Hackers scan for CVEs in 15 minutes (or your pizza is free)
Car parking lots notoriously attract thieves. With plenty of cars lined up next to each other, all a thief has to do is scan the vehicles as he walks up and down the rows, looking for an open window, a door left ajar, or expensive items left out in plain view. It’s almost too easy, and there’s all but a 100% guarantee that one car will hold valuable treasures.
Threat actors operate in much the same way. Take phishing attacks, for example. There’s no shortage of employees and, like a window accidentally left open, one employee is bound to mistakenly click on a phishing email, inviting the hacker into the company’s infrastructure in one way or another.
Social engineering attacks are the most common: 98% of attacks use social engineering, and the average company faces over 700 of these attacks each year. But that’s just the tip of the hacking iceberg. Hackers have so many tactics for starting a hack. They can use viruses, bait and switch attacks, Denial of Service (DoS) attacks, key logger software, and stolen cookies, to name a few.
One of the least talked about but potentially most dangerous ways for a bad actor to begin a hack is to scan for vulnerabilities. Once a new vulnerability is publicly announced, they can scan for and find affected systems in about 15 mins – way less time than it takes to get your UberEats delivery!
How hackers scan for vulnerabilities
Like the car vandal, hackers start with some reconnaissance to find vulnerabilities across a company’s IT environment. They can use a vulnerability scanner to do the work for them, quickly finding an entry point, mapping systems and firewalls, and even detecting listening ports, all while using evasion techniques to hide from intrusion detection systems.
A skilled hacker can execute a scan and deploy an attack independently. However, today’s vulnerability scanners are so easy to use that an amateur hacker can launch a scan and sell the information to a more skilled threat actor or partner with them to gain access and launch an attack later on.
Here’s the kicker: hackers can scan on a regular basis, just searching for an unpatched system, or they can wait until the security community clearly points them out, listing them as Common Vulnerabilities and Exposures (CVEs). Of course, CVEs are publicly disclosed to alert system admins to issues so they can be patched immediately. Still, the unintended result is that hackers also see the announcement, allowing them to exploit the vulnerability well before IT teams have a chance to patch it.
How vulnerabilities are disclosed and how CVEs are announced
Funded by the Cybersecurity and Infrastructure Security Agency (CISA), The MITRE Corporation oversees the CVE program. Every publicly announced CVE is assigned a CVE ID to keep vulnerabilities organized and recognizable.
When you, a company, or other open-source community members identify a vulnerability, defined as “code that can be exploited, resulting in a negative impact to confidentiality, integrity, OR availability, and that requires a coding change, specification change, or specification deprecation to mitigate or address,” a specific process should be followed.
Here’s a quick overview of the process:
- First, check the CVE list to see if it already has a CVE ID.
- If it’s a newly discovered vulnerability, contact the product vendor directly to see if a patch is available and can be tested. If the vendor is unresponsive, contact a third-party coordinator like CERT/CC or, in extreme cases, announce the issue on a public forum like Bugtraq to see if others can validate your claim.
- Next, the vulnerability will be assigned a CVE ID by a participating CVE Numbering Authority (CNA) or CERT/CC. Otherwise, you can complete a CVE Request form from the MITRE CNA of Last Resort (CNA-LR) by providing the required information. After the vulnerability is confirmed, the CVE team will assign an ID.
- Share the CVE ID with any affected vendors and prepare a vulnerability announcement with the CVE ID (written as CVE-YYYY-NNNN). In the case of multiple CVEs, note which ID is related to which vulnerability.
- Finally, contact the MITRE CNA-LR, sharing the links to your public announcement and a description of the vulnerability.
We said it above but we’ll say it again: research shows that within 15 minutes of a public announcement, hackers are already scanning for that vulnerability!
Hackers won’t ever stop
Hacking is incredibly lucrative. In 2021, the global cost of cybercrime was more than $6 trillion, and by 2025 it will cost the world $10.5 trillion. Criminals are hard to catch and prosecute, making it all the more attractive for those with some skills and no moral code.
Each year, and sometimes every few months, threat actors find new ways to terrorize businesses, exploit vulnerabilities, and generally wreak havoc. They can and will continue on that path simply because it’s usually very easy for them. While they only need to find one weakness, security professionals are busy finding numerous ones across their attack surfaces and prioritizing which should be fixed in a never-ending loop.
However, the story is less grim for system admins who run a tight ship and stay on top of their security 24/7. They can take proactive steps, employ the right tools and continually scan their infrastructure to catch any intrusions before damage can be done. Although that takes vigilance and time, maintaining a secure posture is the only way to stand a chance against ever-evolving threats.
The give and take of maintaining security
Consider the “Prisoner’s Dilemma,” a game-theory scenario that hypothesizes outcomes based on whether two criminals cooperate or work against each other. It postulates that if the two work as a team, they get the most favorable result, whereas if they turn on each other or one turns on the other, the outcome is worse.
When applied to ransomware attacks, the theory asks whether companies that are victims should virtuously report the incident so that others can benefit, or keep it to themselves out of self-interest.
Too often, public companies don’t report cyber incidents because it doesn’t serve their own interest and could result in repercussions such as reputation damage or lost revenue. However, the company is hurting itself, other companies, and the security community at large. The fallout and frequency of non-reporting are reflected in cyber insurance policies. Insurers are now requiring policyholders not only to disclose attacks but also to partner with security operations centers (SOCs) to ensure 24/7 monitoring and demonstrate proactive approaches to security.
While the pace at which hackers evolve their tactics is enough to make anyone’s head spin, take comfort in the fact that experts are dealing with these issues regularly and constantly watching and tracking behavior patterns to identify new attack methods early on.