A new report from cybersecurity company Randori has categorized the most tempting internet-exposed assets that an attacker is likely to go after and exploit, finding that one in 15 organizations currently runs a version of SolarWinds that is known to be actively exploited.
In the 2021 Randori Attack Surface Report, researchers assigned each asset a "Temptation Score" -- effectively the likelihood that an attacker will go after it. Any exposed asset with a score over 30 is considered high, with the highest-ranking assets currently within their corpus reaching a Temptation Score of 55. The versions of SolarWinds being actively exploited have an average Temptation Score of 40.
The report found that more than 25% of organizations have RDP exposed to the internet, while 15% of organizations are still running outdated versions of IIS 6, which Microsoft hasn't supported for six years. Randori gave IIS 6 a Temptation Score of 37.
Nearly 40% of organizations use Cisco's Adaptive Security Appliance (ASA) firewall, which has a history of public vulnerabilities and a Temptation Score of 37. Almost half of all organizations run Citrix NetScaler, which has a score of 33 and multiple public exploits.
Both Cisco Web VPN and Palo Alto Global Protect joined Citrix NetScaler as VPNs listed in the report with high Temptation Scores.
Just 3% of organizations are still running versions of Microsoft Outlook Web Access, but this alarmed Randori researchers, who noted the recent Exchange hacks and several known exploits for the tool. It was one of the highest on the Temptation Score scale at 38.
"Many of the exposed assets -- like SolarWinds and OWA -- are there because of ignorance, not negligence. Organizations struggle to know what they have been exposed to on the internet. Cloud migration and the work-from-home boom dramatically increased the number of exposed assets -- but it is possible to deploy security measures to help you secure the unknown," David Wolpoff, CTO of Randori, told ZDNet.
The report notes that the SolarWinds issue ranked high in the report because it has publicly disclosed vulnerabilities, it is a mission-critical technology for many businesses, and it is widely used.
"Many assume prioritizing based on vulnerability severity will keep you safe. But that's simply not true. Attackers think differently, and vulnerability severity is just one of many factors weighed by an attacker. Our hope with releasing this report is that people will get deeper into the attacker's mindset, apply attacker logic to their security programs, and get one step ahead," Wolpoff said.
Wolpoff explained that the report is based on attack surface data from millions of internet-exposed assets and noted that the Temptation Score applies a proprietary weighting of six attributes to each asset: enumerability, exploitability, criticality, applicability, post-exploitation potential, and research potential.
Wolpoff said he is continually surprised to see that low effort, easy-to-break-in attacks still work at successful enterprises -- like exploitable OWA.
"What strikes me is the lack of focus on the basics, like hardening the default configurations or seeing default settings that contain admin/admin as the username and password. The number of times that the default username and password 'admin/admin' has gotten us into boxes is extremely surprising," Wolpoff said.
"For example, many enterprises are running old Microsoft OWA with the default settings -- exposing the name, version, and, better yet, configuration information! The more an attacker knows about a system, the more tempting it is -- it makes it easier for an attacker to cross-check to see if there are any known public vulnerabilities or exploits weaponized against that specific version and to confirm if an exploit will land."
He was also shocked by the high percentage of people not using MFA. He explained that his attack team often successfully conducts an attack with previously disclosed credentials because MFA wasn't deployed.
Wolpoff suggested security teams always change the default settings so the version number isn't publicly visible, noting that if enterprises are unable to patch or upgrade a tool, they should at least hide it.
He urged security teams to find ways to reduce their attack surfaces by taking things offline or disabling functionalities that go unused. It is no longer appropriate for organizations to settle for the configuration the manufacturer sets as default, and Wolpoff added that enterprises should segment critical assets as well as appliance and IoT devices.
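The version-disclosure problem Wolpoff describes is easy to check for on your own hosts before an attacker does. The following is an added example, not code from the Randori report or the article: it audits a set of HTTP response headers for product and version strings and reports what is leaked. The header names it inspects and the sample responses are constructed assumptions chosen to illustrate the kind of disclosure a default OWA or IIS deployment produces, not values taken from any real system.

```python
"""Audit HTTP response headers for product/version disclosure.

Added example (not from the Randori report). Runs offline over constructed
sample responses. The list of headers checked is an assumption: a typical
set a hardening review would look at, not an exhaustive one.
"""
import re

# Headers that commonly carry product or version strings (assumed list).
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-owa-version",
)

# A dotted number such as "6.0" or "2.0.50727" is treated as a version.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def audit_headers(headers):
    """Return a list of findings for headers that reveal product/version info.

    `headers` maps header name -> value; names are matched case-insensitively.
    Each finding is a dict with the normalised header name, its value, and a
    level: "version" if the value contains a dotted version number, otherwise
    "product" if the header is present with a non-empty value.
    """
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname not in DISCLOSING_HEADERS:
            continue
        if VERSION_RE.search(value):
            findings.append({"header": lname, "value": value, "level": "version"})
        elif value.strip():
            findings.append({"header": lname, "value": value, "level": "product"})
    return findings


def is_version_exposed(headers):
    """True if any checked header discloses a concrete version number."""
    return any(f["level"] == "version" for f in audit_headers(headers))


# Constructed sample: what a default-configured IIS 6 / OWA response might
# look like. The version values are placeholders, not real observed banners.
EXPOSED_SAMPLE = {
    "Server": "Microsoft-IIS/6.0",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "2.0.50727",
    "X-OWA-Version": "15.1.2.3",
    "Content-Type": "text/html",
}

# Constructed sample after hardening: identifying headers removed, only
# functional headers remain.
HARDENED_SAMPLE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
}


if __name__ == "__main__":
    for label, sample in (("exposed", EXPOSED_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"[{label}] version exposed: {is_version_exposed(sample)}")
        for f in audit_headers(sample):
            print(f"  {f['level']:8} {f['header']}: {f['value']}")
```

The audit only tells you what a response reveals; the fix is to strip or neutralise those headers at the web server or reverse proxy, and, as the article says, to take the service offline entirely if it is not needed.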