New Cyberthreats from Old Vulnerabilities

Posted on April 18, 2023

Cybersecurity experts spend a lot of energy and effort trying to counter the latest threats and exploits, including zero-day vulnerabilities – newly discovered software flaws that have not yet been patched.

But cybersecurity specialists and IT professionals who are responsible for cybersecurity functions in smaller organizations cannot assume that attending to the most recently identified vulnerabilities will keep their organizations safe. They must also make sure that their networks and data are secured against attacks via old vulnerabilities.

New Vulnerabilities, Old Vulnerabilities

Newly identified software vulnerabilities are a danger to everyone, because until a patch is prepared and available, everyone who uses that software is at risk. And since the window between zero-day disclosure and the point at which exploits are available in the wild is shrinking, from an average of 37 days three years ago to just 14 days today, according to Microsoft, the pressure to apply patches quickly has increased. Staying up to date on the latest vulnerabilities by subscribing to email updates from the US Cybersecurity and Infrastructure Security Agency (CISA) and monitoring its social media channels is essential.

While most professionals are very aware of the dangers posed by new vulnerabilities, a good deal less attention is focused on old vulnerabilities. Yet as a recent report makes clear, old vulnerabilities are a much greater threat. The report states that 76% of ransomware vulnerabilities being exploited were discovered before 2019, with some going all the way back to 2010.

New Ransomware Attacks and Old Vulnerabilities

Cybercriminals know that plugging every possible entry point into a company’s software is difficult – maybe impossible. This may be due to an organization’s insufficient diligence in applying patches as soon as they become available or because out-of-support legacy software remains in use, despite the fact that patches to address vulnerabilities are no longer issued. And sometimes it’s because, unknown to IT, users leverage unauthorized – and vulnerable – “shadow IT”.

Many cybersecurity professionals scan their organization’s software with tools designed to identify software vulnerabilities. While scanning is important, scanners may not reliably detect all vulnerabilities. In fact, of the 20 vulnerabilities the report identifies as ones scanners are known to miss, 18 were first discovered before 2019.

The report found that out of 264 old vulnerabilities, 208 have known exploits. 131 of these old vulnerabilities with known exploits have Remote Code Execution/Privilege Escalation capabilities, which make them especially dangerous. It is no surprise, then, that 119 of these are actively trending on the dark web as cybercriminals seek avenues into corporate IT assets.

The old vulnerabilities most associated with the latest ransomware attacks come from leading vendors such as Microsoft, Red Hat, Novell, and Gentoo. Microsoft Windows in particular has the largest number of old vulnerabilities that are associated with new ransomware attacks.

The Dangers of Opt-In

Sometimes, installing the latest software patches and updates alone is not enough. A recent attack on VoIP telecom company 3CX shows the dangers of “opt-in” security fixes, as covered in Supply Chain Attack Against 3CXDesktopApp, a new CISA alert that provides information as well as relevant links.

In the attacks, 3CX’s voice and video conferencing app was infected with a trojan, potentially enabling multi-stage cyberattacks on app users.

Cybercriminals got into the app by exploiting a ten-year-old vulnerability in Microsoft Windows, CVE-2013-3900. The vulnerability makes it possible for an attacker to modify an existing signed file to insert malicious code without invalidating the signature that would flag the file as having been modified, and therefore potentially dangerous.

Microsoft issued a fix back in 2013, but made it optional. To apply the fix, users must edit an entry in the Windows Registry. It is presumed that Microsoft chose to make the fix optional because it could potentially also invalidate legitimate signed executables, causing headaches for some customers.

While the “optional” classification may have convinced some professionals not to apply the fix, even organizations that did apply it may not be protected. Many IT and cybersecurity professionals may not realize that a fix applied on Windows 10 is erased when the organization upgrades to Windows 11, so the registry change must be re-applied. IT managers who didn’t notice that may have thought they fixed the problem by editing the registry, only to be exposed again after upgrading to Windows 11.
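Because the fix is a registry setting that can silently disappear, it is worth auditing hosts for it after every upgrade. The PowerShell script below is an added example, not code from the post or from ZTEdge; it reports whether the opt-in CVE-2013-3900 check is enabled and can optionally set it. The key path and value name (EnableCertPaddingCheck, a REG_SZ set to "1") are the ones Microsoft published for this CVE; the post above does not name them.

```powershell
# Added example: audit whether the opt-in CVE-2013-3900 (WinVerifyTrust
# certificate padding) fix is enabled on this host. Report-only by default;
# pass -Remediate to set the value. Registry locations are the ones Microsoft
# published for this CVE; they are not stated in the post above.
[CmdletBinding()]
param(
    [switch]$Remediate   # set the value instead of only reporting
)

$valueName = 'EnableCertPaddingCheck'
$expected  = '1'   # Microsoft specifies REG_SZ "1", not a DWORD

# On 64-bit Windows both views of the key matter: native callers and
# 32-bit (WOW64) callers of WinVerifyTrust each read their own copy.
$paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([System.Environment]::Is64BitOperatingSystem) {
    $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

$results = foreach ($p in $paths) {
    $current = $null
    if (Test-Path $p) {
        $current = (Get-ItemProperty -Path $p -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }
    $enabled = ($current -eq $expected)

    if (-not $enabled -and $Remediate) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name $valueName -Value $expected -PropertyType String -Force | Out-Null
        $current = $expected
        $enabled = $true
    }

    [pscustomobject]@{
        Path    = $p
        Value   = if ($null -eq $current) { '<missing>' } else { $current }
        Enabled = $enabled
        OSBuild = [System.Environment]::OSVersion.Version.Build   # useful when comparing pre/post upgrade
    }
}

$results | Format-Table -AutoSize

# Non-zero exit lets a post-upgrade compliance job flag hosts where the
# setting did not survive the in-place upgrade, as the post describes.
if ($results.Enabled -contains $false) { exit 1 } else { exit 0 }
```

Run it elevated; without administrator rights the Remediate path will fail when writing to HKLM.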

Protecting Against Vulnerabilities and Exploits, New and Old

Several steps can help organizations safeguard against the software vulnerabilities that leave them exposed to ransomware attacks.

  • Apply security patches and software updates as soon as they become available.
  • Pay attention to “opt-in” security fixes.
  • Read the small print on security updates.
  • Deploy Zero Trust web security using Remote Browser Isolation.
  • Deploy Zero Trust application access security using a clientless ZTNA approach called Web Application Isolation (WAI).

While it’s certainly critical to keep up to date on security patching and upgrades, it is also likely that some vulnerabilities will be missed. It could be a brand new zero-day exploit, or it could be an old vulnerability that was overlooked, such as what likely happened with 3CX.

WAI protects vulnerable, unpatched apps from exploits that get past other defenses, like WAFs. App surfaces are cloaked from the view of malicious actors, so vulnerabilities that may be present cannot be seen. RBI blocks exploits from being delivered via the web, emails, or downloaded files. Together, along with additional ZTEdge Security Service Edge (SSE) capabilities, they add a vital extra layer of protection for potentially vulnerable apps.

Conclusion

A comprehensive Zero Trust based approach is the best way to protect your IT assets from the latest vulnerabilities and exploits as well as from other types of cyberattacks such as phishing, brute force attacks, or social engineering. Contact us today to learn more.

About Gerry Grealish

Gerry Grealish, ZTEdge CMO, is a security industry veteran, bringing over 20 years of marketing and product experience in cybersecurity, cloud, analytics, and related technologies. Responsible for marketing and business development, Gerry previously was at Symantec, where he led the product marketing and go-to-market activities for the company’s broad Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed Cloud Access Security Broker (CASB) innovator, Perspecsys, where he was Chief Marketing Officer.