
UNIT 42 ATTACK SURFACE THREAT REPORT

Unknown assets and cloud dynamism create attack surface risks for all organizations.

Understanding these exposures helps security teams shrink their attack surface to proactively secure their organization. The following findings offer insights into these exposures accessible via the internet, gathered from extensive exposure and threat data collected over 12 months with Cortex Xpanse.

Actively find and fix your unknowns

Xpanse is an Active Attack Surface Management platform that helps organizations find and automatically fix exposures on internet-exposed systems. With Xpanse, organizations routinely uncover 30-40% more assets in their environment than they were aware of.


Misconfigured databases

Databases with weak security, susceptible to data breaches. Ex: Open MongoDB instances, unsecured MySQL servers, etc.


Insecure File Sharing Systems

File transfer systems lacking proper security, risking breaches. Ex: Unencrypted FTP, unsecured Telnet, etc.


Misconfigured IT & Security Infrastructure

Incorrectly set up networks, inviting unauthorized access. Ex: Firewall admin pages, poorly configured VPNs, etc.


Exposed Remote Access Services

Unsecured remote access points, prone to unauthorized entry. Ex: Open RDP ports, weak SSH authentication, etc.


Building Control Systems

Infrastructure management systems, potentially vulnerable to cyberattacks. Ex: Vulnerable HVAC systems, etc.


To assess the dynamic nature of modern IT environments, we studied the composition of new and existing services running on different cloud providers used by an organization over a period of six months.


CLOUD ATTACK SURFACE FLUX

Cloud dynamism is straining security controls

On average, over 20% of externally accessible cloud services change every month. Without continuous visibility, it is easy to lose track of accidental misconfigurations and the steady spread of shadow IT within an organization.

Insights

20%

of critical cloud-based IT infrastructure changes every month

45%

of new risks are introduced because of this flux every month

"Organizations should actively monitor their attack surface as it changes constantly, and without continuous visibility there will be several unknown routine exposures that attackers can exploit."
Matt Kraning, CTO, Cortex Xpanse

Unit 42 analyzed threat intelligence on 30 Common Vulnerabilities and Exposures (CVEs) to characterize how quickly adversaries were able to begin exploiting them.


ATTACKERS MOVE AT MACHINE SPEED

Attackers begin exploits within hours after a CVE is announced

Notably, three of the 30 vulnerabilities were exploited within hours of the CVE public disclosure. Nineteen of the 30 vulnerabilities were exploited within 12 weeks of the public disclosure, highlighting the risks associated with incomplete and inconsistent patching programs.

Insights

3/30

CVE-related exposures were targeted within a week of publication

19/30

CVE-related exposures were targeted within 12 weeks

"It is important to acknowledge that while a CVE may fade from the public, it still remains relevant to potential threat actors. Therefore, organizations must continuously find and fix their exposures to shrink their attack surface."
Greg Heon, Sr. Director of Product, Cortex Xpanse

Unit 42 analyzed 15 remote code execution (RCE) vulnerabilities actively used by ransomware operators. These CVEs were selected based on intelligence information about the threat actor group and their active exploitation within 12 months of publication.


RANSOMWARE DELIVERY

Same-day ransomware delivery

Threat actors targeted three of these critical RCE vulnerabilities within hours of disclosure, and six of the vulnerabilities were exploited within eight weeks of publication.

Insights

3/15

CVE-related exposures were targeted within hours of the CVE being published

6/15

CVE-related exposures were used by these threat actors within eight weeks of the CVE being published

"Defenders should rely on automated remediation capabilities to find and fix their critical attack surface exposures before attackers find them."
Marshall Kuypers, Director of Technical Enablement, Cortex Xpanse

The 2022 Unit 42 Incident Response Report reveals that brute-force credential attacks contributed to 20% of successful ransomware attacks. Recent advisories from the U.S. government's CISA and NSA confirm that cybercriminals persistently target RDP as a highly vulnerable attack vector.


RANSOMWARE DELIVERY PROTOCOL

Remote access exposures lead to ransomware

85% of organizations analyzed in this report had at least one internet-accessible RDP instance online during the month. Across over 600 incident response cases, the 2022 Unit 42 Incident Response Report found that 50% of targeted organizations lacked multifactor authentication (MFA) on key internet-facing systems.

Insights

85%

of organizations analyzed in this report had at least one internet-accessible RDP instance online during the month.

"RDP is easy to brute force. Organizations should identify and eliminate RDP exposures in their environment. If required, RDP should not be used without MFA enabled and other compensating controls in place."
Ross Worden, Senior Consulting Director, Unit 42

Organizations across the world experience several routine misconfigurations and accidents that offer easy paths for compromising an organization over the internet.


TOP ATTACK SURFACE EXPOSURES

Routine exposures offer easy access

Web framework takeover exposures, remote access service exposure, and IT and security infrastructure exposures together make up over 60% of all the exposures on the global attack surface. Organizations need to deal with these on a daily basis and eliminate them to better control and shrink their attack surface.

Insights

23%

of all exposures are web framework takeover exposures that allow attackers to actively seek out and target websites running vulnerable software.

20%

of all exposures are remote access services that are vulnerable to brute-force attacks.

"Exposed IT and security infrastructure poses a tremendous risk to the organization. Attackers will focus on these systems to gain entry into your organization as well as compromise or disable your security measures. Continuous visibility and automation can help you eliminate these exposures."
Dominique Kilman, Consulting Director, Unit 42

2023 Unit 42 Attack Surface Threat Report

Learn how the attack surface exposures are unique and persistent across different industries around the globe. Download the latest ASM report.
