Weak Creds, Unpatched Flaws, Reliance on Tools Plagued Orgs in 2022

Organizations often either have weak credential policies or don’t enforce them, making it easy for attackers to use legitimate credentials to log in—or live off the land—rather than using topflight tools to hack their way into systems.

That’s just one of three major themes that emerged in 2022, according to the Year in Review 2022: Through the Eyes of the Attacker report by Horizon3.ai. Not surprisingly, “patchy” patching and misconfigurations largely go unfixed. “Many organizations found exploitable vulnerabilities that are several years old and have relatively easy fixes in the form of vendor-provided patches, including from CISA’s Top 15 Routinely Exploited Vulnerabilities list and Known Exploited Vulnerabilities catalog,” the report said, noting that “NodeZero exploited the Remote Desktop Services RCE Vulnerability (CVE-2019-0708) ‘BlueKeep’ 552 times this past year, and EternalBlue (CVE-2017-0144) 565 times.”

Additionally, “critical VMware vulnerabilities were exploited 365 times, and misconfigurations and vulnerabilities were also common in popular DevOps tools and resources such as Jenkins (58 instances), GitLab (41 instances), Docker (50 instances) and Kubernetes (54 instances),” Horizon3.ai researchers found.

Rounding out last year’s themes, it turned out that tools alone did not protect against security woes. Tools need oversight and some fine-tuning along the way. Many who participated in the research believed that their EDR solutions should have stopped incidents, but watched in dismay as they failed during pentests. “Many companies could not detect an unauthorized host such as NodeZero in their environment and prevent it from dumping a SAM database full of credentials,” the report noted. “Often, it was not the tool itself that failed, but rather a failure to properly configure the tool that resulted in the exposure of assets.” NodeZero, for example, the report said, used Windows MITM attacks (NTLM Relay) 1,450 times and captured 138,662 credentials.

“The findings in this report are, unfortunately, not unexpected. The first point, especially—that many attacks stemmed from some kind of credential compromise—is exactly what we expect,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “In fact, none of the three themes they highlighted are a surprise.”

In line with the report, “the misconfiguration of EDR solutions is a highly prevalent issue among enterprises and thus, often leads to EDR solutions being unable to detect cybersecurity threats which enables attackers to further penetrate into an organization’s infrastructure,” said Menachem Shafran, vice president of product at XM Cyber.

“EDR solutions are not bulletproof, are often misconfigured and are not deployed across the entire environment—our analysis showed that over a third of organizations have deployed an EDR solution to less than half of their assets—or they’re inactive even when deployed,” said Shafran. “This research should act as a wake-up call to organizations to better understand, find and fix easily exploitable threats in their environment.”

Horizon3.ai researchers identified the top 10 vulnerabilities and weaknesses from 2022, all of which resulted from the three weaknesses that emerged last year:

  1. Weak or reused credentials
  2. Weak or default credential checks in protocols (SSH, FTP, Web, etc.)
  3. Credential dumping from Windows or Linux hosts
  4. Exploitation of critical CISA vulnerabilities
  5. Exploitation of critical VMware vulnerabilities
  6. Misconfigurations and vulnerabilities in DevOps tools (Jenkins, GitLab, Kubernetes, Docker)
  7. Misconfigurations and vulnerabilities in routers, iLOs, and iDRACs
  8. Windows man-in-the-middle attacks (NTLM relay)
  9. Windows Active Directory elevation of privilege escalation vectors (Kerberoasting)
  10. Zero-day or N-day vulnerabilities (Log4Shell, Fortinet, etc.)

Noting that the vulnerabilities repeat year after year, although the order may change, Parkin said, “While this is a good presentation of the current state of affairs and how some details have changed, the reality is these are all issues we’ve been dealing with as security professionals for years.”

The findings “underscore why it’s so crucial to regularly pentest all internal and externally exposed assets and points of entry,” said Snehal Antani, CEO and co-founder of Horizon3.ai. “Many of the vulnerabilities and weaknesses that companies believe they’ve already addressed are, in fact, welcoming entry points for threat actors. Every organization should regularly ask themselves what their threat environment looks like, whether their security tools are appropriately configured and effective and most importantly–whether their assets and environments are secure.”

Shafran noted that in “these times of economic uncertainty, as security teams grapple with reduced budgets, it is important that organizations evaluate key gaps in their infrastructure that pose the biggest risks first and work to remediate those immediately. This includes areas where privileged credentials may be exposed or the misconfiguration of key systems.”

Teri Robinson
