Top Most Exploited Vulnerabilities in the COVID-19 Era
Year 2020 is a strange year. As a result of the COVID-19 pandemic, many organizations have hastily made a transition from office work to work from home model with little time to put in place the needed cybersecurity measures.
Here are the top most exploited vulnerabilities (in no particular order) based on the alerts issued by the national cybersecurity centers and agencies in multiple countries, including Canada (Canadian Centre for Cyber Security), US (Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation) and UK (National Cyber Security Centre), as well as a report from a computer security company (McAfee Labs):
RDP Vulnerabilities
RDP, which stands for Remote Desktop Protocol, is a proprietary protocol developed by Microsoft for Windows operating systems, allowing one computer to connect to another computer over the internet. According to McAfee Labs, as the COVID-19 pandemic has prompted many organizations to enable their employees to work remotely, many allowed their employees to access internal corporate resources remotely via RDP.
McAfee Labs said that a simple internet search using Shodan – a search engine that allows users to find computers connected to the internet – showed that the number of RDP ports exposed to the internet has grown from roughly three million in January 2020 to more than four and a half million in March 2020.
“A key component of enabling remote work and allowing employees to access internal corporate resources remotely is Remote Desktop Protocol (RDP), which allows communication with a remote system,” McAfee Labs said. “In order to maintain business continuity, it is very likely that many organizations brought systems online quickly with minimal security checks in place, giving attackers the opportunity to enter them with ease.”
Once inside the victims’ networks via RDP, threat actors can do whatever they like such as drop ransomware, drop cryptominer or steal personal data and trade secrets. Among the common ways attackers enter RDP ports are via stolen RDP credentials (username and password combinations) sold in underground online markets; via brute force attack using the trial and error method in guessing the correct username and password combination; and via known RDP security vulnerabilities.
RDP security vulnerabilities CVE-2019-0708 (also known as BlueKeep), CVE-2020-0609 and CVE-2020-0610 allow an unauthenticated attacker to connect to the target network system using RDP and send specially crafted requests. BlueKeep is wormable, which means that it can replicate by itself and spread to other computers within a network. CVE-2020-0609 and CVE-2020-0610, meanwhile, have shown to be wormable at least among RDP Gateway Servers.
VPN Vulnerabilities
The Canadian Centre for Cyber Security, US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and UK’s National Cyber Security Centre have all warned that security vulnerabilities in the VPN products from Citrix and Pulse Secure are being actively exploited by threat actors.
CVE-2019-19781 is a security vulnerability that allows unauthenticated attackers to perform arbitrary remote code execution on Citrix VPN portals. CVE-2019-11510, meanwhile, is a security vulnerability that allows a remote, unauthenticated actor to view cached plaintext passwords and other sensitive information of Pulse Secure VPN users.
Microsoft Office 365 Configuration Vulnerabilities
Amid the COVID-19 pandemic, many organizations have migrated to Microsoft Office 365 for cloud-based email capabilities as well as chat and video capabilities using Microsoft Teams. In an effort to speed up the migration to Microsoft Office 365, the US Cybersecurity and Infrastructure Security Agency said, organizations may hadn’t fully considered the security configurations of this platform.
Below are some misconfigurations in Microsoft Office 365 that are being actively exploited by threat actors:
– Multi-factor authentication for administrator accounts not enabled by default.
Multi-factor authentication adds an extra layer of security on top of the traditional authentication method: username and password combination. Not enabling multi-factor authentication opens the door to brute force attack – a type of cyberattack that uses the trial and error method in guessing the correct username and password combination. Attackers may either use the smallest number of passwords on the biggest number of accounts possible or use stolen or leaked credentials.
Multi-Factor Authentication not supported by legacy protocols.
Microsoft Office 365 uses Azure AD authentication method to authenticate with Exchange Online – provider of email services. There are currently a number of legacy protocols associated with Exchange Online authentication that don’t support multi-factor authentication. These legacy protocols include Internet Message Access Protocol (IMAP), Post Office Protocol (POP3) and Simple Mail Transport Protocol (SMTP).
Cybersecurity Best Practices
During the COVID-19 era, the following good old cybersecurity best practices protect your organization’s network:
– Keep all software up to date
Microsoft had released patches for the above-mentioned RDP vulnerabilities. Citrix and Pulse Secure, for their part, had issued an applicable patch for the above-mentioned VPN vulnerabilities.
– Enable Multi-Factor Authentication
Multi-factor authentication isn’t a cure-all security measure to ward off attackers. There have been documented cases where attackers were able to bypass multi-factor authentication.
The use of multi-factor authentication, however, wards off attackers who rely on stolen or commonly used username and password combinations in breaking into systems, be it RDP, VPN or Microsoft Office 365.
-Disable legacy protocol authentication
According to Microsoft, more than 99% of password spray attacks (using the smallest number of passwords on the biggest number of accounts possible) use legacy authentication protocols, and more than 97% of credential stuffing attacks (using stolen or leaked credentials) use legacy authentication. Organizations that are ready to block legacy protocols can do so by using Azure AD Conditional Access.
Cybercriminals are more active than ever in exploiting vulnerabilities amid COVID-19 coronavirus pandemic, and small and medium business are their primary targets. Having a skilled IT Support company as your trusted partner since 1983 will protect your business both short and long term and will save you significant dollars. Don’t become the victim of exploited vulnerabilities. Overtake your competitors by calling us today at (416) 920-3000 or email sales@genx.ca