Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
Overwhelming Number of Vulnerabilities with a CVSS score above 9 Makes Patching Prioritization Frustrating
By Dave Klein, Director and Cyber Evangelist, Cymulate
A New Methodology Is Needed to Reduce Risk & Cost Between Patching Cycles
Banner Year for Vulnerabilities
This year was a banner year for enterprise vulnerabilities.
Between bug bounty findings, the industry's improved policing of itself
and of others, and the heightened concern over third-party risk, vulnerabilities
were discovered at a higher rate than ever seen before. Looking at the MITRE
CVE list, the number of registered CVEs in 2011 was 4,816. In 2021,
it reached 29,482, roughly six times as many. Add to that the still-active
CVEs from previous years, and the total number of active CVEs listed in CVE
Details by the end of 2021 reached a staggering 167,039
vulnerabilities.
With so many discovered this year, one would
expect most to be low-quality findings that fall short of remote code execution (RCE).
Yet, to our shock and dismay, an alarmingly high number of active
CVEs are RCE-capable and pose real threats to enterprises. The CVE Details records
currently show 19,061 active vulnerabilities with a CVSS
score above 9.
Increased Speed from Vulnerability to Exploit, and Some Patching Is Not Complete
To make matters worse, this year we found that even when a
vulnerability was announced before any exploit was available, exploits would
rapidly surface. The speed at which attackers, from lone hackers through
multi-tiered, affiliate-boosted cyber-criminal operations to
nation-state professionals, graduated from proof-of-concept exploits to active
ones was lightning fast.
In 2022, we expect the quantity
and severity of emerging exploits to continue to increase and the time window
between vulnerability publication and exploit availability to shrink. This has
serious ramifications for enterprises already struggling to keep up.
Disruptive, time-consuming, and arduous patching cycles have always been
troublesome, and the periods in between are increasingly fraught with risk.
Far too often, this has led to disruptive "clear the deck" emergency
patching cycles that interrupt IT and business processes. Furthermore, in cases
of severe CVEs, the initial patches are only a stop-gap measure, and additional
patching is required.
Cost of Patching
Patching, whether during pre-set
maintenance windows or during disruptive all-hands-on-deck emergency patching,
is resource-intensive and costly. In fact, a new study by Ivanti revealed that 71%
of IT and security professionals find patching
overly complex and time-consuming.
2021 Examples
- A notable example
this year affected those who still run on-premises Microsoft Exchange Servers.
On March 2nd, Microsoft announced four critical vulnerabilities (CVE-2021-26855,
CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), already being exploited
in the wild by a Chinese nation-state actor, APT 40, also known as HAFNIUM. As
organizations burned emergency patching windows to address them, within a week and a half
these vulnerabilities were incorporated into common ransomware and other
attacks.
- Another fitting
example was a critical vulnerability in MSHTML, the web content rendering
engine that Microsoft Office applications use. In this case, CVE-2021-40444
allowed a malicious ActiveX control embedded in an Office document to achieve
remote code execution. Disclosed on September 7th, 2021, it was exploited in
less than 72 hours by multiple threat actors. What made matters worse was that,
while the patch handled some aspects of the MSHTML flaw, by December 21st
attackers had found additional ways to launch their attacks against patched versions of MSHTML, requiring
defenders to patch again.
- Log4j is this year's
best example of patching issues. Beyond the silly memes, it is a severe issue.
With the world running on apps, and apps today firmly rooted in web services,
the effects of this vulnerability spread everywhere at lightning speed. The
patching provided was piecemeal and inefficient. The first patch, upgrading to version
2.15.0, did not close every issue. This led to additional
releases, 2.16.0, 2.17.0 and, as the year closes, 2.17.1.
A NEW Example: Invoke-noPac - Critical Active Directory Server Vulnerabilities
In this blog, we will introduce another critical
vulnerability, one that is only a week old and currently hides in the shadow
of Log4j, but is just as widespread and arguably more deadly. It starts with
two severe vulnerabilities, CVE-2021-42287 and CVE-2021-42278, found in every Windows Server
release, that, when exploited together in a sAMAccountName spoofing and
escalation attack, allow un-elevated users within a domain to obtain
Active Directory Domain Administrator rights.
What makes this especially scary is that we are tracking
multiple proof-of-concept exploits on this across GitHub and various hacking
blog sites. We have even seen a YouTube video demonstrating a successful proof
of concept exploit.
How is the exploit carried out?
It is frightfully easy.
1. A regular, un-elevated user on the domain
simply sends a Kerberos ticket request to a vulnerable domain
controller. The vulnerable domain controller replies with a
standard Kerberos ticket.
2. The user then forges a request that impersonates a domain admin
and asks for a second Kerberos service ticket under that identity.
The two vulnerabilities together are the key: the first (CVE-2021-42278) means the
domain controller does not properly verify the account name, and the second
(CVE-2021-42287) allows the escalation of privileges. The vulnerable domain
controller then simply issues the second Kerberos service ticket with admin rights.
3. Now that user has full control of the
Active Directory domain and can do any number of things.
Some have called the PoC exploits the "weaponization of
CVE-2021-42287 & CVE-2021-42278", and others have given it the name
"Invoke-noPac Active Directory Attack", after the way the user requests the
Kerberos service tickets. Regardless, the number of active PoC exploits
observed has been around twenty. It is only a matter of time before this is
weaponized by criminal and nation-state hackers alike.
2022: Doing the Impossible - Decrease Risk While Patching Less
If 2021 has taught us anything, it is that we must become smarter between
patching cycles by doing everything we can to use first- and third-party
security controls to compensate for vulnerabilities, reducing risk and,
paradoxically, patching less. In doing this, we can ensure lower risk and
lower expense.
Looking at our Invoke-noPac example, CVE-2021-42287 and
CVE-2021-42278, effective patches were already released on Tuesday, November
9th. Several things can be done to reduce the emergency patching burden and hold
off until a periodic maintenance window. Third-party controls can be used to
segment access to Active Directory, and behavior-based
anti-malware can be run on the domain controllers. Additionally, organizations can apply
first-party controls by removing un-elevated users' ability to register systems
in the domain, changing the default Active Directory configuration (the
ms-DS-MachineAccountQuota attribute, which by default lets any authenticated
user add ten machine accounts to the domain).
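The detection and the first-party control described above, as an added example that is not code from this post, from Cymulate's purple team test, or from Microsoft. It assumes the RSAT ActiveDirectory module, domain controllers in the default "Domain Controllers" OU, and rights on the domain for the live parts; the three sample computer accounts are constructed. The detection rests on the publicly documented shape of the sAMAccountName spoofing step, a computer account renamed to match a domain controller's name without the trailing "$", and on Security event 4781 (account name changed), whose EventData field names are taken from the event XML:

```powershell
# Added example (not Cymulate's test and not Microsoft's code). Assumes the
# RSAT ActiveDirectory module, DCs in the default "Domain Controllers" OU and
# Domain Admin rights for the live checks; the sample data is constructed.

# --- Detection: machine accounts positioned for sAMAccountName spoofing ---
# The documented precondition for the attack is a computer account whose
# sAMAccountName has been renamed to a domain controller's name minus the
# trailing "$". Flag any account that fits that shape.
function Find-SpoofedComputerAccounts {
    param(
        [Parameter(Mandatory)] [object[]] $Computers,   # SamAccountName, DistinguishedName
        [Parameter(Mandatory)] [string[]] $DcHostNames  # e.g. 'DC01' (no "$")
    )
    foreach ($c in $Computers) {
        $sam     = [string]$c.SamAccountName
        $reasons = @()
        if ($sam -notmatch '\$$') { $reasons += 'no trailing $' }
        if (($DcHostNames -contains $sam.TrimEnd('$')) -and
            ($c.DistinguishedName -notmatch 'OU=Domain Controllers,')) {
            $reasons += 'name collides with a domain controller'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName    = $sam
                DistinguishedName = $c.DistinguishedName
                Reason            = ($reasons -join '; ')
            }
        }
    }
}

# --- Detection: account renames in the Security log ---
# Event ID 4781 ("The name of an account was changed") records the rename
# itself. A computer account ("$") renamed to a name without "$" is the tell.
function Get-SuspiciousAccountRenames {
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4781; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x    = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['OldTargetUserName'] -match '\$$' -and $data['NewTargetUserName'] -notmatch '\$$') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = $data['SubjectUserName']
                OldName = $data['OldTargetUserName']
                NewName = $data['NewTargetUserName']
            }
        }
    }
}

# --- Mitigation: stop un-elevated users from registering machines ---
# Default quota is 10; setting it to 0 removes the attack's entry point for
# users who hold no explicit create-computer rights.
function Set-MachineAccountQuota {
    param([int] $Quota = 0)
    $domain = Get-ADDomain
    $before = (Get-ADObject -Identity $domain.DistinguishedName `
               -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    Set-ADDomain -Identity $domain.DNSRoot -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
    "ms-DS-MachineAccountQuota: $before -> $Quota"
}

# Constructed sample: one healthy workstation, one real DC, and one account
# renamed the way the attack requires. Only the third should be flagged.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'WKSTN01$'; DistinguishedName = 'CN=WKSTN01,CN=Computers,DC=corp,DC=example' }
    [pscustomobject]@{ SamAccountName = 'DC01$';    DistinguishedName = 'CN=DC01,OU=Domain Controllers,DC=corp,DC=example' }
    [pscustomobject]@{ SamAccountName = 'DC01';     DistinguishedName = 'CN=newpc,CN=Computers,DC=corp,DC=example' }
)
Find-SpoofedComputerAccounts -Computers $sample -DcHostNames @('DC01') | Format-Table -AutoSize

# Live use (requires the ActiveDirectory module and rights on the domain):
#   $dcs = (Get-ADDomainController -Filter *).Name
#   Find-SpoofedComputerAccounts -Computers (Get-ADComputer -Filter *) -DcHostNames $dcs
#   Get-SuspiciousAccountRenames -Hours 72
#   Set-MachineAccountQuota -Quota 0
```

Run the detection functions on a schedule from a monitoring host rather than on the domain controllers themselves, and treat a hit from either as a reason to pull the domain controllers' November patches forward rather than waiting for the next maintenance window; the quota change is a defense-in-depth measure, not a substitute for the patch, since accounts with explicit create-computer rights can still add machines.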
At Cymulate, we created a purple team test that discovers
and exploits (safely for your production environment) these two
vulnerabilities, and subsequently removes any elevations so that Active
Directory is left untouched.
Summary
We can expect the onslaught of
high-severity vulnerabilities seen in 2021 to continue unabated in 2022. The
difference will be in our ability to incorporate first-party and third-party
controls to mitigate risk quickly and easily, and to reduce the number of patching
windows to a minimum. By doing so, we can better secure our enterprises and
do so at lower cost.
ABOUT THE AUTHOR
Dave Klein is a Director and Cyber Evangelist for Cymulate.
You can follow him on Twitter at @cybercaffeinate.