFA), and other security measures such as virtual private network (VPN).

In using a Firewall, use the whitelisting approach, rather than the blacklisting approach. In whitelisting, only the approved or whitelisted entities are given access to your organization’s network, blocking all others. Blacklisting, on the other hand, blocks known malicious IP addresses. As shown in the study conducted by Unit 42 researchers, cyberattackers regularly change their IP addresses defeating the purpose of blacklisting.