Using the Shodan database, IT security researchers were able to track down 15 million Internet-facing systems affected by vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog of the US cyber security authority CISA. By the time a vulnerability is added to KEV, an update that fixes it is usually already available from the software manufacturer.
It is very concerning that these machines went unpatched for years even though a fix had been released and these vulnerabilities are known to be exploited in the wild.
The IT researchers from Rezilion used the KEV catalog, which lists vulnerabilities known to be exploited by malicious actors, as the search key for finding vulnerable services in Shodan. Shodan's data comes from scans of the Internet and includes information such as active services and their versions, but these are snapshots in time rather than real-time data, so the counts are indicative rather than exact.
Further Analysis
The CISA KEV catalog contained 896 known-exploited security vulnerabilities when the researchers conducted their investigation. This is a small fraction of the vulnerabilities reported in the NIST CVE database (less than one percent), and in their report the researchers detail that attackers and APTs from Russia, Iran, China and North Korea are particularly taking advantage of these security issues. The report also states that the most commonly exploited of these vulnerabilities affect Microsoft Windows, Adobe Flash Player, Internet Explorer, the Chromium V8 JavaScript engine, Microsoft Office, Microsoft Win32k, Google Chrome, Apple iOS and Cisco IOS and IOS XE.
The researchers detected over 15 million publicly facing systems running software affected by CVEs from the KEV catalog. A majority of these were Microsoft Windows devices vulnerable to 137 CVEs, and this group had the largest attack surface at seven million systems. Of the ten CVEs found most often in Shodan, four were over five years old, which left more than 800,000 systems exposed to these aging vulnerabilities.
According to BleepingComputer, some notable CVEs from the Rezilion report are:
- CVE-2021-40438: medium-severity information disclosure flaw appearing in almost 6.5 million results, impacting Apache HTTPD servers v2.4.48 and older.
- ProxyShell: a set of three vulnerabilities impacting Microsoft Exchange, which Iranian APTs chained together for remote code execution attacks in 2021. Shodan returns 14,554 results today.
- ProxyLogon: a set of four flaws impacting Microsoft Exchange, which Russian hackers extensively leveraged in 2021 against U.S. infrastructure. There are still 4,990 systems vulnerable to ProxyLogon, with 584 located in the U.S.
- Heartbleed (CVE-2014-0160): medium-severity flaw impacting OpenSSL, allowing attackers to leak sensitive information from process memory. 190,446 systems are still vulnerable to this flaw.
CISA regularly updates its Known Exploited Vulnerabilities catalog, and all IT specialists should monitor it to ensure that vulnerable software is patched or replaced, protecting against possible attacks. For example, back in February CISA issued an alert regarding a weakness in GoAnywhere MFT, a vulnerability that left numerous organizations exposed to the Clop ransomware gang.
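One way to operationalise that monitoring is to cross-reference an internal asset inventory against the KEV feed, as in this added example (not Rezilion's tooling or code from the article). The KEV excerpt follows the layout of CISA's published JSON feed but its dates are constructed here, as are the inventory rows and the version rule; the feed itself carries no version data, so the "2.4.48 and older" rule is taken from the advisory quoted above.

```python
import json
from datetime import date

# Constructed excerpt in the layout of the CISA KEV JSON feed (assumption).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-40438", "vendorProject": "Apache", "product": "HTTP Server",
     "dateAdded": "2021-12-01", "dueDate": "2021-12-15"},
    {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL", "product": "OpenSSL",
     "dateAdded": "2022-05-04", "dueDate": "2022-05-25"},
]})

# Constructed local rule: product -> (highest affected version, CVE).
# KEV lists no versions, so this comes from the vendor advisory.
VERSION_RULES = {"apache httpd": ((2, 4, 48), "CVE-2021-40438")}

# Constructed inventory rows: (host, product, version, CVEs a scanner reported).
ASSETS = [
    ("web-01", "apache httpd", "2.4.41", []),
    ("web-02", "apache httpd", "2.4.57", []),
    ("vpn-01", "openssl", "1.0.1f", ["CVE-2014-0160"]),
    ("db-01", "postgresql", "15.2", ["CVE-2023-0000"]),  # not in KEV
]


def load_kev(text):
    """Index KEV entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def parse_version(s):
    """Turn '2.4.41' into a comparable tuple; non-numeric parts are dropped."""
    return tuple(int(p) for p in s.split(".") if p.isdigit())


def kev_exposures(assets, kev, today_iso):
    """Return (host, cve, years_old, overdue) for every asset hit by a KEV entry.

    A hit comes either from a scanner-reported CVE or from the version rule.
    years_old is derived from the CVE's year, mirroring the report's age metric;
    overdue is True when CISA's remediation due date has already passed.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for host, product, version, cves in assets:
        hits = set(cves)
        rule = VERSION_RULES.get(product)
        if rule and parse_version(version) <= rule[0]:
            hits.add(rule[1])
        for cve in sorted(hits.intersection(kev)):
            years_old = today.year - int(cve.split("-")[1])
            overdue = today > date.fromisoformat(kev[cve]["dueDate"])
            findings.append((host, cve, years_old, overdue))
    return findings
```

Swapping KEV_SAMPLE for the live feed and ASSETS for a scanner export gives a daily report of KEV-listed exposures, sorted by how far past CISA's due date each one is.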