Digital Forensics & Incident Response Consultant at ParaFlare.
13 November, 2020
Patching is an integral component of any cyber security strategy. It provides an additional layer of defence against adversaries seeking to exploit vulnerabilities and gain access to your network. What we have seen in 2020 is the proliferation of vulnerabilities in network appliances, VPNs, and other such infrastructure that we rely on during this mass work-from-home period. Thus, patching remains a solid preventative control used to thwart attackers from carrying out their objectives.
The Australian Cyber Security Centre (ACSC) have recommended patching for many years in their Essential Eight and the Information Security Manual. Patching is the process whereby, once a vulnerability has been discovered internally or disclosed to an organisation, a fix or update is produced for the affected software to prevent that vulnerability from being exploited. This is not limited to networking appliances; patches can be made available for any of the following:
- Web browsers (Google Chrome, Mozilla Firefox, Internet Explorer)
- Application software (Microsoft Office, Adobe Acrobat, Flash, Java, VMware Workstation)
- System utilities (Anti-Virus, CCleaner, AutoIT, TeamViewer, Ansible/Puppet etc.)
- Operating system level patches for Microsoft Windows, Linux, MacOS.
For the past 2 years, ParaFlare have been contributing to Verizon's Data Breach Investigations Report (DBIR). According to the DBIR 2019 report, more than half of the incidents that were analysed involved hacking, with the third most prevalent type of hacking being 'vulnerability exploitation'. The numbers below, based on 2020 data, show the percentage of vulnerabilities that are patched within the first quarter after the manufacturer releases the patch:

| Industry | Patched within first quarter |
|---|---|
| Mining and Utilities | 81% |
It is clear from just this small sample of results that security incidents occur for two reasons: an organisation does not patch products quickly enough, or they do not patch certain devices at all. For the mining and utility industry, it should be taken into consideration that there is widespread use of legacy systems that cannot be patched; this is a separate issue, but important to note as legacy systems are repeatedly targeted as they are unsupported.
Think of your sophisticated cyber threat actor as a bank robber. The smart ones do their research first before storming a bank. They will set up reconnaissance, look for security cameras and guards, note down staff movements, and get a general lay of the land. In cyberspace, the adversary will even choose to strike once a patch has been released. They assume that organisations will be slow to patch, or will not patch at all. Adversaries research and become aware of vulnerabilities once they are disclosed, and the sophisticated ones will often start researching that vulnerability and weaponise it. The reconnaissance phase now starts, just as with a bank robbery, as they determine who is vulnerable to their new exploit, and what they will be able to achieve by targeting them for an attack.
Now that we have set the scene, let us jump into an analysis of breaches that were disclosed after a patch was released for a vulnerability. These are just a few of the case studies we can use to understand why patching still matters.
| Vulnerability | Publicly Disclosed | Patch Released | Notable Breaches |
|---|---|---|---|
| CVE-2017-5638; Apache Struts 2 | 06/10/2017 | 10/10/2017 | Chinese state military (PLA 54th Research Institute) exploited this vulnerability and remained in a large financial firm's network from May to July 2017. This led to the theft of customer PII and losses of US$1.4 billion |
| CVE-2018-7600 & CVE-2018-7602; Drupalgeddon & Drupalgeddon 2 | 28/03/2018 | 25/04/2018 | The Drupalgeddon vulnerability was used to deploy cryptocurrency miners across multiple victims globally, including local US governments |
| CVE-2019-11510; Pulse Connect Secure VPN | 28/03/2018 | 25/04/2018 | After exploiting this vulnerability, the REvil group gained access to large organisations and extorted them before deploying Sodinokibi ransomware |
| CVE-2019-19781; Citrix NetScaler | 17/12/2019 | 19/01/2020 | Following successful exploitation, adversaries deployed Sodinokibi ransomware against corporations, including automotive companies |
| CVE-2020-8515; DrayTek Vigor routers | 25/12/2019 | 06/02/2020 | Adversaries exploited this DrayTek router vulnerability before a patch was released. Unknown threat groups installed web and SSH backdoors to maintain persistence |
| CVE-2020-5902; F5 BIG-IP devices | 30/06/2020 | 30/06/2020 | Multiple corporate organisations were compromised through this vulnerability; attackers then installed cryptocurrency miners and IoT malware, and obtained admin credentials |
| CVE-2020-15505; MobileIron devices | 07/07/2020 | 15/07/2020 | Nation-state and organised crime groups are exploiting this vulnerability after the patch was released, targeting government and healthcare |
| CVE-2020-1472; Zerologon (Netlogon) | 11/08/2020 | 11/08/2020 | China's APT10 is believed to be using this vulnerability to target automotive and industrial companies, including those in Japan |
| CVE-2020-4006; VMware products | 23/11/2020 | 03/12/2020 | Russian nation-state actors are using this vulnerability to hijack authentication tokens and access sensitive data. Workarounds were provided by VMware upon disclosure, with a full patch released in December 2020 |
The motivations behind these attacks are wide-ranging and varied, yet all of them have severe consequences.
As one in three cyber security incidents involve the exploitation of vulnerabilities, it is crucial for a vulnerability management process to be well-structured and understood by all relevant stakeholders.
ParaFlare recommends the following steps in ensuring that this can be achieved by your organisation:
- First and foremost, confirm that you have identified all devices and assets. For each asset, prioritise the risk to the business, and know who the owner is, as they will be the person or team rolling out new patches. ParaFlare recommends having a Configuration Management Database (CMDB) in place that lists all hardware and software components within the network, detects new devices, and records version and patch numbers.
- Most vendors maintain a security advisory or bulletin to update customers on newly discovered vulnerabilities and patch updates. It is critical to subscribe to these advisories and initiate a response if a vulnerability is relevant to your environment. An example can be found on Cisco’s website.
- Assess each vulnerability according to their likelihood and impact if successfully exploited. Validate whether the vulnerability can be exploited in terms of how it has been implemented in your organisation.
- Deploy a vulnerability scanning solution in your environment and run the scan regularly to identify new devices and new vulnerabilities.
If a patch has been released for a vulnerability that your organisation is exposed to, the following timeframes for deploying the patch are recommended by industry best practice:
- Extreme risk: within 48 hours of a patch being released
- High risk: within two weeks of a patch being released
- Moderate or low risk: within one month of a patch being released.
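The four steps and the risk-tiered timeframes above can be tied together in a small prioritisation script. The example below is added here and is not ParaFlare's tooling: it matches a constructed CMDB extract against a constructed advisory list, assigns each exposed asset a deadline from the post's tiers (48 hours, two weeks, one month; the month is assumed to be 30 days), and flags anything already overdue. The record schemas, product names and CVE-EXAMPLE identifiers are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Patch deadlines from the post's risk tiers; "one month" is taken as 30 days
# (an assumption of this example).
DEADLINE = {"extreme": timedelta(hours=48), "high": timedelta(weeks=2),
            "moderate": timedelta(days=30), "low": timedelta(days=30)}

@dataclass(frozen=True)
class Asset:          # one CMDB record (hypothetical schema)
    name: str
    owner: str        # team responsible for rolling out the patch
    product: str
    version: tuple    # parsed version, e.g. (9, 1, 3)

@dataclass(frozen=True)
class Advisory:       # one vendor advisory entry (hypothetical schema)
    cve: str
    product: str
    fixed_in: tuple   # first version containing the fix
    risk: str         # your own assessment: extreme / high / moderate / low
    patch_released: date

def parse_version(text: str) -> tuple:
    """'9.1.3' -> (9, 1, 3); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def exposed(asset: Asset, adv: Advisory) -> bool:
    """An asset is exposed if it runs the affected product below the fixed version."""
    return asset.product == adv.product and asset.version < adv.fixed_in

def patch_plan(assets, advisories, today: date):
    """(asset, cve, owner, deadline, overdue) for each exposed asset, earliest deadline first."""
    rows = []
    for adv in advisories:
        due = adv.patch_released + DEADLINE[adv.risk]
        rows += [(a.name, adv.cve, a.owner, due, today > due)
                 for a in assets if exposed(a, adv)]
    return sorted(rows, key=lambda r: r[3])

# Constructed sample inventory and advisories; identifiers are placeholders, not real CVEs.
ASSETS = [Asset("vpn-gw-01", "network-team", "ExampleVPN", parse_version("9.1.3")),
          Asset("vpn-gw-02", "network-team", "ExampleVPN", parse_version("9.1.8")),
          Asset("web-01", "platform-team", "ExampleCMS", parse_version("7.58"))]
ADVISORIES = [Advisory("CVE-EXAMPLE-0001", "ExampleVPN", parse_version("9.1.8"), "extreme", date(2020, 11, 2)),
              Advisory("CVE-EXAMPLE-0002", "ExampleCMS", parse_version("7.59"), "high", date(2020, 11, 9))]

if __name__ == "__main__":
    for name, cve, owner, due, late in patch_plan(ASSETS, ADVISORIES, date(2020, 11, 13)):
        print(f"{name:10} {cve:18} {owner:14} due {due} {'OVERDUE' if late else ''}")
```

Run against a real CMDB export and advisory feed, the same logic gives each asset owner a dated list rather than a bare CVE count, which is what makes the timeframes above enforceable.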
Finally, it would be remiss not to mention supply chain attacks. These incidents occur when an adversary compromises the supply chain of an organisation it wants to infiltrate. We saw this happen when a Ukrainian tax filing software product called MEDoc was compromised, leading to the prolific spread of NotPetya ransomware. APT10, otherwise known as China's 'Cloud Hopper', targeted managed service providers as a means to gain access to their customers. More recently, SolarWinds, who provide IT management and monitoring software, had a software update trojanised to install a backdoor for the adversaries. Vendors involved in these types of incidents promptly release patches or workarounds after the disclosure, to prevent other organisations from falling victim to them.
Security incidents, whether they are a targeted occurrence or part of indirect campaigns such as supply chain attacks, can be mitigated via patching. Patching and overall vulnerability management still matter in the continuous battle against vulnerability exploitation. Whilst not all security incidents can be thwarted by patching, it is an important preventative measure as part of a larger security program for any organisation.