Enterprise ransomware threat shines spotlight on poor patch management

News by Davey Winder

Vulnerability scores from 2007 don't adequately measure risk in 2019; 31.5% of vulnerabilities exploited by ransomware could have been patched from 2015 or earlier but they're used as they're still successful;

Newly published research into the enterprise ransomware threatscape reveals the most common vulnerabilities being used to target businesses and government organisations. Worryingly, nearly a third of these have had patches available since 2015 or earlier. 

The RiskSense 'Enterprise Ransomware Through the Lens of Threat and Vulnerability Management' report  analysed the most common vulnerabilities being used by those threat actors targeting enterprises and government organisations with ransomware. While consumer ransomware attacks tend to exploit common Windows vulnerabilities, enterprise ransomware is a very different beast: 63 percent of the ransomware families analysed targeted high-value assets like servers, application servers, and collaboration tools while 52 percent of the vulnerabilities involved were not rated critical but had CVSS v2 scores lower than 8.

Some of the trending vulnerabilities had scores as low as 2.6, which puts enterprises that patch according to criticality ratings at greater risk of falling victim to ransomware. The standout statistic, however, is that nearly a third (31.5  percent) were old vulnerabilities; ones that could have been patched and put to bed from 2015 or earlier.

One example of this is the 'MS17-010' vulnerabilities that are best known for being used by the EternalBlue exploit and WannaCry ransomware. These wormable vulnerabilities are still being exploited by multiple ransomware families today. "The fact that they continue to trend in the wild and are being used by the most recent and damaging families of ransomware," the report states, "are clear signs that many organisations still have not patched them."

Eoin Keary, CEO of edgescan, told SC media UK that "there are still CVE’s from 2006 still in the wild; this is a hygiene issue, organisations are not applying patches or maintaining system configuration." edgescan research found 81.5 percent of all systems had one CVE, and 72 percent of systems had more than one; 20 percent of systems had more than 10 CVE’s. "In 2018, over a year after the event, 5.23 percent of all discovered high and critical vulnerabilities discovered related to exposure to NotPetya, Wannacry and Eternalblue CVE’s," Keary concludes. 

Srinivas Mukkamala, CEO of RiskSense, said that while not altogether unexpected, "the fact that older vulnerabilities and those with lower severity scores are being exploited by ransomware illustrates how easy it is for organisations to miss important vulnerabilities if they lack real-world threat context."

What does this combination of low CVSS rating and longevity of vulnerabilities say about the state of enterprise security today? As far as CVSS v2 is concerned, Tim Erlin, VP at Tripwire, points out that it's designed to give higher scores to network exploitable vulnerabilities rather than the email or user interaction routes preferred by ransomware. "It's not surprising that a vulnerability score designed for 2007 doesn't adequately measure risk in 2019," Erline told SC Media UK.

Javvad Malik, security awareness advocate at KnowBe4, is equally unsurprised. "CVEs have been a poor indicator overall as to what companies should be focusing on in terms of addressing threats," Malik says, "the main take away from this is that companies should not rely solely on external sources of information and rely on their own internal data for threat intelligence so that they invest in security controls in the right proportion to the risk they actually face."

As far as the patching problem, and the prevalence of old vulnerabilities, Chris Doman, a researcher at AT&T Alien Labs, told SC Media UK that "the most effective exploits quickly proliferate between a number of criminal and nation state groups with some remaining popular for a number of years after their initial discovery," because "people don't patch." And, as Tim Mackey, principal security strategist at Synopsys CyRC (Cybersecurity Research Center), says, "we found that of the commercial applications analysed, 60 percent contained at least one unpatched vulnerability and that 43 percent were composed of an open source component released over ten years prior." Or to sum it up in the fewest words possible, "attackers continue to use old vulnerabilities precisely because they continue to be successful," as Jonny Milliken, the research team manager at Alert Logic, says.

When it comes to ransomware mitigation advice for the enterprise, they should prevent the preventable. That's the sage advice from Sam Curry, chief security officer at Cybereason. "However, that’s not enough," Curry says, "enterprises should look to have the ability to recover and be resilient. Anti fragility is key, and that’s about more than prevention, it’s detection, segmentation, it’s back up, it’s redundancy and it’s recovery." Martin Jartelius, CSO at Outpost24 agrees that "preventive measures, such as reviewing vulnerabilities on servers, segmentation and reviewing user access rights, are easy to suggest but evidentially harder to implement." According to Jartelius, endpoint hardening is a cheaper and easier starting point.

"Should the worst case happen, it’s about ensuring you can recover quickly," Gavin Millard, VP of intelligence at Tenable says, "this means identifying the data and systems that are critical for your organisation to continue to function. If they can’t be protected, ensure you have a robust non-attached backup solution that’s stored security." Bindu Sundaresan, a director at AT&T Cybersecurity, also says that time is of the essence. "As soon as ransomware is detected in your environment, you must move swiftly to contain the threat and to prevent it from proliferating across your environment," she says, adding that if done manually, or across disparate systems, or even outside of working hours, "your response effort may be delayed or too slow to contain the attack."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews