The increased speed of vulnerability exploitation

Harold de Vries

2024-10-09

The rapid exploitation of vulnerabilities poses a growing threat to businesses worldwide. Attackers are increasingly agile in converting discovered flaws into successful attacks. The ScreenConnect incidents (CVE-2024-1708 and CVE-2024-1709) serve as a cautionary tale, underscoring the potential consequences of delayed response to vulnerabilities.


The case of ScreenConnect


On 19 February 2024, software firm ConnectWise alerted its clients to two critical vulnerabilities impacting on-premise versions of its remote management tool, ScreenConnect (versions 23.9.7 and earlier). These vulnerabilities enabled attackers to circumvent authentication measures, allowing them to create administrative-level accounts with full system administrator privileges. With a maximum CVSS score of 10, the exploit could be used to carry out malicious activities, including ransomware attacks and the deployment of additional remote access tools.


In a worrying development, Kroll’s incident response team observed that the majority of their ScreenConnect cases had an initial access date of 21 February, indicating that threat actors were exploiting the vulnerabilities within less than 48 hours of the original announcement. This rapid exploitation highlights the increasing efficiency and preparedness of attackers. The range of threat actors leveraging these vulnerabilities was broad, demonstrating the wide appeal and accessibility of such exploits.


The company has since released a patch in version 23.9.8, urging all on-premise users to upgrade immediately. Cloud-hosted instances were automatically patched, and licence restrictions were lifted to ensure all users could apply the patch.
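The dates and version boundaries above are enough to turn the ScreenConnect case into a concrete patch-window check. The script below is an added example, not Hackurity's or ConnectWise's code: it takes a constructed inventory of ScreenConnect hosts (hostnames and patch dates are made up), flags every on-premise install still at 23.9.7 or earlier, and measures each host's exposure against the advisory date (19 February) and the date Kroll first observed initial access (21 February).

```python
"""Patch-window triage for the ScreenConnect advisory.

Added example, not code from the article or from ConnectWise.
Inventory rows are constructed; the dates and version boundaries
come from the article.
"""
from datetime import date

ADVISORY_DATE = date(2024, 2, 19)         # ConnectWise alerts customers
FIRST_SEEN_EXPLOITED = date(2024, 2, 21)  # Kroll's observed initial-access date
LAST_VULNERABLE = (23, 9, 7)              # 23.9.7 and earlier are affected
FIXED_VERSION = (23, 9, 8)                # first patched release

# Constructed inventory: host, installed version, date the fix was applied (None = not yet)
INVENTORY = [
    {"host": "rmm-01.example.internal", "version": "23.9.7", "patched_on": None},
    {"host": "rmm-02.example.internal", "version": "23.9.8", "patched_on": date(2024, 2, 20)},
    {"host": "rmm-03.example.internal", "version": "22.6.2", "patched_on": None},
    {"host": "rmm-04.example.internal", "version": "23.9.8", "patched_on": date(2024, 2, 22)},
]


def parse_version(version: str) -> tuple:
    """'23.9.7' -> (23, 9, 7). Tuples compare numerically, so a later
    two-digit component (e.g. 23.9.10) is not misordered the way a plain
    string comparison would misorder it."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True for every release at or below the last affected version."""
    return parse_version(version) <= LAST_VULNERABLE


def triage(inventory, as_of: date):
    """One result per host: status and the number of days it sat (or still sits)
    past the advisory before being fixed."""
    results = []
    for host in inventory:
        patched_on = host["patched_on"]
        if is_vulnerable(host["version"]):
            # Still on an affected build: exposure clock is running from the advisory
            status, days = "EXPOSED", (as_of - ADVISORY_DATE).days
        elif patched_on is None:
            status, days = "not-affected", 0
        elif patched_on < FIRST_SEEN_EXPLOITED:
            # Fixed before the first observed in-the-wild exploitation
            status, days = "patched-before-exploitation", (patched_on - ADVISORY_DATE).days
        else:
            # Fixed, but only after attackers were already active
            status, days = "patched-after-exploitation", (patched_on - ADVISORY_DATE).days
        results.append({"host": host["host"], "status": status, "days": days})
    return results


def exposed_hosts(results):
    """Hostnames that still need the upgrade to 23.9.8 or later."""
    return [r["host"] for r in results if r["status"] == "EXPOSED"]


if __name__ == "__main__":
    today = date(2024, 2, 23)  # constructed "run date"
    rows = triage(INVENTORY, today)
    for r in rows:
        print(f"{r['host']:28} {r['status']:28} {r['days']:>3} days")
    print("Upgrade immediately:", exposed_hosts(rows))
```

The useful number is not only "is it vulnerable" but "how many days past the advisory": with exploitation observed within 48 hours, a host in the `patched-after-exploitation` bucket was fixed inside a window attackers were already working.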



The broader trend of exploitation speed


Publicly available data from renowned security vendors indicates that the time taken to exploit vulnerabilities has been steadily declining for some time. Rapid exploitation leaves organisations with a diminishing window to defend against potential threats, underlining the critical need for swift and proactive security measures.


One such vendor has identified a worrying trend in the exploitation of high-risk vulnerabilities. Its 2023 analysis reveals that the mean time to exploit vulnerabilities is approximately 44 days. However, this average masks the true urgency of the situation, with many vulnerabilities being exploited almost immediately after disclosure. In fact, the same analysis found that 25% of vulnerabilities were exploited on the day they were published, highlighting a significant shift in attacker tactics.


Mandiant’s research further supports this trend, noting that the average Time-to-Exploit (TTE) decreased to 32 days in 2021-2022, down from 44 days in 2020 and 63 days in 2018-2019. This shrinking window of opportunity for defenders presents a formidable challenge. Mandiant also observed that 51% of vulnerabilities first disclosed in 2021 and 2022 eventually had publicly available exploit code, which often accelerates the exploitation process.
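The two paragraphs above make a statistical point that is easy to miss: a mean time-to-exploit of 44 days and 25% exploited on day zero describe the same, heavily skewed, distribution. The script below is an added example, not from the article or the vendors it cites. Its vulnerability records are constructed (labels and dates are made up, chosen so the mean lands on 44 days and a quarter are day-zero) to show how the mean hides the urgency, and to test what share of exploitation a patch-within-N-days policy would actually have beaten.

```python
"""Mean vs. median time-to-exploit, and what a patch SLA would have caught.

Added example, not from the article or the vendors it cites. The records
are constructed to mirror the article's headline figures (mean ~44 days,
25% exploited on disclosure day); they are not real CVE data.
"""
from datetime import date
from statistics import mean, median

# (label, public disclosure date, first observed in-the-wild exploitation)
RECORDS = [
    ("VULN-1", date(2023, 1, 10), date(2023, 1, 10)),   # exploited on disclosure day
    ("VULN-2", date(2023, 2, 1),  date(2023, 2, 1)),    # exploited on disclosure day
    ("VULN-3", date(2023, 3, 5),  date(2023, 3, 6)),
    ("VULN-4", date(2023, 4, 1),  date(2023, 4, 4)),
    ("VULN-5", date(2023, 5, 1),  date(2023, 5, 11)),
    ("VULN-6", date(2023, 6, 1),  date(2023, 7, 1)),
    ("VULN-7", date(2023, 1, 1),  date(2023, 5, 1)),    # long tail pulls the mean up
    ("VULN-8", date(2023, 2, 1),  date(2023, 8, 8)),    # long tail pulls the mean up
]


def time_to_exploit(records):
    """Days from public disclosure to first observed exploitation, per record."""
    return [(exploited - disclosed).days for _, disclosed, exploited in records]


def summarize(ttes):
    """Headline statistics: the mean the reports quote, plus the figures
    that expose how front-loaded exploitation really is."""
    n = len(ttes)
    return {
        "mean_days": mean(ttes),
        "median_days": median(ttes),
        "share_day0": sum(1 for t in ttes if t == 0) / n,
        "share_within_week": sum(1 for t in ttes if t <= 7) / n,
    }


def share_beaten_by_sla(ttes, sla_days):
    """Fraction of vulnerabilities that a 'patch within sla_days' policy would
    have fixed strictly before their first observed exploitation."""
    return sum(1 for t in ttes if t > sla_days) / len(ttes)


if __name__ == "__main__":
    ttes = time_to_exploit(RECORDS)
    stats = summarize(ttes)
    print(f"mean TTE   : {stats['mean_days']:.1f} days")
    print(f"median TTE : {stats['median_days']:.1f} days")
    print(f"day-0      : {stats['share_day0']:.0%}")
    print(f"<= 7 days  : {stats['share_within_week']:.0%}")
    for sla in (1, 7, 30):
        print(f"patch-within-{sla}-days would beat {share_beaten_by_sla(ttes, sla):.0%} of exploitation")
```

On the constructed data the mean is 44 days but the median is 6.5, and a 30-day patch cycle, comfortably inside the mean, would have beaten exploitation for only a quarter of the vulnerabilities. That gap between mean and median is the quantitative form of the article's point.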



The availability of public exploit code


Publicly available exploit code is a double-edged sword. While it assists defenders in understanding and mitigating vulnerabilities, it also provides a blueprint for less experienced attackers to exploit these weaknesses. This dual nature underscores the urgency for organisations to respond swiftly and decisively to vulnerability disclosures.


Attackers target a wide range of systems and applications, including PaperCut NG, MOVEit Transfer, various Windows operating systems, Google Chrome, Atlassian Confluence, and Apache ActiveMQ. This diversity highlights the vulnerability of all applications to determined attackers. Notably, 32.5% of 206 high-risk vulnerabilities identified in 2023 affected networking infrastructure or web applications – areas traditionally challenging to secure using conventional methods.



Push Button Pentesting as your solution


Push Button Pentesting (PBP) marks a significant evolution in penetration testing practice, offering a dynamic and efficient alternative that blends several critical components - vulnerability scanning, simulated attacks, social engineering and comprehensive reporting - into one cohesive, ongoing process.


At its core, PBP automates and perpetuates the cycle of identifying and addressing security weaknesses within an organisation’s digital infrastructure. PBP brings important advantages for its users, including:

🔎 Identification of vulnerabilities in real-time; the ongoing process not only ensures comprehensive coverage of the entire network and system infrastructure but also brings consistency and standardisation to the testing process.

💶 Automation brings cost-efficiencies; it reduces the need for frequent manual testing, which can be resource-intensive and, by minimising human intervention, PBP lowers the risk of errors that can occur in manual processes.

📈 Scalability; as organisations grow and their network infrastructures become more complex, PBP adapts accordingly through fingerprinting, ensuring that new infrastructure components are continually assessed for vulnerabilities.

📋 Compliance; many industries are governed by regulations that mandate regular security assessments. PBP streamlines this process, making it easier for organisations to adhere to these requirements consistently.



About Hackurity


Hackurity is redesigning cybersecurity through its unique and innovative concept of Push Button Pentesting. By fully automating the discovery and exploitation of vulnerabilities, Hackurity is that all-important extra pair of hands for your IT team, contextualising risks in a unified repository, streamlining remediation.

Headquartered in the Netherlands and developed by pentesters, Hackurity provides enterprise security solutions to businesses around the world, small and large.


Hackurity.io
Blaak 520
3011TA Rotterdam
The Netherlands

© 2024 hackurity.io All Rights Reserved.