November 2, 2016

Protecting the Perimeter: Old Attacks Work Just as Well as New Ones

When we think about external threats to information security, often our first thoughts are of hacker attacks on the network perimeter—say, advanced persistent threats (APTs) targeting large companies and governments. One example is the compromise of the Equation Group with publication of some of the group's tools for breaching the network perimeter. But as it turns out, many of the exploits have been known for a long time, although the “cherry on the cake” was a zero-day vulnerability for SNMP services (with SNMP standing for “Security Not My Problem”). While we do not have a full list of the compromised exploits, we can start with the other end of the equation by evaluating the state of protection of corporate perimeters with the help of real-world vulnerability statistics.

One such study was presented at PHDays VI as part of Positive Research 2016. The sample spanned approximately 10,000 accessible addresses and 15,000 vulnerabilities over a two-year period (2014–2015). Note that these numbers include ONLY network perimeters with above-average security. Only companies with asset inventory and vulnerability management processes (which, in turn, enable collecting statistics) were included.

Let's start with the “sexiest” morsel from the published exploit pack: the SNMP 0-Day. Is this something to be worried about? Our study shows that the answer is “yes”. A few reasons:

  • Our analysis based on honeypot systems shows that SNMP services are very popular with would-be intruders. Many hackers are well aware of the availability of these services, and those who don't know yet need only Shodan to find out.
  • SNMP services are numerous and accessible on most modern network infrastructures. We have written previously how exploitation of SNMP vulnerabilities allows intruders to gain a foothold on the internal networks of telecom operators.
  • Many SNMP services are running on obsolete software. Our research showed that in the category of DNS/NTP/SNMP services, the vulnerability rate reaches one in ten:


Based on these statistics, we clearly see that the SNMP exploit is very dangerous and can be used to breach the network perimeter of many companies and organizations.

But there remains another interesting question. Why would the toolkit of the Equation Group, which has been described as a “full-fledged nation-state cyber-arsenal,” contain so many exploits for old vulnerabilities for which patches were issued over five years ago? If this hacker group is so amazing, shouldn't they be using new, unknown vulnerabilities?

The answer is paradoxically simple once we restate the question. Why should hacker groups waste their precious time on finding zero-days if many Internet-accessible systems have not been updated for years?

Our study showed that three quarters of all the vulnerabilities found were over one year old; 30% were over five years old. Almost one in ten vulnerabilities were fixed a whopping ten years ago! During the time period of our research, vulnerabilities were found on 37% of systems.


A successful attack does not require using the latest-and-greatest vulnerabilities. Old ones will do the job just as well and are cheaper too. And importantly, potentially drawing attention to an old vulnerability is a much easier choice for an attacker than risking a precious zero-day.

But so far we have been looking only at exploits in non-public packs. What about exploits for old vulnerabilities available publicly, such as from MSF? To answer this question, we selected vulnerabilities with a CVSS rating of “High” that were present at the beginning of the research period on the test systems. We then cross-referenced them with known exploit packs.


The data shows that the tested perimeters are vulnerable to publicly available exploits. However, this sample contains a very small number of vulnerabilities. Does this actually mean that there are not many of them? As mentioned above, the breakdown of vulnerabilities in the previous figure reflects only the start of the study period, even though perimeter security is constantly in flux. The following charts show the change in security level over two years:


To summarize: breaching network perimeters with above-average security does not require non-public exploits, much less secret zero-days by APT groups. Standard tools and basic knowledge are more than enough in many cases.

How to stay protected

Based on our findings, we propose several main points for increasing the overall level of protection of the network perimeter:
  1. Constant monitoring of the network perimeter, resulting in timely awareness of the services that are on the perimeter and Internet-accessible.
  2. Automated search for vulnerabilities in perimeter services, resulting in identification and eventual elimination of vulnerabilities.
  3. Removal of services from the perimeter when there is no compelling need for them. These services may include NTP, SNMP, database management, administration interfaces, and other potentially dangerous services.
  4. Implementation of a patch management policy, prioritizing systems with vulnerabilities for which exploits are publicly available as well as the most vulnerable systems. Remaining systems should be updated based on vulnerability and system criticality priorities.
  5. A comprehensive approach to information security. Protecting the network perimeter is a vital part of security, but the perimeter is by no means the only vector for intruders to gain access to company infrastructure.
Read the full version of our report on Corporate Perimeter Protection here: https://www.ptsecurity.com/upload/iblock/9db/network_perimeter_eng.pdf

No comments:

Post a Comment