Miscreants started scanning for Exchange Hafnium vulns five minutes after Microsoft told world about zero-days
Attackers began scanning for vulnerabilities just five minutes after Microsoft announced there were four zero-days in Exchange Server, according to Palo Alto Networks.
Although research director Rob Rachwald did not elaborate when The Register asked for more detail on its findings, the report it released reckoned: "Scans began within 15 minutes after Common Vulnerabilities and Exposures announcements were released between January and March."
Around a third of "Overall security issues" noticed by Palo Alto related to poorly configured remote desktop protocol setups, with cloud environments being responsible for 80 per cent of "Critical" vulns spotted during what the company described as scans of "The public-facing internet attack surface of some of the world's largest businesses."
The finding about the gap between vuln disclosure and malicious scans hunting for exploitable deployments chimes with previous research on the same topic: last summer a SANS researcher noticed fresh honeypots were being probed for newly patched Citrix vulns - ironically he was hoping for attackers to try to exploit known vulns in F5 Networks gear at the time.
Last year's Netlogon vuln, which allowed attackers to bypass logon authentication and gain domain admin-level privileges on vulnerable networks, was being actively exploited a month after Microsoft emitted patches amid top-grade warnings about the critical security risk that the flaw, CVE-2020-1472, posed.
Being slow to patch has consequences, as the EU Banking Authority found out a week after patches were made available for the Hafnium Exchange vulns; the organisation had to pull its email servers offline after being compromised, as did the Norwegian Parliament.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/05/19/hafnium_scans_5_mins_post_disclosure/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-08-17 | CVE-2020-1472 | Use of Insufficiently Random Values vulnerability in multiple products. An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). | 5.5 |