Understanding common internet-facing footholds

Internet-facing footholds present a real risk. Dan Vasile, VP of Strategic Cyber Advisory at BlueVoyant, shares his views on the topic.

Ransomware remains a persistent threat with real-world consequences: it can halt business operations and cause significant reputational and financial damage, writes Dan Vasile.

Ransomware incidents have gained the attention of the general public through attacks like the one on Colonial Pipeline, which led to fuel shortages, and WannaCry, which led to British hospitals diverting patients. Despite an increased level of awareness at board level, ransomware attacks continue to plague organisations.

One reason why the threat of malware in general is so hard to eradicate is that cyber criminals keep finding new pathways to deliver malicious code. An organisation’s digital supply chain is a prominent example of these newer attack vectors: vendors, suppliers and other third parties with network access are used as footholds. As organisations’ own internal networks become more secure, a third party may have weaker security and thus provide an easier attack vector for cyber criminals. Once that third party is compromised, the attackers can spread to connected networks, leaving behind malware to enable a ransomware attack.

Even if an organisation isn’t ransomed itself, having a critical supplier facing an attack can hurt business operations.

RDP is a primary vector for ransomware

Another common attack vector is Remote Desktop Protocol (RDP), which was exploited in the aforementioned WannaCry attack. Given the rise of remote and hybrid work, more organisations are looking for external remote access for employees but may not always consider all the security risks of their setup as robustly as they should.

RDP is the proprietary protocol that allows a user on one computer to connect to and control a remote computer, and it is commonly used by admins to fix issues on a remote system. In recent years it has become popular in cloud computing to access and/or manage virtual machines. Unfortunately, it is very easy to expose RDP unintentionally by leaving the RDP port open to the internet, including on a forgotten system, cloud instance or network segment. The protocol is easily detectable, and a brute force attack can be launched even by unskilled attackers.

Recently, according to BlueVoyant’s threat intelligence analysis, threat actors have more frequently probed for open RDP ports as an easy-access attack vector.

It is therefore an almost foregone conclusion that RDP will be targeted sooner rather than later if left open on a network. In fact, open port and vulnerability scanning continue to be key footholds for cybercriminals, both within the organisation and across the vendor ecosystem. Open ports are probed almost instantly after being exposed to the internet, and continuously thereafter by multiple actors.

According to CISA, in 2021 RDP was one of the top three initial attack vectors for ransomware events, with access often gained through either brute force or stolen credentials. Analysing a sample of 15,000 companies throughout 2022, we found that one fifth of the vulnerabilities within their ecosystem were RDP-related. Whilst attackers need credentials to get past RDP’s authentication, weak passwords, poor operational security and increasingly effective harvesting campaigns make the acquisition of these credentials easier than it should be.

The race to patch

Zero-day vulnerabilities, or emerging vulnerabilities (EVs), are another common foothold that bad actors utilise, and they are one of the most notable threats to organisations because of their unforeseen and time-sensitive nature. New vulnerabilities are disclosed every week, and companies across the world need to be constantly vigilant about which ones can affect them.

One of the major challenges in reducing risk in an extended ecosystem is ensuring that all organisations and their suppliers have no open, unpatched instances of vulnerable software, especially when the average time for a newly disclosed zero-day vulnerability to be exploited is two weeks or less. When an EV is disclosed publicly, a race starts between attackers actively searching for this foothold in organisations and IT teams trying to patch the vulnerable systems. Yet the patching rate of EVs remains remarkably low, even months after disclosure.

For example, the vendor Atlassian announced on 3rd June 2022 that it had been made aware of an active vulnerability in its Confluence Data Center and Server software. According to BlueVoyant’s threat intelligence, only 30% of vulnerable organisations patched within the first 10 days, which meant that 70% remained exposed beyond the average time to exploitation, representing a major risk for these organisations.

Implementing preventative measures

What measures should organisations adopt to prevent the preventable?

To help mitigate the risk of ransomware attacks, organisations need to consider the security of their supply chain. They should know which vendors, suppliers and other third parties have network access and which are critical to business continuity. Organisations should then continuously monitor their supply chain so that if any signs of compromise occur, they can quickly work with the third parties concerned to remediate the issue.

When it comes to RDP, organisations need to be aware of the risks. Most importantly, ports should always be closed unless there is a valid business reason for them to be open. Any remote access should be regularly audited by security teams to ensure nothing is unnecessarily left open. Where access is necessary, organisations should require the use of a VPN and multi-factor authentication, and limit login attempts.
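As an added illustration of the two RDP controls above (audit what is exposed, and limit login attempts), not code from Vasile’s article or from BlueVoyant: a Python script that flags RDP listeners open to any source without a recorded justification, and flags source addresses with repeated failed RDP logons in a short window. The inventory row format, the constructed Windows Security Event ID 4625 records and the thresholds are all assumptions; Logon Type 10 (RemoteInteractive) is how Windows records an RDP logon.

```python
"""Audit exposed RDP listeners and detect RDP brute-force sources.

All data below is constructed for the example: a mock exposure inventory and
mock Windows Security Event ID 4625 (failed logon) records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389
ANY_SOURCE = "0.0.0.0/0"

# Constructed inventory rows: (host, port, allowed source CIDR, business justification)
INVENTORY = [
    ("jump-01", 3389, "10.0.0.0/8", "admin bastion, reachable over VPN only"),
    ("vm-legacy-7", 3389, ANY_SOURCE, ""),   # forgotten cloud instance, no justification
    ("web-02", 443, ANY_SOURCE, "public website"),
]

def exposed_rdp(inventory):
    """Hosts whose RDP port is open to the whole internet with no recorded business reason."""
    return [host for host, port, src, why in inventory
            if port == RDP_PORT and src == ANY_SOURCE and not why.strip()]

# Constructed 4625 records: (timestamp, source IP, target account, logon type)
T0 = datetime(2022, 6, 3, 8, 0, 0)
EVENTS = (
    [(T0 + timedelta(seconds=20 * i), "203.0.113.5", "administrator", 10) for i in range(6)]  # rapid RDP failures
    + [(T0 + timedelta(minutes=20 * i), "198.51.100.9", "admin", 10) for i in range(6)]       # slow, spread out
    + [(T0, "192.0.2.77", "jsmith", 10), (T0 + timedelta(seconds=30), "192.0.2.77", "jsmith", 10)]
    + [(T0 + timedelta(seconds=10 * i), "10.0.0.4", "svc-backup", 3) for i in range(6)]        # network logon, not RDP
)

def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed RDP logons (type 10) inside any `window`.

    Returns {source_ip: max failures seen in one window}. Sliding-window scan per source.
    """
    by_src = defaultdict(list)
    for ts, src, _account, logon_type in events:
        if logon_type == 10:
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures that fell out of the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print("RDP open to the internet without justification:", exposed_rdp(INVENTORY))
    print("Likely RDP brute-force sources:", brute_force_sources(EVENTS))
```

The slow source (one failure every 20 minutes) is deliberately not flagged by the 5-minute window, which is the same trade-off a lockout policy’s "reset counter after" setting makes.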

And finally, organisations should patch, or implement alternative risk mitigation strategies for, all critical vulnerabilities as soon as possible, within the average time to exploitation (around two weeks or less), and encourage vendors to do the same. Supply chain risk management best practices, monitoring internal services and technologies, and making thoughtful decisions on what data to share are all critical to ensuring that you can prevent the preventable and reduce the organisation’s risk exposure.
