The switch to remote working 11 months ago has led to a notable 40% increase in remote desktop protocol (RDP) and secure shell (SSH) exposure volumes, alongside a massive increase in related vulnerability discoveries – notably BlueKeep – according to a report produced by Dublin-based vulnerability management specialists Edgescan.
The sixth annual edition of the firm’s Vulnerability stats report takes an in-depth look at vulnerability metrics from known common vulnerabilities and exposures (CVEs), malware, ransomware, and exposed services on both internal and public-facing systems. Edgescan compiles the data from thousands of security assessments it performs through its Fullstack Vulnerability Management service.
“I am still as passionate as ever in compiling this report and delving into the underlying data. We still see high rates of known (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation states and cyber criminal groups. So yes, patching and maintenance are still challenges, demonstrating that it is not trivial to patch production systems,” said Eoin Keary, CEO and founder of Edgescan.
“This report provides a glimpse of a global snapshot across dozens of industry verticals and how to prioritise on what is important, as not all vulnerabilities are equal. This year we call out which threat actors are leveraging discovered vulnerabilities, which should be food for thought,” he added.
The report also revealed a lack of attention being paid to remediating vulnerabilities, with over 65% of those found by Edgescan’s systems in 2020 more than three years old, 32% dating back to 2015 or before, and one – CVE-1999-0517 – which is now old enough to drink.
The most widespread critical risk CVE found last year was CVE-2018-0598, an untrusted search path vulnerability in self-extracting archive files created by IExpress bundled with Microsoft Windows, that left unpatched, enables an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
Alongside a number of other CVEs, all of them rated medium, high or critical risks, BlueKeep is particularly notable because of its utility in introducing malware or ransomware into target systems.
Indeed, BlueKeep accounted for just under 30% of all malware-related CVE detections by Edgescan, followed closely by CVE-2017-0143 – EternalSynegy and EternalBlue – which accounted for 26.5%, and CVE-2017-5638, which accounted for 13.2%.
Edgescan said it was important when looking at malware-related CVEs that many of them are located on non-internet facing systems, which he said resulted from a cultural trend not to focus on internal vulnerabilities. This trend increases the risk of ransomware and data theft following targeted spear-phishing or social engineering attacks.
Despite the prevalence of vulnerability-related problems – more of which are highlighted in-depth in the report – there were also some positive trends that emerged. For example, the number of analysed systems with more than 10 CVEs (both internal and public-facing) has plummeted from 15% in 2019 to just 4% in 2020, reflecting system upgrades, and improved patching hygiene and maintenance thanks to growth in continuous asset profiling services.
Edgescan’s full study – data from which has been used in the past in a number of other high-profile reports including the OWASP Top 10 and Verizon’s Data Breach Investigations Report (DBIR) – can be downloaded here.