This article is more than 1 year old

Miscreants started scanning for Exchange Hafnium vulns five minutes after Microsoft told world about zero-days

Being slow to patch just means you'll get pwned faster

Attackers began scanning for vulnerabilities just five minutes after Microsoft announced there were four zero-days in Exchange Server, according to Palo Alto Networks.

Malicious people seeking to exploit flaws in general were doing so within a quarter of an hour of details being released, the company's Cortex Xpanse research team said today.

Although research director Rob Rachwald did not elaborate when The Register asked for more detail on its findings, a released report reckoned "scans began within 15 minutes after Common Vulnerabilities and Exposures (CVE) announcements were released between January and March."

"Computing has become so inexpensive that a would-be attacker need only spend about $10 to rent cloud computing power to do an imprecise scan of the entire internet for vulnerable systems," said Palo Alto's latest attack surface threat report. Such technology can be used for good as well as bad; search engines such as Shodan and GrayHatWarfare are built on it.

Around a third of "overall security issues" noticed by Palo Alto related to poorly configured remote desktop protocol (RDP) setups, with cloud environments being responsible for 80 per cent of "critical" vulns spotted during what the company described as scans of "the public-facing internet attack surface of some of the world's largest businesses."

The finding about time-of-flight between vuln disclosure and malicious scan hunting for exploitable deployments chimes with previous research on the same topic: last summer a SANS researcher noticed fresh honeypots were being probed for newly patched Citrix vulns – ironically he was hoping for attackers to try to exploit known vulns in F5 Networks gear at the time.

Inexplicably, some organisations drag their feet when it comes to patching even critical flaws. Last year's Netlogon vuln, which allowed attackers to bypass logon authentication and gain domain admin-level privileges on vulnerable networks, was being actively exploited a month after Microsoft emitted patches amid top-grade warnings about the critical security risk that the flaw, CVE-2020-1472, posed.

Being slow to patch has consequences, as the EU Banking Authority found out a week after patches were made available for the Hafnium Exchange vulns; the organisation had to pull its email servers offline after being compromised, as did the Norwegian Parliament. ®

More about


Send us news

Other stories you might like