Time to patch: Vulnerabilities exploited in under five minutes?
Once upon a time, there was the zero-day vulnerability. Then came zero-hour vulnerabilities; now the time to attack keeps shrinking, and exploitation of vulnerable systems happens in minutes, not days. When Microsoft announced a zero-day vulnerability in Exchange Server, it took only five minutes before the Hafnium hacking group began scanning for vulnerable servers.
As the timeframe to attack shrinks, what can you do to protect a device or network from zero-day cyberattacks?
To recap, a zero-day vulnerability or zero-day threat is a common phenomenon. If you look at how software and hardware are developed, it becomes clear why. Development is a process: it begins with understanding requirements, then the design of user journeys and the component architecture, then writing code, and so on. Each part of the process is open to flaws being built in because of the complexities and interdependencies of the moving parts. Rigorous testing helps but cannot completely eradicate the possibility that a flaw will slip in. Consequently, vulnerabilities are so common that a recent study from security test firm Veracode found at least one security flaw in 76% of apps.
The name zero-day refers to the fact that the vulnerability is so recently discovered that no patch yet exists to close off the gap. This is the vulnerability window. The problem is that this window is becoming smaller and much more challenging for security teams to deal with.
The patch problem of the zero-day vulnerability
Cybercriminals are a cunning lot; they go after low-hanging fruit and target popular applications. This makes total sense; you want a broad audience of potential victims to maximize success. Consequently, applications such as Microsoft 365, iOS, Android, various browsers and so on are a focus for zero-day vulnerability attacks.
Cybercriminals continuously check for vulnerabilities; once found, they create exploit kits and then use automated scanners and bots to look for vulnerable systems to target.
A recent example of this was the targeting of vulnerable Microsoft Exchange servers by the hacking group Hafnium. The attacks involved four critical common vulnerabilities and exposures (CVEs) affecting on-premises Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. Hafnium created an automated script that scanned for vulnerable Exchange servers and then used social engineering against those targets to initiate the attack.
An issue with zero-day threats is that even patching the vulnerability does not necessarily close off a threat. CVE-2021-1675 impacted the Windows Print Spooler and was quickly patched but later identified as allowing for remote code execution (RCE). Another Microsoft zero-day that affected printers was patched quickly but left printers still vulnerable.
Patching is sometimes just not enough and can even open new vulnerabilities.
And then, of course, there is the distribution of patches. Achieving timely patching across a potentially massive tech real-estate is no mean feat. Cybersecurity teams are under enormous pressure to keep ahead of the zero-day game. But this is the thing, zero-days are more than a patch problem.
Can a patch in time save nine?
Security metrics are a helpful way to measure the effectiveness of a security approach. For example, the mean time to patch a vulnerability (MTTP) is between 60 and 150 days, and security and IT teams tend to take at least 38 days to push out a patch. This leaves a wide-open window for cybercriminals to exploit a zero-day.
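As an added illustration (not code from the original article), the metric described above can be tracked against a constructed vulnerability inventory: MTTP is the mean of (deployment date minus disclosure date) over patched records, and the exposure window of each record is compared with a per-severity deadline. The CVE identifiers, dates and SLA values are placeholders chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class VulnRecord:
    cve: str                  # placeholder identifier, not a real advisory
    severity: str             # "critical", "high" or "medium"
    disclosed: date           # date the vulnerability (and its fix) became public
    patched: Optional[date]   # date the fix was deployed estate-wide; None if still open

# Constructed sample inventory (all values invented for the example).
SAMPLE = [
    VulnRecord("CVE-0000-0001", "critical", date(2021, 3, 2), date(2021, 3, 4)),
    VulnRecord("CVE-0000-0002", "high", date(2021, 1, 10), date(2021, 3, 1)),
    VulnRecord("CVE-0000-0003", "medium", date(2020, 11, 1), date(2021, 3, 27)),
    VulnRecord("CVE-0000-0004", "critical", date(2021, 4, 1), None),
]
AS_OF = date(2021, 4, 15)                               # reporting date for open items
SLA_DAYS = {"critical": 7, "high": 30, "default": 90}   # assumed patch deadlines

def days_open(rec, as_of):
    """Exposure window in days: until deployment, or until `as_of` if still unpatched."""
    return ((rec.patched or as_of) - rec.disclosed).days

def mean_time_to_patch(records):
    """MTTP in days over records that have actually been patched; None if none are."""
    closed = [r for r in records if r.patched is not None]
    return mean((r.patched - r.disclosed).days for r in closed) if closed else None

def window_report(records, as_of, sla_days):
    """Per severity: total records, how many are still open, and how many have an
    exposure window longer than the SLA (patched late, or open past the deadline)."""
    report = {}
    for r in records:
        entry = report.setdefault(r.severity, {"total": 0, "open": 0, "over_sla": 0})
        entry["total"] += 1
        if r.patched is None:
            entry["open"] += 1
        if days_open(r, as_of) > sla_days.get(r.severity, sla_days["default"]):
            entry["over_sla"] += 1
    return report

if __name__ == "__main__":
    print("MTTP (days):", mean_time_to_patch(SAMPLE))
    for sev, entry in window_report(SAMPLE, AS_OF, SLA_DAYS).items():
        print(sev, entry)
```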
But zero-day vulnerabilities also need a route in. Typically, this route is via social engineering. Social engineering vectors, such as phishing and drive-by downloads, are a gift for cybercriminals because they shorten the time to exploit. Hackers no longer need to look for open channels into a network; the open channels come in the form of a human being’s behavioral urge to click. The magic mix for a hacker is a zero-day and a human. The five-minute hack is here to stay unless we nip it in the bud.
What measures prevent a zero-day attack?
A vulnerability management policy is an essential guide to how to take on zero-day exploits. However, this is not enough in a world where a zero-day exploit can begin to take hold in minutes, not days. An effective vulnerability management policy should include specific baseline critical measures, including a patch management process.
In October 2020, Google Project Zero found seven zero-days lurking in the wild within “watering holes,” aka infected websites. These sites pointed to exploits targeting iOS, Android and Windows devices. Two of the CVEs (Google Chrome CVE-2020-15999 and Microsoft Windows CVE-2020-17087) were chained together to perform privilege escalation, allowing admin access to a system. The fundamental vector for the exploit was the socially engineered drive-by download.
Patch fatigue, CVE severity and the use of drive-by downloads and other social engineering vectors have created a perfect storm.
Software and firmware patches still need to be applied. However, measures that cover both the server and the client side must be used to augment protection. These are:
- Security awareness training to build a culture of security and teach employees about phishing and other social engineering tricks
- Web content filters that prevent employees from navigating to malicious sites
- Email filters to stop phishing emails entering an inbox
- User behavior analytics (UBA)
- DNS analytics
- Robust patch management
- Automated vulnerability scanning (of course, this won’t always capture zero-day vulnerabilities but is useful nonetheless)
With such a broad target base and cleverly composed exploit kits, any length of time to patch, even measured in minutes, will result in many opportunities to infect devices and move up the privilege chain. With the complex nature of modern IT systems, IoT devices and software with multiple dependencies, zero-days will slip in. Attackers will continue to use the human vector to initiate an exploit unless we close off this gap. Security awareness training and augmented measures such as UBA and web content filtering provide the layers needed to close the gaps left behind by software flaws.
Palo Alto Networks, Microsoft Exchange Server Attack Timeline
Veracode, State of Security
Krebs on Security, A Basic Timeline of the Exchange Mass-Hack
Security Intelligence, How Do You Measure the Success of Your Patch Management Efforts?
Google, Google Project Zero