Patching is an integral component of any cyber security strategy. It provides an additional layer of defence from adversaries seeking to exploit and gain access to your network by minimising potential attack vectors caused by security vulnerabilities. In 2020, we observed the proliferation of vulnerabilities in network appliances, VPNs, and other related infrastructure that we have relied on during this mass work from home period. Thus, patching remains a solid preventative control to thwart attackers from achieving their objectives.
The Australian Cyber Security Centre (ACSC) have recommended patching for many years in their Essential Eight1 and Information Security Manual2. Patching is the process of remediating security vulnerabilities that exist in applications, operating systems, drivers, and device firmware by installing patches (updates) or replacing/upgrading vulnerable software or firmware versions.
While many recent, high profile breaches have been caused by the exploitation of unpatched security vulnerabilities in networking appliances, operating systems and applications have consistently featured in lists of the top vulnerabilities exploited by adversaries. Consequently, a range of assets should be considered as part of a patch management plan. This includes, but is not limited to:
- Web browsers such as Google Chrome, Mozilla Firefox, Internet Explorer
- Application software such as Microsoft Office, Adobe Acrobat, Flash, Java, VMware Workstation
- System utilities such as Anti-Virus, CCleaner, AutoIT, TeamViewer, Ansible/Puppet
- Operating system level patches for Microsoft Windows, Linux, MacOS, etc.
- Server applications such as IIS, Apache Struts, Drupal, SharePoint, Exchange, Telerik, Mobile Device Management Systems
THE STATE OF VULNERABILITY PATCHING
ParaFlare have been contributing to Verizon’s Data Breach Investigations Report (DBIR) for the past two years. The DBIR provides data driven insights into the perpetrators, victims, and causes of cyber security incidents and confirmed data breaches. According to the DBIR 2020 report, more than half of the incidents that were analysed in the twelve months to October 31, 2019 involved hacking, with the third most prevalent type of hacking being vulnerability exploitation. The first and second most prevalent types of hacking were denial of service and stolen credentials, respectively.
Statistics in the DBIR 2020 report show that on average 57% of vulnerabilities are patched by organisations within three months of the vulnerability’s disclosure. The report also demonstrates that there are significant differences in the patching rate between industries, as shown in the table below.
| Industry | Percentage |
|---|---|
| Information | 89% |
| Mining and Utilities | 81% |
| Professional Services | 67% |
| Retail | 49% |
It is clear that security incidents involving vulnerability exploitation occur for two reasons: an organisation does not patch vulnerabilities quickly enough, or they do not patch them at all. The longer vulnerabilities go unpatched, the greater the likelihood they will never be patched. This is often due to an organisation having poor visibility of ICT assets and associated vulnerabilities in their environment.
In some circumstances, there may be operational factors that result in the organisation’s decision not to patch. This includes compatibility issues with legacy hardware or software and the prioritisation of system availability over security. This is a separate issue, but important to note as legacy systems are repeatedly targeted due to the increased likelihood of successful compromise via vulnerability exploitation.
WHY PATCHING MATTERS
Vulnerabilities are exploited by both sophisticated and non-sophisticated threat actors. Well documented vulnerabilities are often targeted by researchers and malware writers as soon as information becomes available. When a proof of concept for a vulnerability exploit is first released, it is done so publicly, meaning any type of threat actor can simply download it and use it against a target.
Depending on the adversary, there are the opportunistic hackers who engage in a ‘spray and pray’ approach. The threat actor will use publicly available tools, such as Shodan, to discover potentially vulnerable devices all over the world. They will on-masse, try to exploit these devices, hoping that one will give them the access they are looking for. The assumption being made is that organisations have not patched the vulnerability, yet the threat actor already has access to a working exploit.
More sophisticated threat actor groups will become alerted to a vulnerability or identify one themselves and start developing a way to weaponise it. The reconnaissance phase starts now, to determine who from their list of targets are vulnerable to the working exploit.
Many high-profile cyber security breaches involving vulnerability exploitation have occurred after a patch was released. The following table contains just some of many case studies we can use to understand why patching still matters.
