Hackers scan for vulnerable devices minutes after bug disclosure

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.

Hackers scan the internet every hour for vulnerable devices

Every hour, a threat actor starts a new scan on the public web for vulnerable systems, moving at a quicker pace than global enterprises when trying to identify serious vulnerabilities on their networks.

The adversaries’ efforts increase significantly when critical vulnerabilities emerge, with new internet-wide scans happening within minutes from the disclosure.

Mind the gap

Attackers are tireless in their quest for new victims and strive to win the race to patched vulnerable systems. While companies strive to identify issues on their networks before it’s too late, they move at a much lower rate.

The data comes from the Palo Alto Networks Cortex Xpanse research team, who between January and March this year monitored scans from 50 million IP addresses of 50 global enterprises, some of them in Fortune 500.

The researchers found that companies take an average of 12 hours to find a new, serious vulnerability. Almost a third of all identified issues related to the Remote Desktop Protocol, a common target for ransomware actors as they can use it to gain admin access to servers.

Misconfigured database servers, zero-day vulnerabilities in critical products from vendors like Microsoft and F5, and insecure remote access (Telnet, SNMP, VNC) complete the list of high-priority flaws.

According to Palo Alto Networks, companies identified one such issue every 12 hours, in stark contrast with the threat actors’ mean time to inventory of just one hour.

In some cases, though, adversaries increased the scan frequency to 15 minutes when news emerged about a remotely exploitable, critical bug in a networking device; and the rate dropped to five minutes after the disclosure of the ProxyLogon bugs in Microsoft Exchange Server and Outlook Web Access (OWA) issues.

Palo Alto Networks recommends security teams look at the following list of services and systems to limit the attack surface.

The researchers note that they compiled the list based on two principles: certain things should not be exposed to the public web (bad protocols, admin portals, VPNs) and secure assets may become vulnerable over time.

  1. Remote access services (e.g., RDP, VNC, TeamViewer)
  2. Insecure file sharing/exchange services (e.g.,…