Failing to overcome the strong mesh of cybersecurity software and protection systems in an internal network, cybercriminals are looking into unattended or forgotten parts of the system, including unpatched software, compromised remote protocols, and one-day vulnerabilities, to penetrate a system. This is according to a report on Securelist.com called the Digital Footprint Intelligence (DFI).
The report covered external threats in selected countries from the Asia Pacific (APAC) region in 2021, including the six key countries in Southeast Asia (SEA). The findings, however, apply to any region where complete system monitoring is lacking, especially for legacy systems, even where threat monitoring and the repelling of attacks are otherwise strong.
“Clearly, cybercriminals are busy uncovering possible entry points in the region. From hunting for unpatched software, one-day vulnerabilities, and exploitable remote access and management services, malicious actors have a lot of options to infect lucrative industries. In short, a cyberattack is like a ticking bomb,” Chris Connell, Managing Director for Asia Pacific at Kaspersky, said, emphasizing that cyberattacks can be prevented before an attacker is inside the internal network. Threat monitoring allows organizations to take action and properly neutralize a threat before it can exploit any existing vulnerabilities and affect the target institutions. Kaspersky put together the DFI.
Loopholes left mostly by internal programming or software revisions create the one-day vulnerability. Oftentimes, complicated business processes force services to remain on the perimeter, which in turn increases the external attack surface. This often unprotected practice is exploited by cybercriminals.
Software patches are supposed to control and thwart cyberattacks, but they also often leave systems vulnerable during the patching process. Meanwhile, internal programming and testing, as well as remote operations from the hybrid or work-from-home setups that developed after the pandemic, may open doors for infiltration, especially in older systems linked to newer cloud-based operations.
With the help of public sources and specialized search engines, Kaspersky collected and analyzed information on 390,497 services available from public networks to discover and report key security issues and vulnerabilities. In 2021, almost one in five of the vulnerable services contained more than one ‘opening’, increasing the chances of an attacker performing a successful attack. The report also said that all industry sectors analyzed, in all countries, have issues with applying security updates to public services.

In terms of the share of vulnerabilities with publicly available exploits, three of the top five countries are Malaysia, Vietnam, and the Philippines.
Not surprisingly, in the region, the government is responsible for a huge percentage of potential incident-generators. In the Philippines, the National Privacy Commission (NPC) has on several occasions warned or reprimanded local government units and even bureaus and departments handling personally identifiable information. For example, during the pandemic, various information processors for COVID-19 contact tracing were questioned on the storage and management of personal data. Hospitals too, as providers of critical services, are potential victims of cyberattacks involving either personal data breaches or infiltration.
Singapore has a low number of vulnerabilities and an outstandingly low ratio between the number of services and the sum of vulnerabilities in them, while Vietnam, Indonesia, Thailand, and Malaysia have the highest ratios among SEA countries.
In the report, Kaspersky experts observed a number of commonly exploited vulnerabilities dubbed ProxyShell and ProxyLogon. Exploits for these vulnerabilities are readily available on the Internet, so even a low-skilled attacker can use them.
While ProxyShell is quite common in China and in Vietnam, the countries most affected by ProxyLogon are Thailand (in government bodies), China (in financials), the Philippines (healthcare), and Indonesia (industrial).
A large share of the initial access that leads to cybersecurity incidents involves services with remote access or management features. One of the best-known examples is RDP (Remote Desktop Protocol). It is Microsoft’s proprietary protocol that enables a user to connect to another computer through a network of computers running Windows.
Last year, the DFI reported that Kaspersky monitored 16,003 remote access and management services available for exploitation. Indonesia, India, Bangladesh, the Philippines, and Vietnam offer the most opportunities for an attacker to gain remote access. Again, government institutions account for more than 40 percent of the attack surface for brute-force attacks and the reuse of leaked credentials.
“While worrisome, reports such as our Digital Footprint Intelligence can be used as a tool to guide the cybersecurity capacity building of concerned organizations. If you know your weak areas, it’s easier to prioritize,” Connell said, adding that the report’s sole purpose is to create awareness about security threats and demonstrate effective approaches to risk mitigation for widespread attacks with high business impact.
Figure 2. Distribution of vulnerable services with publicly available exploits
RDP is widely used by both system administrators and less-technical users to control servers and other PCs remotely, but this tool is also what intruders exploit to penetrate a target computer that usually houses important corporate resources.
From Kaspersky’s incident response practice, handled by its Global Emergency Response Team (GERT), and from CISA advisories, adversaries are known to use a well-known list of vulnerabilities to exploit organizations’ defenses. While researching the security problems of companies from the APAC region,
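As an added illustration of how a defender can audit their own perimeter for the two weaknesses the report keeps returning to (exposed remote-access/management services and stale patching), the following Python script is example code, not code from the article or from Kaspersky. It reads a constructed inventory of Internet-facing services, flags remote-management ports that are reachable from the Internet and services whose last patch is older than an assumed 30-day SLA, and computes the share of services carrying more than one finding. The inventory, the port list and the threshold are all assumptions.

```python
"""Perimeter exposure audit over a constructed service inventory.

Added example: flags Internet-facing remote-access/management services and
services whose last patch is older than an assumed SLA. The inventory, the
port list and the threshold are assumptions, not data from the DFI report.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Assumed policy: management ports that should not be reachable from the Internet.
REMOTE_MGMT_PORTS = {
    22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC",
    5985: "WinRM", 5986: "WinRM-HTTPS",
}
MAX_PATCH_AGE_DAYS = 30  # assumed patch SLA for public-facing services

# Constructed sample export of perimeter hosts (reserved .test TLD, not real data).
INVENTORY_CSV = """host,port,service,last_patched
mail.example.test,443,Exchange OWA,2021-02-10
mail.example.test,3389,RDP,2021-02-10
web.example.test,443,nginx,2021-11-20
files.example.test,22,OpenSSH,2021-11-25
legacy.example.test,23,telnetd,2019-06-01
"""


@dataclass
class Finding:
    host: str
    port: int
    issues: list = field(default_factory=list)


def audit_inventory(csv_text, today_iso):
    """Return (findings, total_services): one Finding per service with at least one issue."""
    today = date.fromisoformat(today_iso)
    findings, total = [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        port = int(row["port"])
        issues = []
        if port in REMOTE_MGMT_PORTS:
            issues.append(f"{REMOTE_MGMT_PORTS[port]} exposed to the Internet")
        age = (today - date.fromisoformat(row["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:
            issues.append(f"unpatched for {age} days")
        if issues:
            findings.append(Finding(row["host"], port, issues))
    return findings, total


def multi_issue_share(findings, total):
    """Fraction of all services with more than one issue (the 'more than one opening' metric)."""
    if total == 0:
        return 0.0
    return sum(1 for f in findings if len(f.issues) > 1) / total


if __name__ == "__main__":
    found, n = audit_inventory(INVENTORY_CSV, "2021-12-01")
    for f in found:
        print(f"{f.host}:{f.port} -> {'; '.join(f.issues)}")
    print(f"services with more than one issue: {multi_issue_share(found, n):.0%}")
```

In practice the CSV would come from an external scan or asset inventory of your own address space, and the port list and patch SLA from your change-control policy; the same loop then doubles as the review step the report asks for whenever a new service is exposed on the perimeter.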
ProxyShell is a group of vulnerabilities for Microsoft Exchange servers – CVE-2021-31206, CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523. The ProxyLogon group includes CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The vulnerabilities from both groups enable an actor to bypass authentication and execute code as a privileged user.
The best defense against these vulnerabilities is to keep public-facing systems updated with the latest patches and product versions. Companies should also avoid direct access to Exchange Server from the Internet. Kaspersky products protect against vulnerabilities from both groups — ProxyShell and ProxyLogon.
To protect your businesses from such threats, Kaspersky experts also recommend that you:
Regulate every major change to network perimeter hosts, including launching services or applications, exposing new APIs, installing and updating software, configuring network devices, and so on. Review all changes from the perspective of their security impact.
Develop and implement reliable procedures for identifying, installing, and verifying patches for products and systems.
Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Backup data regularly. Make sure you can quickly access it in an emergency.
Use solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service, which help to identify and stop the attack in the early stages, before the attackers achieve their goals.
Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business (KESB), which is powered by exploit prevention, behavior detection, and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.
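The recommendations above ask defenders to focus on detection, and the report names brute-force attacks against exposed remote-access services such as RDP as a major source of initial access. As an added example (not part of the article or of any Kaspersky product), the Python script below runs that detection over constructed Windows Security log lines: it counts failed RemoteInteractive logons (Event ID 4625, logon type 10) per source address in a sliding window, raises an alert when a source crosses a threshold, and then flags any later successful logon (Event ID 4624, logon type 10) from a source that was already flagged, which is the signal an incident responder most wants to see. The line format, the addresses (RFC 5737 documentation ranges), the account names, the 60-second window and the threshold of 5 are all constructed assumptions.

```python
"""RDP brute-force and follow-on logon detection over constructed log lines.

Added example, not from the article or any Kaspersky product. The line
format, addresses, accounts, window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed failed logons per source per window
RDP_LOGON_TYPE = "10"            # Windows logon type 10 = RemoteInteractive (RDP)

# Assumed flattened line format; a real pipeline would read the event XML/JSON.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

# Constructed sample: one source sprays several accounts, then succeeds;
# a second source has two failures (below threshold); a third logs in normally.
SAMPLE_LOG = """\
2021-12-01T10:00:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2021-12-01T10:00:03 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2021-12-01T10:00:05 EventID=4625 LogonType=10 Account=backup Source=203.0.113.7
2021-12-01T10:00:07 EventID=4625 LogonType=10 Account=svc_backup Source=203.0.113.7
2021-12-01T10:00:09 EventID=4625 LogonType=10 Account=svc_backup Source=203.0.113.7
2021-12-01T10:00:11 EventID=4625 LogonType=10 Account=svc_backup Source=203.0.113.7
2021-12-01T10:00:20 EventID=4624 LogonType=10 Account=svc_backup Source=203.0.113.7
2021-12-01T10:01:00 EventID=4625 LogonType=10 Account=jdoe Source=198.51.100.22
2021-12-01T10:01:30 EventID=4625 LogonType=10 Account=jdoe Source=198.51.100.22
2021-12-01T10:02:00 EventID=4624 LogonType=10 Account=jdoe Source=192.0.2.9
"""


def parse_events(text):
    """Yield one dict per line that matches the constructed format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def detect_rdp_bruteforce(text, window=WINDOW, threshold=THRESHOLD):
    """Return {'brute_force': {source: first alert time},
               'success_after_bruteforce': [(source, account, time), ...]}."""
    recent = defaultdict(deque)  # source -> timestamps of failures inside the window
    alerts = {}
    successes = []
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        if ev["lt"] != RDP_LOGON_TYPE:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["eid"] == "4625":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = ts
        elif ev["eid"] == "4624" and src in alerts:
            # A success from a source already flagged for brute force: escalate.
            successes.append((src, ev["acct"], ts))
    return {"brute_force": alerts, "success_after_bruteforce": successes}


if __name__ == "__main__":
    result = detect_rdp_bruteforce(SAMPLE_LOG)
    for src, ts in result["brute_force"].items():
        print(f"brute force from {src} (threshold reached at {ts})")
    for src, acct, ts in result["success_after_bruteforce"]:
        print(f"successful RDP logon as {acct} from flagged source {src} at {ts}")
```

The window and threshold need tuning per environment (a jump host used by many admins will look different from a lone server), and the "success after brute force" list is the one to route to incident response first, since it points at a credential that has probably been guessed or reused from a leak.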
Read the full Digital Footprint Intelligence report for APAC on Securelist.com.