So far, we have spoken of digital pathogens and attack surfaces and some of the nasty things that can go wrong if your networks are exposed to the world. Today let us delve into the world of vulnerable services that may affect you more than you realize.
When your systems are on the Internet, they often have services in place that allow communication to occur as part of the regular course of business. Services are a good thing indeed, and without them, there is no communication. However, services are also a prominent way for threat actors to make their way into a network. Vulnerable services not only allow entry into the intranet, but they can also allow malware to traverse your network in search of additional vulnerable services, where they can potentially do all sorts of nasty things.
Recently we became aware of vulnerable SAP Java services, which may well be on their way onto the list that CISA maintains of known, actively exploited vulnerabilities (the ones you must patch right away). It is essential to understand that a vulnerability not currently on that list may still have been exploited; it just means that CISA has not seen it happen at scale, or, if they have, that they have not updated the list yet.
While the number of affected SAP systems observed by Arctic Security is not massive, it still numbers in the thousands. In all likelihood, some of these are instances living in some very large enterprise organizations. What makes this particularly interesting is that SAP systems are frequently closely tied to financial systems, which means that exploiting one of these vulnerable systems by dropping ransomware on it may indeed be a way to quick riches for a bad actor.
Now I want to emphasize something here. Suppose such systems are vulnerable yet are not outward-facing. In that case, we must keep in mind that getting into the network by several other exposed, vulnerable attack vectors could still allow a hacker to exploit these vulnerable internal services. It is just as essential to discover and remediate issues with services on the intranet as it is on the internet.
Think of vulnerable services inside the network as comorbidity factors for digital pathogens that attack the internet-facing network. Once they get in, they can exploit any number of vulnerable services that multiply the severity of the incident. If your organization only focuses on outward-facing network connection points, you will likely have a dreadful week if a clever attacker gets in.
So to summarize, when looking at vulnerable attack surfaces, it is very important to look beyond the internet-facing machines, because the “crown jewels” are really what attackers may be after, and those live inside your seemingly protected internal network. Find and remediate all vulnerable attack surfaces, regardless of where they are located on your network.