Criminals began to scan the Internet for vulnerable Microsoft Exchange Servers within five minutes of the disclosure of critical zero-day flaws patched in early March, researchers report.
In the 2021 Cortex Xpanse Attack Surface Threat Report, Palo Alto Networks researchers examine threat data from 50 organizations, and some 50 million IP addresses, collected in the first quarter. Their analysis reveals attackers scan to inventory vulnerable Internet assets once per hour and even more often, within 15 minutes or less, following the disclosure of CVEs. "When an exploit is published, the time from then until when we start to see follow-on scanning spike in volume is now just minutes," says Tim Junio, senior vice president of products for Cortex at Palo Alto Networks. "That is a huge change from a few years ago."
Researchers examine English- and Russian-language underground exploits to track how exploits are advertised and sold.
RSA CONFERENCE 2021 – Microsoft products accounted for 47% of the CVEs that cybercriminals request across underground forums, according to researchers who conducted a yearlong study into the exploit market.
The research spanned more than 600 English- and Russian-language forums, said Mayra Rosario Fuentes, senior threat researcher at Trend Micro, who presented some of the findings in her RSA Conference talk "Tales from the Underground: The Vulnerability Weaponization Lifecycle." Researchers sought to learn which exploits were sold and requested, the types of sellers and buyers involved in transactions, and how their findings compared with their detection systems.
Colonial Pipeline Cyberattack: What Security Pros
Putting The Spotlight on DarkSide
Incident responders share insight on the DarkSide ransomware group connected to the recent Colonial Pipeline ransomware attack.
Details continue to emerge about the ransomware attack that hit Colonial Pipeline late last week, forcing the major US pipeline operator to take some systems offline and temporarily halt pipeline operations. The FBI has linked ransomware-as-a-service (RaaS) group DarkSide to the attack.
Colonial Pipeline runs a system spanning 5,500 miles between Houston, Texas, and northern New Jersey, delivering about 45% of the fuel for the East Coast, the company says. In an update published May 12, officials reported they had initiated the restart of pipeline operations and note it will take several days for the product delivery supply chain to return to normal.
This month brought patches for 55 CVEs in Microsoft Windows, Microsoft Office, .NET Core and Visual Studio, Internet Explorer, SharePoint Server, Hyper-V, Skype for Business and Microsoft Lync, Open Source Software, and Exchange Server. Fifty of these vulnerabilities are classified as Important in severity, one as Moderate.
One concerning CVE to prioritize is CVE-2021-31166, a critical remote code execution flaw in the HTTP protocol stack with a CVSS score of 9.8. An attack using this would be low in complexity and require no privileges or user interaction, Microsoft says in its disclosure.
To exploit this, an attacker would need to send a specially crafted packet to a vulnerable server using the HTTP protocol stack to process packets. This makes the bug wormable, a danger Microsoft points out. And as Dustin Childs of Trend Micro's ZDI writes in a blog post, Windows 10 can be configured as a server, meaning it's also affected.
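Because the flaw lives in the HTTP protocol stack (http.sys) rather than in one application, the practical defender question is which hosts actually have http.sys listening on a reachable interface and whether the May update is installed. The PowerShell below is an added example written for this article, not code from Microsoft or from the article's authors; it inventories kernel-owned (PID 4) TCP listeners, which on Windows are http.sys request queues, lists the URL reservations registered with http.sys, and checks for the cumulative update. The `$PatchKB` value is a placeholder: substitute the KB number Microsoft lists for your Windows build in the CVE-2021-31166 advisory.

```powershell
# Added example (not from the article or Microsoft): inventory http.sys exposure
# on one Windows host and report whether the relevant cumulative update is present.
# $PatchKB is a placeholder; take the real KB id for your build from the advisory.
param(
    [string]$PatchKB = 'KB<placeholder-from-advisory>'
)

# 1. TCP listeners owned by the System process (PID 4) are http.sys request queues.
#    IIS, WinRM (5985/5986), WSUS and any custom HttpListener app register here,
#    so a host can be exposed even when IIS is not installed.
$httpSysListeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.OwningProcess -eq 4 } |
    Select-Object LocalAddress, LocalPort)

# 2. URL reservations show which applications have registered prefixes with http.sys.
$urlReservations = @(netsh http show urlacl | Select-String 'Reserved URL')

# 3. Patch state. Get-HotFix is a heuristic: it reflects installed updates as recorded
#    in the servicing store, so confirm with your patch-management system as well.
$patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

# Summarise: a host is of concern when http.sys listens on any address and the
# update is absent. Listeners bound only to 127.0.0.1 are reported but flagged
# separately, since they are not reachable from the network.
$external = @($httpSysListeners | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' })

[PSCustomObject]@{
    ComputerName       = $env:COMPUTERNAME
    HttpSysListeners   = ($httpSysListeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
    ExternalListeners  = $external.Count
    UrlReservations    = $urlReservations.Count
    PatchInstalled     = $patched
    NeedsAttention     = (-not $patched) -and ($external.Count -gt 0)
}
```

Run it locally or through `Invoke-Command` against a list of servers; hosts that report `NeedsAttention = True` are the ones to patch first, and the listener list tells you which service is the reason http.sys is exposed.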