In Kaspersky’s latest Digital Footprint Intelligence (DFI) report, it was found that cyberattackers have been increasing its exploitation of vulnerabilities. According to the cybersecurity solutions firm, complicated business processes are forced to leave services on the perimeter, which in turn increases the external attack surface.
Kaspersky’s DFI report covered the external threats for a selection of countries from the Asia Pacific (APAC) region in 2021, including the six key countries in Southeast Asia (SEA). It aims to create awareness about security threats and demonstrate effective approaches to risk mitigation for widespread attacks with high business impact.
Analysis revealed that in 2021, almost every fifth of the vulnerable services contained more than one vulnerability, increasing the chances of an attacker performing a successful attack. All industry sectors, analyzed in the report, in all countries have issues with application of security updates for publicly available services. Government institutions (major personally identifiable information (PII) processors and providers of critical services for citizens) are potential incident-generators by a huge margin.
With the help of public sources and specialized search engines, Kaspersky collected information on 390,497 services available from public networks and analyzed them for key security issues and vulnerabilities.
In terms of the share of vulnerabilities with publicly available exploits, 3 countries out of Top 5 are located in Southeast Asia (SEA) – these are Malaysia, Vietnam, and Philippines. Singapore has a low number of vulnerabilities and an outstanding low ratio between the number of services and the sum of vulnerabilities in them, while Vietnam, Indonesia, Thailand and Malaysia have the highest ratio among SEA countries
Kaspersky experts observed a number of commonly used vulnerabilities dubbed ProxyShell and ProxyLogon. Exploits for these vulnerabilities are easily available on the Internet, therefore, they can be easily exploited by even a low-skilled attacker.
While ProxyShell is quite common in China and in Vietnam, the countries most affected by ProxyLogon are:
In Government bodies – Thailand
In Financial – China
In Healthcare – Philippines
In Industrial – Indonesia
The best defense against these vulnerabilities is to keep public-faced systems updated with the latest patches and product versions. Companies should also avoid direct access to Exchange Server from the Internet. Kaspersky products protect against vulnerabilities from both groups – ProxyShell and Proxy-logon.
Brute force attacks
A great share of attackers’ initial accesses leading to cybersecurity incidents are related to services with remote access or management features. One of the best-known examples is RDP (Remote Desktop Protocol), a Microsoft’s proprietary protocol that enables a user to connect to another computer through a network of computers running Windows.
RDP is widely used by both system administrators and not-so-technical users to control servers and other PCs remotely but this tool is also what intruders exploit to penetrate the target computer that usually houses important corporate resources.
Government institutions are serving more than 40% of the attack surface for brute force attacks and credential leaks reuse.
To protect businesses from such threats, Kaspersky experts also recommends to:
- Regulate every major change to the network perimeter hosts, including services or applications launching, exposing new APIs, software installation and updating, network devices configuration and so on. All changes should be reviewed from the perspective of security impact.
- Develop and implement reliable procedures for identifying, installing, and verifying patches for products and systems.
- Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Backup data regularly. Make sure you can quickly access it in an emergency.
- Use solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and – Response service, which help to identify and stop the attack in the early stages, before the attackers achieve their goals.
- Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business (KESB) that is powered by exploit prevention, behavior detection, and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.