Exchange Server Attackers Launched Scans Within Five Minutes of Disclosure

Threat actors are “winning the race” to find vulnerable assets to exploit, launching scans within minutes of CVE announcements, a leading security vendor has warned.

The 2021 Cortex Xpanse Attack Surface Threat Report from Palo Alto Networks was compiled from scans of 50 million IP addresses associated with 50 global enterprises, carried out January-March 2021.

The report revealed that as soon as new vulnerabilities are announced by vendors, attackers rush to take advantage, utilizing cheap cloud computing power to back their efforts.

“Scans began within 15 minutes after CVE announcements were released between January and March. Attackers worked faster for the Microsoft Exchange Server zero-days, launching scans within five minutes of Microsoft’s March 2 announcement,” the report noted.

“On a typical day, attackers conducted a new scan once every hour, whereas global enterprises can take weeks.”

Remote Desktop Protocol (RDP) servers accounted for the largest number of security issues (32%), although in this case, attackers aren’t scanning for software vulnerabilities but endpoints that can have their credentials brute-forced or cracked. It’s an increasingly popular initial access vector for ransomware attackers.

Also heavily targeted were misconfigured database servers, exposure to high-profile zero-day vulnerabilities from vendors like Microsoft and F5, and insecure remote access through Telnet, Simple Network Management Protocol (SNMP), Virtual Network Computing (VNC), and other protocols.

However, it was cloud systems that comprised the largest number of critical security issues (79%), according to the report.

Travis Biehn, principal security consultant at Synopsys Software Integrity Group, argued that organizations must minimize their exposure footprint and take zero trust approaches to remote worker security, in order to tilt the balance in their favor.

“The most sophisticated attackers — those who have clear objectives and targets known far in advance — map the corporate network footprint across private data centers and cloud in advance,” he warned.

“They also have automation and infrastructure ready to take advantage of new vulnerabilities before defenses can kick in.”

What’s Hot on Infosecurity Magazine?