Posted on April 1, 2023 at 4:55 PM
Over 15 million public-facing services susceptible to CISA KEV vulnerabilities
More than 15 million publicly facing services are vulnerable to more than one of the 896 vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Public-facing services vulnerable to CISA KEV vulnerabilities
The high number of vulnerable services was revealed in a report by the cybersecurity company Rezilion. The firm conducted in-depth research to detect exposed systems that threat actors, in this case either state-sponsored groups or ransomware groups, could attack.
Rezilion's findings are disturbing because the flaws examined are already known and listed in the CISA KEV catalog. Threat actors have actively exploited these vulnerabilities, and every delay in patching them maintains a vast attack surface that gives attackers access to multiple targets.
Rezilion used the Shodan internet scanning service to detect endpoints vulnerable to CVEs listed in the CISA Known Exploited Vulnerabilities catalog.
Using custom search queries, the researchers detected 15 million instances vulnerable to 200 CVEs from the catalog. More than half of them, 7 million instances, are vulnerable to one of the 137 CVEs linked to Microsoft Windows, which makes that platform a priority for defenders and a target for attackers.
Nearly half of the top-ten non-Windows CVEs identified by Rezilion are over five years old, meaning that around 800,000 machines have gone without security updates for years.
The report also states that more than 4.5 million internet-facing devices were found to be vulnerable to attacks using the identified CVEs. “It is very concerning that these machines did not patch the relevant published updates for years even though a patch was released, and these vulnerabilities are known to be exploited in the wild,” the report said.
One of the reported CVEs, CVE-2021-40438, is a medium-severity information disclosure vulnerability that appeared in nearly 6.5 million Shodan results. The flaw affects Apache HTTPD server v2.4.48 and earlier versions.
Another is ProxyShell, a set of three Microsoft Exchange flaws that Iranian threat actors exploited for remote code execution in 2021. ProxyLogon, a set of four vulnerabilities that also affect Microsoft Exchange, has previously been exploited by Russian hackers to attack US infrastructure.
The Heartbleed flaw is a medium-severity vulnerability in OpenSSL that lets attackers leak sensitive information from process memory. According to Shodan, 190,446 systems are still vulnerable to it.
The CVE-2021-40438 count shows that many of the exposed results are websites and services running on Apache rather than individual devices, since multiple websites can be hosted on one server.
Rezilion's estimate of 15 million exposed endpoints is conservative. It counts only de-duplicated results and leaves out cases where the researchers could not craft queries that narrow down the product version.
Rezilion's report adds that the researchers did not rely solely on Shodan's built-in CVE searches. Instead, they created custom search queries that determine the software versions running on exposed devices.
The company noted that its analysis included identifying the vulnerable versions of each affected product and designing Shodan queries that match version indicators in the metadata visible to Shodan.
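To illustrate this approach, here is an added example written for this article (not Rezilion's own tooling): it matches Apache `Server` banners, as they appear in Shodan metadata, against the CVE-2021-40438 version range given above (2.4.48 and earlier) and counts distinct hosts so duplicate results and multi-site servers are not double-counted. The scan records are constructed sample data.

```python
import re

# Vulnerable version ranges keyed by the product name in the Server banner.
# Only the range the article gives (CVE-2021-40438: Apache httpd 2.4.48 and
# earlier) is included; other products would be added the same way.
VULNERABLE_RANGES = {
    "Apache": {"cve": "CVE-2021-40438", "max_vulnerable": (2, 4, 48)},
}

BANNER_RE = re.compile(r"^(?P<product>[A-Za-z-]+)/(?P<version>\d+(?:\.\d+)*)")

def parse_version(text):
    """Turn '2.4.48' into a comparable tuple (2, 4, 48)."""
    return tuple(int(part) for part in text.split("."))

def match_banner(server_header):
    """Return the CVE id if the Server header exposes a vulnerable version,
    or None if it is patched, an unknown product, or carries no version."""
    m = BANNER_RE.match(server_header.strip())
    if not m:
        return None  # e.g. bare 'Apache' with the version hidden by ServerTokens
    entry = VULNERABLE_RANGES.get(m.group("product"))
    if entry is None:
        return None
    if parse_version(m.group("version")) <= entry["max_vulnerable"]:
        return entry["cve"]
    return None

def count_exposed(records):
    """records: iterable of (ip, server_header). Counts distinct IPs per CVE,
    so a host that serves many sites or appears twice in the scan counts once."""
    seen = {}
    for ip, header in records:
        cve = match_banner(header)
        if cve:
            seen.setdefault(cve, set()).add(ip)
    return {cve: len(ips) for cve, ips in seen.items()}

# Constructed sample records standing in for Shodan results (not real hosts).
SAMPLE_RECORDS = [
    ("192.0.2.10", "Apache/2.4.48 (Ubuntu)"),
    ("192.0.2.10", "Apache/2.4.48 (Ubuntu)"),   # duplicate result, same host
    ("192.0.2.11", "Apache/2.4.7 (Debian)"),
    ("192.0.2.12", "Apache/2.4.54 (Unix)"),     # patched, not counted
    ("192.0.2.13", "Apache"),                   # version hidden, not counted
    ("192.0.2.14", "nginx/1.18.0"),             # product not in the table
]

if __name__ == "__main__":
    print(count_exposed(SAMPLE_RECORDS))  # {'CVE-2021-40438': 2}
```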
Attempts at exploiting these vulnerabilities
Rezilion used data acquired from GreyNoise to monitor and categorize attempts at exploiting these vulnerabilities. The most exploited flaw is CVE-2022-26134, with 1,421 results in GreyNoise and 816 exploitation attempts made in the past month.
Exploiting this flaw lets an attacker execute an Object-Graph Navigation Language (OGNL) expression on the vulnerable server. Other vulnerabilities with a high level of exploitation include CVE-2018-13379, which saw 66 exploitation attempts over the past month.
Protecting against the risks posed by these flaws requires installing the available patches. Organizations should also prioritize the critical flaws when patching, or restrict access to the affected services with a firewall where patching is not immediately possible.
According to Rezilion, flaws in Microsoft Windows, Adobe Flash Player, Google Chrome, Microsoft Office, Internet Explorer, and Win32k account for one-fourth of the CISA KEV catalog, so these products are an ideal starting point.