Software vulnerabilities are gifts that keep on giving. Even a few years after vulnerabilities are discovered, the number of systems that are still open to the internet while vulnerable to known defects is alarming.
Recently, Barracuda researchers analyzed the data from the attacks blocked by Barracuda systems over the past two months and found hundreds of thousands of automated scans and attacks per day, with those numbers sometimes spiking into the millions, as well as thousands of scans per day for the recently patched Microsoft and VMware vulnerabilities.
Here’s a closer look at the attack patterns our researchers uncovered, and steps you can take to help protect against these types of attacks.
Unpatched software vulnerabilities — The Microsoft Exchange vulnerability, a.k.a. Hafnium, was first disclosed in March 2021. CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. From the information publicly available, CVE-2021-26855 is used to identify vulnerable systems, and the remaining vulnerabilities appear to be chained with it to gain access and perform further exploitation, including dropping web shells onto the exploited systems.
In March, we saw increased probing for the vulnerabilities, and we continue to see regular scans for these vulnerabilities across our sensors and deployments worldwide. The probing increases from time to time and then drops off to lower levels.
In the case of VMware, they released CVE-2021-21972 and CVE-2021-21973 on February 24, 2021. We’ve been seeing regular probing for CVE-2021-21972 as well, with some downturn in the scanning. That said, we expect to see an uptick in these scans from time to time as attackers cycle through the list of known high-impact vulnerabilities.
These two data points show that software vulnerabilities, especially hard-hitting ones, continue being scanned for and exploited for quite some time after the release of patches and mitigations. Attackers understand that defenders don’t always have the time or bandwidth to keep up with patches all the time, and things slide—providing them with an easy way into the network.
While analyzing attacks, we also identified patterns of attack. Earlier we saw that bots follow the course of a workday to perform their attacks, and now we also see the pattern that the workweek is the same whether you are an attacker or a defender. Both these insights show that most attackers seem to take the weekend off, even when running automated tasks. This is likely because it is easier to hide in the crowd when attempting various activities rather than setting off alarms by going after less used systems on weekends.
We also looked at how the attacks mapped to common attack types. These attack types include attempts at reconnaissance/fuzzing and attacks against application vulnerabilities (WordPress was the most popular target). Typically, we’d expect to see a lot of SQL injection attacks, followed by command injection attacks and then every other type of attack. This time, however, command injection was by far the leader, and we saw a lot of attempts to inject commands against Windows. These attacks peaked over two weeks in June and then went back down to normal traffic levels. The remaining attacks were at more or less the expected levels, with no specific attack patterns to call out in the different categories.
Finally, we analyzed the levels of HTTPS traffic and the versions of the protocols used. It is very important to enable HTTPS and ensure that the configuration is updated to use the latest protocols. On our worldwide deployments of Barracuda WAF-as-a-Service, we make it easy to turn on HTTPS (with Let's Encrypt integration) and to configure secure protocols and services.
When it came to traffic from the worldwide deployments, we saw that the latest TLS 1.3 is the clear leader, followed by TLS 1.2. This is good news, given that these are the most secure protocols. We do see some deployments still using plain HTTP, but the most interesting part is that plain HTTP traffic is higher in volume than the older, insecure SSL/TLS protocols.
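As an added illustration (not Barracuda's tooling or telemetry), the following Python audit tallies protocol versions from constructed access-log lines and turns the counts into the two observations made above: plaintext HTTP still in use, and legacy SSL/TLS still negotiated. The nginx-style log layout with a trailing `$ssl_protocol` field is an assumption.

```python
import re
from collections import Counter

# Constructed sample (not real Barracuda telemetry): nginx-style access log with
# $ssl_protocol appended; "-" means the request came in over plain HTTP.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jun/2021:09:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 TLSv1.3
203.0.113.11 - - [14/Jun/2021:09:01:15 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 TLSv1.2
203.0.113.12 - - [14/Jun/2021:09:02:01 +0000] "GET / HTTP/1.1" 200 2048 -
203.0.113.13 - - [14/Jun/2021:09:02:09 +0000] "POST /login HTTP/1.1" 302 0 TLSv1
203.0.113.14 - - [14/Jun/2021:09:03:40 +0000] "GET / HTTP/1.0" 200 2048 -
203.0.113.15 - - [14/Jun/2021:09:04:02 +0000] "GET /owa/ HTTP/1.1" 200 4096 SSLv3
203.0.113.16 - - [14/Jun/2021:09:05:11 +0000] "GET /robots.txt HTTP/1.1" 200 64 -
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ (?P<proto>\S+)$')

# Buckets matching the article's framing; anything unrecognised is reported as "unknown".
BUCKET = {
    "-": "plain_http",
    "TLSv1.3": "modern_tls", "TLSv1.2": "modern_tls",
    "TLSv1.1": "legacy_ssl_tls", "TLSv1": "legacy_ssl_tls", "SSLv3": "legacy_ssl_tls", "SSLv2": "legacy_ssl_tls",
}

def classify(proto: str) -> str:
    return BUCKET.get(proto, "unknown")

def protocol_breakdown(log_text: str) -> dict:
    """Count requests per protocol string and per bucket, skipping malformed lines."""
    by_proto, by_bucket = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        by_proto[m.group("proto")] += 1
        by_bucket[classify(m.group("proto"))] += 1
    return {"by_protocol": dict(by_proto), "by_bucket": dict(by_bucket)}

def findings(breakdown: dict) -> list:
    """Translate the bucket counts into the actionable observations the article makes."""
    b = breakdown["by_bucket"]
    plain, legacy = b.get("plain_http", 0), b.get("legacy_ssl_tls", 0)
    out = []
    if plain:
        out.append("plain HTTP still served: enable HTTPS and redirect HTTP to it")
    if legacy:
        out.append("legacy SSL/TLS still negotiated: allow only TLS 1.2 and 1.3")
    if plain > legacy:
        out.append("plaintext volume exceeds legacy-protocol volume")
    return out
```

Running it over real logs means pointing `protocol_breakdown` at the server's access log text; the three-way split is what makes the "plain HTTP exceeds legacy SSL/TLS" comparison visible at a glance.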
How to protect against attacks on software vulnerabilities
When it comes to protecting against automated attacks looking to take advantage of known software vulnerabilities, defenders can be overwhelmed at times due to the number of solutions required. The good news is that these solutions are consolidating into WAF/WAF-as-a-Service solutions, also known as Web Application and API Protection services (WAAP).
As Gartner has stated in the 2020 WAF Magic Quadrant:
“Gartner defines WAAP services as the evolution of cloud WAF services. WAAP services combine cloud-delivered, as-a-service deployment of WAF, bot mitigation, DDoS protection and API security, with a subscription model.”
Organizations should look for a WAF-as-a-Service or WAAP solution that includes bot mitigation, DDoS protection, API security, and credential stuffing protection — and make sure it is properly configured.