| Vulnerability | Publicly Disclosed | Patch Released | Notable Breaches |
| CVE-2017-5638; Apache Struts 2 | 06/03/2017 | 06/03/2017 | Chinese state military (PLA 54th Research Institute) exploited this breach and remained in a large financial firms’ network from May – July 2017. This led to the theft of customer PII and the loss of US$1.4 billion3 |
| CVE-2018-7600 & 7602; Drupalgeddon and Drupalgeddon 2 | 28/03/2018 and 25/04/2018 | 25/04/2018 and 25/04/2018 | The Drupalgeddon vulnerability was used to deploy cryptocurrency miners across multiple victims globally, including local US governments4 |
| CVE-2019-11510; Pulse Connect Secure VPN | 24/04/2019 | 24/04/2019 | After exploiting this vulnerability, the REvil group would gain access and extort large organisations, before deploying Sodinokibi5 |
| CVE-2019-19781; Citrix Netscaler | 17/12/2019 | 19/01/2020 | Following successful exploitation, adversaries deployed Sodinokibi ransomware to target corporations, including automotive companies6 |
| CVE-2020-8515; DrayTek Vigor Routers | 01/02/2020 | 06/02/2020 | Adversaries exploited this DrayTek router vulnerability before a patch was released. Unknown threat groups were installing web and SSH backdoors to maintain persistence7 |
| CVE-2020-5902; F5 BIG-IP devices | 30/06/2020 | 30/06/2020 | Multiple corporate organisations were hit by this vulnerability exploitation; after this, attackers installed cryptocurrency miners and IoT malware, and obtained admin credentials8 |
| CVE-2020-15505; MobileIron devices | 01/07/2020 | 15/06/2020 | Nation-state and organised crime groups are exploiting this vulnerability after the patch was released, targeting government and healthcare9 |
| CVE-2020-1472; Zerologon (Netlogon) | 11/08/2020 | 11/08/2020 | China’s APT10 is believed to be using this vulnerability to target automotive and industrial based companies, including those in Japan10 |
| Microsoft Exchange Server Vulnerabilities | 02/03/2021 | 02/03/2021 | Threat actors have taken advantage11 of organisation’s slowness to patch these vulnerabilities. |
The motivations behind these attacks are wide-reaching and various, yet they have severe consequences.
As a non-negligible number of cybersecurity incidents involve the exploitation of vulnerabilities, it is crucial for a vulnerability management process to be well-structured and understood by all relevant stakeholders.
RECOMMENDATIONS
ParaFlare recommends the following steps in ensuring that this can be achieved by your organisation:
- First and foremost, confirm that you have identified all devices and assets. For each asset, prioritise the risk to the business, and know who the owner is. ParaFlare recommends having a Configuration Management Database (CMDB) in place that lists all hardware and software components within the network, including details such as versioning and patch numbers. Changes or additions to hardware and software components should be identified and updated in the CMDB regularly.
- Ensure there is a clear process for vulnerability and patch management; including roles and responsibilities of various stakeholders as defined by your organisation.
- Most vendors maintain a security advisory or bulletin to update customers on newly discovered vulnerabilities and patch updates. It is critical to subscribe to these advisories and initiate a response if a vulnerability is relevant to your environment. An example can be found on Cisco’s website. There are also free and paid solutions that enable you to bulk subscribe to vulnerability notifications relevant to your organisation.
- Assess each vulnerability according to their likelihood and impact if successfully exploited. Validate whether the vulnerability can be exploited in terms of how it has been implemented in your organisation.
- Deploy a vulnerability scanning solution in your environment and run the scan regularly to identify new devices and new vulnerabilities.
If a patch has been released for a vulnerability that your organisation is vulnerable to, the following timeframes for deploying the patch is recommended by industry best practices12:
- Extreme risk: within 48 hours of a patch being released
- High risk: within two weeks of a patch being released
- Moderate or low risk: within one month of a patch being released.
Many security incidents, whether they are targeted or opportunistic attacks, can be mitigated via patching. Patching and overall vulnerability management still matter in the continuous battle against cyber threats. Whilst not all security incidents can be thwarted by patching, it is an important preventative measure as part of a larger security program for any organisation.
- 1 https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained
- 2 https://www.cyber.gov.au/acsc/view-all-content/guidance/system-patching
- 3 https://www.usatoday.com/story/news/politics/2020/02/10/doj-chinese-army-hacked-equifax-stole-145-million-americans-data/4711796002/
- 4 https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/
- 5 https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/
- 6 https://www.zdnet.com/article/hackers-target-unpatched-citrix-servers-to-deploy-ransomware/
- 7 https://thehackernews.com/2020/03/draytek-network-hacking.html
- 8 https://www.helpnetsecurity.com/2020/07/06/exploit-cve-2020-5902/
- 9 https://www.zdnet.com/article/this-software-flaw-is-being-used-to-break-into-networks-now-so-update-fast/
- 10 https://www.bankinfosecurity.com/chinese-hackers-exploiting-zerologon-flaw-for-cyberespionage-a-15406
- 11 https://www.zdnet.com/article/microsoft-exchange-server-hacks-doubling-every-two-hours/
- 12 https://www.cyber.gov.au/acsc/view-all-content/publications/assessing-security-vulnerabilities-and-applying-patches