
Miscreants started scanning for Exchange Hafnium vulns five minutes after Microsoft told world about zero-days
2021-05-19 13:02

Attackers began scanning for the vulnerabilities just five minutes after Microsoft disclosed four zero-days in Exchange Server, the flaws exploited by the Hafnium group, according to Palo Alto Networks.

Although research director Rob Rachwald did not elaborate when The Register asked for more detail on the findings, Palo Alto's published report gives a broader figure across all CVEs: "Scans began within 15 minutes after Common Vulnerabilities and Exposures announcements were released between January and March."

Around a third of the overall security issues Palo Alto noticed related to poorly configured Remote Desktop Protocol (RDP) exposures, and cloud environments accounted for 80 per cent of the "critical" vulns spotted during what the company described as scans of "the public-facing internet attack surface of some of the world's largest businesses."

The finding about the short interval between vuln disclosure and malicious scanning for exploitable deployments chimes with earlier research on the same topic: last summer a SANS researcher noticed fresh honeypots being probed for newly patched Citrix vulns, ironically while he was waiting for attackers to try known vulns in F5 Networks gear.

Last year's Netlogon vuln, CVE-2020-1472, which allowed an unauthenticated attacker to bypass logon authentication to a domain controller and gain domain admin-level privileges on vulnerable networks, was being actively exploited a month after Microsoft emitted patches amid top-grade warnings about the critical security risk the flaw posed.
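The bypass works because of a cryptographic mistake rather than a missing check: MS-NRPC's ComputeNetlogonCredential encrypts the 8-byte challenge with AES-128 in CFB8 mode using a fixed, all-zero IV. The script below is an added example written for this page, not code from The Register, Palo Alto or Microsoft; it implements CFB8 over a block cipher and shows that with a zero IV an all-zero challenge produces an all-zero credential for about one session key in 256, whatever the key. The demo session keys are constructed; real AES-128 is used when the cryptography package is installed, and otherwise a keyed SHA-256 stand-in (an assumption, not AES) is substituted, which is fine because the 1/256 effect depends only on CFB8's feedback structure. The random-IV comparison illustrates the root cause only; Microsoft's actual fix enforces signed and sealed Netlogon connections rather than changing the IV.

```python
"""Root cause of CVE-2020-1472 (Zerologon), demonstrated.

In CFB8 each output byte is (first byte of E_k(shift register)) XOR the
plaintext byte, and the ciphertext byte is shifted into the register.
With IV = 0 and an all-zero challenge the register stays all-zero whenever
E_k(0^16)[0] == 0, so all eight output bytes are zero.  That holds for
1/256 of session keys, so a client sending an all-zero client challenge
and an all-zero client credential is accepted after roughly 256 attempts.
"""
import hashlib
import os
from typing import Callable

BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)        # the fixed IV MS-NRPC uses
ZERO_CHALLENGE = bytes(8)          # attacker-chosen client challenge
BlockCipher = Callable[[bytes], bytes]


def block_cipher(key: bytes) -> BlockCipher:
    """Return a 16-byte block-encryption function for `key`.

    Real AES-128 when the `cryptography` package is installed; otherwise a
    keyed SHA-256 stand-in (assumption: NOT AES, just a fixed-width PRF).
    """
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        encryptor = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return lambda block: encryptor.update(block)   # one full block in, one out
    except ImportError:
        return lambda block: hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(enc: BlockCipher, iv: bytes, plaintext: bytes) -> bytes:
    """CFB with an 8-bit feedback segment (NIST SP 800-38A, s = 8)."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = enc(bytes(register))[0]   # MSB_8 of E_k(register)
        c = p ^ keystream_byte
        out.append(c)
        del register[0]          # shift the register left by one byte ...
        register.append(c)       # ... and feed the ciphertext byte back in
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential as specified in MS-NRPC: AES-CFB8 with IV = 0."""
    return cfb8_encrypt(block_cipher(session_key), ZERO_IV, challenge)


def deterministic_key(index: int) -> bytes:
    """Constructed stand-in for a fresh random session key (seeded by index)."""
    return hashlib.sha256(b"zerologon-demo-key" + index.to_bytes(4, "big")).digest()[:BLOCK_SIZE]


def zero_iv_structure_holds(trials: int) -> bool:
    """True if, for every tested key, the credential is all-zero exactly when E_k(0^16)[0] == 0."""
    for i in range(trials):
        key = deterministic_key(i)
        first_byte_zero = block_cipher(key)(ZERO_IV)[0] == 0
        cred_zero = compute_netlogon_credential(key, ZERO_CHALLENGE) == ZERO_CHALLENGE
        if first_byte_zero != cred_zero:
            return False
    return True


def bypass_rate(trials: int, iv: bytes = ZERO_IV) -> float:
    """Fraction of keys for which the all-zero challenge encrypts to an all-zero credential under `iv`."""
    hits = sum(
        cfb8_encrypt(block_cipher(deterministic_key(i)), iv, ZERO_CHALLENGE) == ZERO_CHALLENGE
        for i in range(trials)
    )
    return hits / trials


def first_bypassable_key(limit: int) -> int:
    """Index of the first demo key that accepts the all-zero challenge/credential pair, or -1."""
    for i in range(limit):
        if compute_netlogon_credential(deterministic_key(i), ZERO_CHALLENGE) == ZERO_CHALLENGE:
            return i
    return -1


if __name__ == "__main__":
    n = 8192
    print(f"zero IV   : all-zero credential for {bypass_rate(n):.4%} of {n} keys (expect ~1/256)")
    print(f"random IV : all-zero credential for {bypass_rate(n, os.urandom(BLOCK_SIZE)):.4%} of {n} keys")
    print("first bypassable demo key index:", first_bypassable_key(n))
```

Run it and the zero-IV line lands near 0.39 per cent while the random-IV line stays at zero: with an unpredictable IV the register never settles into the self-reproducing all-zero state, so guessing the credential is a 2^-64 event rather than a 1-in-256 one.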

Being slow to patch has consequences, as the European Banking Authority found out a week after patches for the Hafnium Exchange vulns were made available: the organisation had to pull its email servers offline after being compromised, as did the Norwegian Parliament.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/05/19/hafnium_scans_5_mins_post_disclosure/

Related Vulnerability

Date        CVE             Vulnerability title                                                      Risk
2020-08-17  CVE-2020-1472   Use of Insufficiently Random Values vulnerability in multiple products   5.5
            An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 725 810 4726 4731 3648 13915