Cloud Patching Can Prevent A Vulnerability From Being Exploited In The Future
On average, one vulnerability is exploited every 2 hours, and attackers can cause significant disruption, downtime, and revenue loss. Before delving into the cloud patching know-how, it's worth learning about the 10 most routinely exploited vulnerabilities and how they can be prevented using threat intelligence and vulnerability assessment tools.
Top 10 Routinely Exploited Vulnerabilities
Microsoft Exchange Server (ProxyLogon)
ProxyLogon is a vulnerability in Microsoft Exchange Server that attackers exploited to expose over 6,000 Exchange servers, gaining access to confidential information such as email conversations. Attackers were also able to install web shells across those 6,000 servers, through an open port 443, for further exploitation.
This enables data exfiltration, which is the malicious and unauthorized transfer of data from one computer to another. The vulnerability chain, covered under CVE-2021-26855, 26857, 26858, and 27065, allowed attackers to compromise multiple servers without having any prior access to them.
Zerologon
In September 2020, Tom Tervoort, a researcher at the firm Secura, announced the Zerologon flaw. Although Microsoft had patched the flaw in August, many servers and businesses remained vulnerable. The concern with Zerologon was that an attacker who could exploit the vulnerability could also craft a unique RCE (Remote Code Execution), made possible by the incorrect usage of an AES mode of operation.
With this vulnerability exploited on MS servers, an attacker could also take over the root and domain server.
Attackers are actively using this RCE to exploit the vulnerability. This makes it one of the most dangerous and volatile vulnerability types, as it allows hackers to gain complete control of servers exposed to the internet. Cybercriminals use this vulnerability to install Cobalt Strike for exfiltrating data and committing credential theft.
The latest stage of exploiting this vulnerability has been the use of ransomware to steal and sell data. This vulnerability can significantly impact businesses and expose their internal assets and infrastructure.
Often, companies endure significant downtime and disruption because of a reactive approach to cloud patching rather than a proactive one. This can be avoided by integrating live patching, which automatically deploys patches without needing to reboot servers or schedule any downtime.
VMware vSphere client (CVE-2021-21972)
This RCE vulnerability was discovered in February 2021 in the HTML5 version of the VMware vSphere Client. Attackers can exploit vSphere to gain control, execute commands, and escalate privileges. With a severity score of 9.8, this vulnerability allows attackers to access and extract infrastructure and business secrets.
This flaw was discovered in Windows servers and allows an attacker to intercept data and impersonate both clients and traffic on a domain. This is done when the domain is forced to authenticate to an NTLM server controlled by the attacker. Exploitation of this vulnerability occurs when AD CS (Active Directory Certificate Services) is not configured to protect against NTLM attacks.
Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)
Attackers exploit vulnerabilities to gain a foothold in an enterprise, and this RCE is not difficult to weaponize either. The flaw is present in the product's default configuration, and once attackers bypass authentication, it can be used to execute commands as well. This combination is actively sought out by attackers to continue exploiting the vulnerable endpoints of the product.
Pulse Secure Pulse Connect Secure (CVE-2019-11510)
This vulnerability significantly affects Pulse Secure VPN appliances: an attacker can send a specially crafted URI to perform actions such as arbitrary file reading. Russian and Chinese attackers exploited this vulnerability in targeted campaigns, some of them aimed at research data on viruses such as COVID-19.
Although patches for this vulnerability were released for the VPN appliances, credentials compromised before patching continue to be abused in cyber-attacks.
Fortinet FortiOS and FortiProxy (CVE-2018-13379)
CVE-2018-13379 has been exploited for 4 years. This vulnerability is in the FortiProxy SSL VPN web portal; upon exploitation through crafted HTTP resource requests, any attacker can download files present on the system. This bug is also used for ransomware and data theft. According to information released by CISA (the Cybersecurity and Infrastructure Security Agency), this vulnerability is believed to be exploited by Russian and Iranian attackers as well.
Microsoft Exchange Server (CVE-2020-0688)
This RCE vulnerability was first discovered in 2020 in Microsoft Exchange Server. Attackers can pass arbitrary functions to the web application and run them as SYSTEM. Exploitation of this RCE enables email collection on the specific networks targeted by attackers. The vulnerability occurs because the server fails to create unique keys during installation.
Atlassian Confluence Server & Data Center (CVE-2021-26084)
This vulnerability was classified as a critical security threat because it allows an unauthorized user or attacker to execute arbitrary code on a Confluence Server, and it has been used for mass exploitation. The critical aspect of this bug is that it doesn't require a valid system account: it can be triggered by any unauthorized user, and public exploit code exists and is actively used.
Achieving Five-Nines Is Not Difficult
The five-nines (99.999%) mandate is a compelling reason for organizations to change their approach to patching. It means that your servers experience no more than 5 minutes of downtime per year, which is a phenomenal benchmark, and live patching helps you achieve five nines with ease.
If you've read through this article, you're now aware of the risk that organizations face each day. While these are 10 routinely exploited vulnerabilities, there is a legion of other risks and vulnerabilities waiting to disrupt your servers, which can be frustrating to face and tenfold more challenging to tackle.
Fortunately, for threats that target Linux vulnerabilities, TuxCare's live patching solutions can help. In-house IT teams can analyze and deploy security patches without waiting for a maintenance window or rebooting the entire system.
Get in touch with TuxCare’s cybersecurity experts to streamline risk analysis and vulnerability management of your servers by patching Linux, preserving IT resources, and eliminating downtime.