Attackers are taking advantage of the Covid-19 crisis to exploit recent and old vulnerabilities on very diverse digital assets, which are constantly growing.
The changes in working conditions imposed in recent months by the coronavirus pandemic has increased the attack surface of large companies. In many areas, this threat has increased. This is particularly the case for servers accessible directly from the Internet, domain names, websites, web forms, certificates, third-party applications and components, and mobile applications. If some of these conditions do not persist, many changes may well take place over time. Either way, this puts a strain on the ability of existing IT and security teams to manage and secure hot spots.
Security company RiskIQ, which specializes in the discovery and protection of digital assets, has used data recently collected by its Internet scanner technology to assess the current global attack surface. Over a two-week period, the company saw the addition of 2,959,498 new domain names and 772,786,941 new unique hosts to the web.
Almost half of the websites in Alexa’s top 10,000 operated on a known content management platform. However, these platforms are frequently targeted by hackers precisely because of their popularity. The security firm also identified 13,222 WordPress plugins working on these websites. These third-party components are also a common source of vulnerabilities and breaches. When researching known high and critical vulnerabilities, RiskIQ identified that at least one potentially vulnerable component was running on 2,480 of the top 10,000 Alexa domains. In total, the company detected 8,121 potentially vulnerable web components. “If some of these instances will receive fixes and others will benefit from mitigation controls to prevent exploitation of known vulnerabilities and flaws, this will not be the case for all instances,” warned RiskIQ in its report.
The Internet attack surface of large companies
An examination of the Internet assets of companies in the British FTSE 30 stock market index enabled the security company to identify 1,967 domain names, 5,422 live websites, 8,427 hosts, 777,049 web pages. , 3,609 certificates, 76,324 forms, 2,841 WordPress and Drupal sites, 114,504 IP addresses, 45 mail servers, 7,790 applications hosted in the Amazon and Azure cloud, 26 potentially vulnerable Citrix Netscaler instances, 8 Palo instances Alto GlobalProtect potentially vulnerable, 9 Pulse Connect instances potentially vulnerable, 25 Fortinet instances potentially vulnerable and 1,464 instances of remote access services.
On average, each company used 324 expired certificates and 25 certificates using the SHA-1 hash, however obsolete and blocked, 743 potential test sites exposed to the Internet that could pose a risk for data, 385 insecure forms, including 28 used for the authentication, 46 web frameworks affected by known vulnerabilities, 80 PHP 5.x instances having reached their end of life for more than a year, and 664 versions of web servers affected by known vulnerabilities. “While the line between what is inside and outside the firewall is becoming less and less perceptible, today we must consider that the attack surface of a company – all that ‘She has to worry about defending – now includes the inside of the corporate network and extends to the outer limits of the Internet, and even to the homes of employees,’ said RiskIQ in its report. “The depth and extent of the surface to be defended could discourage the security teams. However, looking at the Internet from the point of view of the attacker – a series of digital assets to be exploited in future campaigns – one can put the extent of the company’s attack surface into perspective. “
The indirect attack surface
In addition to having to protect their digital assets on the Internet, companies must also manage threats to their customers and employees, especially since a large number of their employees now work remotely, often with their personal computers, via unsecured home networks. This makes them more vulnerable to phishing campaigns and other online threats, as these machines are outside of corporate firewalls and web security gateways. In the first quarter of 2020, RiskIQ identified 21,496 phishing domains masquerading as 478 unique brands, a third of which were in the financial services sector. In addition, the security firm identified 720,188 domain violation cases related to 170 unique brands.
Malicious mobile applications that steal data also pose a risk to employees who are often directed to them via phishing messages from social media platforms or from malicious advertisements often displayed by other mobile applications. According to RiskIQ, over the past year, around 170,796 mobile applications, even though they were blacklisted, were found in 120 mobile application stores and on the Internet. Over 25,000 of them were available in the Google Play Store. “In a world of digital engagement, users find themselves outside the traditional security perimeter, and an increasing number of corporate digital assets are exposed to malicious actors,” RiskIQ said in its report. “Today, companies must adopt security strategies that take this change into account. Attackers now have many more hotspots to explore or exploit, and these hotspots have little or no surveillance. “