Increasing Cyber Attacks on RDP, Cloud Databases and Third-Party Vendors

Malicious actors use many different ways to gain initial access to victims’ systems, but in 2022 cybercriminal gangs concentrated on cloud databases and the Remote Desktop Protocol (RDP), according to cyber insurance company Coalition. RDP is a very common way for initial access brokers (IABs) and ransomware groups to get into victims’ networks, and it is the protocol threat actors scan for most often. RDP scanning traffic was heavy throughout 2022: data from Coalition’s honeypots shows that RDP scans accounted for 37.67% of all observed scans. Every time a new RDP vulnerability is disclosed, scanning spikes as threat actors hurry to find targets that can be attacked.

Ransomware remains a major problem. In 2022, ransomware groups increasingly attacked cloud databases, particularly MongoDB and Elasticsearch instances. Coalition found 2,846 Elasticsearch databases and 68,423 MongoDB databases that had been attacked by ransomware in 2022.

Reports of new software vulnerabilities have grown every year for the last six years. More than 23,000 new Common Vulnerabilities and Exposures (CVEs) were published in 2022, the highest annual total so far. Coalition forecasts that the trend will continue in 2023 and expects over 1,900 new CVEs every month, a 13% increase over 2022. Of those, Coalition expects an average of 155 critical and 270 high-severity vulnerabilities each month, and it warns that companies must stay on top of patching and deal with newly disclosed vulnerabilities without delay.

With so many vulnerabilities being reported, patching is a major concern. Given the number of vulnerabilities security teams must resolve, patching is usually slow, which gives attackers more opportunities to exploit them. Prompt patching matters because most newly disclosed CVEs are exploited within 30 days of publication, and the great majority within 90 days. Exploitation can happen remarkably fast: attackers exploited CVE-2022-40684, the Fortinet authentication bypass vulnerability, just two days after it was publicly announced.

Malicious actors usually concentrate on exploiting a small set of vulnerabilities. Once they find a new vulnerability that works, they tend to reuse that proven exploit against as many businesses as they can. Although security teams aim to patch every vulnerability immediately, that is an almost impossible task given the number of reported vulnerabilities. The biggest gains come from prioritizing patching so that the most frequently exploited vulnerabilities are fixed first. The Cybersecurity and Infrastructure Security Agency (CISA) maintains its Known Exploited Vulnerabilities (KEV) catalog and publishes an annual list of the most routinely exploited vulnerabilities. Vulnerabilities on those lists should be given priority and patched first.

Effective patch prioritization is difficult because it is not always obvious which vulnerabilities will be exploited. IT teams usually evaluate vulnerabilities using the CVSS severity score and the Exploit Prediction Scoring System (EPSS), but that data is not always available when a vulnerability is first disclosed. Coalition has worked around this gap by creating the Coalition Exploit Scoring System (CESS) to rate vulnerabilities. CESS uses deep learning models that predict a vulnerability’s CVSS score from its description, the likelihood that an exploit will be developed quickly based on past exploit availability for similar CVEs, and the likelihood that the exploit will be used against Coalition policyholders, derived by recreating earlier attacks.
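As an added example (not Coalition’s CESS, Black Kite’s tooling or any CISA code), the following Python script orders a patch backlog the way the two paragraphs above suggest: anything in CISA’s KEV catalog first (ransomware-linked and overdue entries ahead of the rest), then findings whose EPSS probability clears a threshold, then CVSS band, with findings that have no score yet kept near the top for manual triage rather than dropped. Each row is also flagged when it has sat unpatched past the 30-day window Coalition cites. All CVE records, dates and scores are constructed placeholders (CVE-2022-40684 is the ID the article mentions; the CVE-EXAMPLE-* IDs are made up), the 0.1 EPSS threshold is an arbitrary assumption, and the KEV record layout assumes the field names of CISA’s public known_exploited_vulnerabilities.json feed.

```python
"""Order a patch backlog: CISA KEV first, then EPSS, then CVSS band.

Added example for this article, not vendor code. Every record, score and
date below is CONSTRUCTED sample data; the KEV layout assumes the field
names of CISA's public known_exploited_vulnerabilities.json feed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed stand-in for the KEV feed (same field names, sample values).
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2022-40684", "vendorProject": "Fortinet",
         "dateAdded": "2022-10-11", "dueDate": "2022-11-01",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleVendor",
         "dateAdded": "2022-11-29", "dueDate": "2022-12-20",
         "knownRansomwareCampaignUse": "Known"},
    ]
}


@dataclass
class Finding:
    """One scanner result: a CVE seen on an asset, with whatever scores exist."""
    cve: str
    asset: str
    published: date          # NVD publication date
    cvss: Optional[float]    # None while NVD has not scored it yet
    epss: Optional[float]    # None while FIRST has no EPSS entry yet


def kev_index(feed: dict) -> Dict[str, dict]:
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def severity_bucket(cvss: Optional[float]) -> str:
    if cvss is None:
        return "unscored"
    return ("critical" if cvss >= 9.0 else "high" if cvss >= 7.0
            else "medium" if cvss >= 4.0 else "low")


def classify(f: Finding, kev: Dict[str, dict], today: date,
             epss_threshold: float = 0.1):
    """Return (tier, reason); a lower tier means patch sooner."""
    entry = kev.get(f.cve)
    if entry is not None:  # known exploited: ahead of any score-based tier
        if entry.get("knownRansomwareCampaignUse") == "Known":
            return 0, "in CISA KEV and used by ransomware campaigns"
        if date.fromisoformat(entry["dueDate"]) < today:
            return 1, "in CISA KEV and past CISA's remediation due date"
        return 2, "in CISA KEV"
    if f.epss is not None and f.epss >= epss_threshold:
        return 3, f"EPSS {f.epss:.2f} >= {epss_threshold}"
    bucket = severity_bucket(f.cvss)
    if bucket == "unscored":  # scores lag disclosure: do not bury it
        return 4, "no CVSS or EPSS yet; triage from the description"
    if bucket == "critical":
        return 4, "CVSS critical"
    if bucket == "high":
        return 5, "CVSS high"
    return 6, f"CVSS {bucket}"


def prioritize(findings: List[Finding], feed: dict, today: date,
               epss_threshold: float = 0.1) -> List[dict]:
    kev = kev_index(feed)
    rows = []
    for f in findings:
        tier, reason = classify(f, kev, today, epss_threshold)
        age = (today - f.published).days
        rows.append({"cve": f.cve, "asset": f.asset, "tier": tier,
                     "reason": reason, "age_days": age, "epss": f.epss,
                     "cvss": f.cvss,
                     # Coalition: most exploitation lands within 30 days.
                     "past_30_day_window": age > 30})
    rows.sort(key=lambda r: (r["tier"], -(r["epss"] or 0.0),
                             -(r["cvss"] or 0.0), -r["age_days"]))
    return rows


TODAY = date(2022, 12, 1)
FINDINGS = [  # constructed scanner output
    Finding("CVE-2022-40684", "fw-edge-1", date(2022, 10, 10), 9.8, 0.97),
    Finding("CVE-EXAMPLE-0002", "app-srv-3", date(2022, 11, 20), 7.5, 0.40),
    Finding("CVE-EXAMPLE-0003", "db-2", date(2022, 11, 1), 9.9, 0.01),
    Finding("CVE-EXAMPLE-0004", "web-7", date(2022, 9, 15), 6.5, 0.35),
    Finding("CVE-EXAMPLE-0005", "vpn-gw", date(2022, 11, 28), None, None),
    Finding("CVE-EXAMPLE-0006", "print-1", date(2022, 6, 1), 5.3, 0.02),
]

if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_FEED, TODAY):
        flag = " (>30d unpatched)" if r["past_30_day_window"] else ""
        print(f'tier {r["tier"]}  {r["cve"]:17} {r["asset"]:10} {r["reason"]}{flag}')
```

To use it against real data, load CISA’s feed with json.load and pass it in place of KEV_FEED, and fill each Finding from your scanner export. Note that a CVSS 6.5 finding with a high EPSS outranks a CVSS 9.9 finding with negligible EPSS here, which is the point of the two paragraphs above: severity alone is a poor proxy for what actually gets exploited.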

With so many vulnerabilities to deal with, systems frequently remain unpatched for years, leaving large parts of the internet exposed. Those responsible for securing networks need timely, actionable data and an efficient way to decide which CVEs to respond to first. Coalition says it aims to provide that context through its CVSS and CESS scoring so that security leaders and practitioners can make informed decisions about their digital risk and respond immediately to dangerous vulnerabilities.

Healthcare Companies Most Frequently Affected by 3rd Party Data Breaches

Attacks on business associates of healthcare companies have risen to the point where they now exceed attacks on healthcare companies themselves. In addition to the rise in cyberattacks on third-party vendors, the impact and damage caused by those attacks have also increased, according to the latest report from Black Kite, a vendor risk management firm.

Black Kite’s annual Third-Party Breach Report assesses the impact of third-party cyberattacks and data breaches. The 2023 report analyzed 63 third-party breaches and the 298 companies they affected, and found that the impact of those breaches had roughly doubled: in 2021 each third-party breach affected about 2.46 companies on average, rising to about 4.73 companies per breach in 2022.

In 2022, 40% of third-party attacks that resulted in data breaches were due to unauthorized network access. Black Kite attributes the high number to remote work, which gives cybercriminals more opportunities to exploit vulnerabilities. Ransomware was involved in 27% of 2022’s third-party breaches, a slight year-over-year decrease; Black Kite attributes the decline to sanctions on Russia, which cut down Russian cybercriminals’ capability to carry out ransomware attacks. The other causes of data breaches were unsecured servers (9.5% of breaches), earrings (6.3%), phishing (3.2%), and malware (3.2%).

Another notable finding in the Black Kite report is that breach notifications to affected companies are taking longer. The average time from discovery of an attack to notification rose about 50% year-over-year, to 108 days. Late notification gives cybercriminals more time to steal and misuse data, compounding the damage. The most frequently targeted third parties were technical service vendors (30%), followed by healthcare service vendors and software vendors. Healthcare providers were the most common victims of third-party breaches (34.9% in 2022), followed by finance and government (14% each).

Global business ecosystems are becoming more complex, and every company is increasingly affected by the cybersecurity posture of its third-party vendors. A company’s attack surface is larger than what it directly controls, so it is essential to assess and continuously monitor the extended ecosystem to identify vulnerabilities and act before they cause harm.