Report Surfaces Root Causes of Cloud Security Issues
An analysis published today by the Unit 42 cybersecurity arm of Palo Alto Networks found that half of the critical exposures discovered in cloud computing environments every month can be traced back to 20% of the cloud services that have been recently added or updated.
Overall, the analysis found that 80% of medium, high, or critical exposures analyzed were observed on assets hosted in the cloud. More than 75% of publicly accessible software development infrastructure exposures were found in the cloud, the report found.
Matt Kraning, CTO for Cortex at Palo Alto Networks, said it’s apparent that many cybersecurity teams are overwhelmed by the pace at which cloud services are being rolled out. Previous Unit 42 reports noted that it takes an organization more than three weeks to investigate and remediate a critical exposure.
The issue is that while most organizations do well when securing their primary cloud computing environments, there are always instances of workloads running on cloud platforms that cybersecurity and IT teams are unaware of or that are simply misconfigured—that creates a potential exploit, he added. There are simply too many instances where someone within a decentralized IT organization has ignored the templates that ensure cloud security, said Kraning.
The report also suggested that the gap between when a vulnerability is exposed and exploited continues to narrow. A deeper analysis of 30 common vulnerabilities and exposures (CVEs) conducted from May 2022 to May 2023 found three of those vulnerabilities were exploited within hours of the CVE public disclosure. Nineteen of the 30 vulnerabilities were exploited within 12 weeks of the public disclosure.
Unit 42 also analyzed 15 remote code execution (RCE) vulnerabilities actively used by purveyors of ransomware attacks. Threat actors targeted three of these critical RCE vulnerabilities within hours of disclosure, while six of the vulnerabilities were exploited within eight weeks of disclosure.
In addition, the Unit 42 report found takeover of web framework exposures made up 22% of the total observed across 250 organizations. The most common exposure types were insecure versions of Apache web servers, insecure versions of PHP and insecure versions of jQuery.
Overall, the report found that out of more than 600 incident response cases tracked, 50% of targeted organizations lacked multifactor authentication (MFA) on key internet-facing systems.
Finally, the report noted that more than 85% of organizations analyzed had Remote Desktop Protocol (RDP) accessible to the internet for at least 25% of the month despite well-known vulnerabilities. Nevertheless, RDP accounted for more than 40% of the exposed remote access services. A full 85% of organizations analyzed had at least one internet-accessible RDP instance online during a 30-day window. In comparison, IT and networking infrastructure comprised 17% of exposures observed, followed by file sharing (12%) and databases (9%).
The irony of all these vulnerabilities is that, rather than people, it is systems and services that are now the weakest cybersecurity link, said Kraning. Most organizations that use a modern extended detection and response (XDR) platform are today able to protect individual employees from cyberattacks, he noted.
As always, when it comes to cybersecurity, the issue is finding a way to consistently enforce policies when it’s too easy to come up with a rationale for ignoring them.