The digital transformation makes the task of reducing the attack surface more difficult, given the exponential growth of users, devices, systems, and third-party applications that need to be updated. As a consequence, the range of possible cyberthreats is considerably larger. The costs that these attacks impose on businesses and users also add to the problem: it is estimated that by 2021 the cost of cybercrime will reach $6 trillion.
But as well as sharing a goal of making money, many of the most costly cyberincidents in the last few years have shared another characteristic: they have been made possible thanks to an unpatched vulnerability in an IT system.
In this article we’ve compiled some of the most infamous vulnerabilities and the problems they’ve caused for the IT systems where they’ve been found.
One of the most problematic vulnerabilities of the last year is one that affects Microsoft Server Message Block (SMB). It is called EternalBlue, and it was allegedly developed by the US National Security Agency (NSA). It came to light in April 2017, when the hacking group the Shadow Brokers revealed that the NSA was collecting vulnerabilities of this kind. And the list of attacks that have been made possible by this vulnerability is extensive.
The most famous use was WannaCry, which affected over 300,000 companies all over the world, and cost a total of around $4 billion. The malware NotPetya, which came to light just a month later, was able to get onto systems thanks to this vulnerability, stealing passwords in order to take control of the network that it accessed.
And we’re not just talking about ransomware: shortly after the WannaCry attacks, we started to see a piece of malware called Adylkuzz, which used EternalBlue to download a series of commands onto infected computers. These commands were then used to mine cryptocurrency on the infected machines.
Bad Rabbit, another ransomware, shared many elements of the code found in NotPetya. However, this time it exploited another vulnerability – also developed by the NSA and also in SMB – called EternalRomance. The attack mainly affected users in Eastern Europe and Russia.
At the start of this year, the Winter Olympics in Pyeongchang experienced a cyberattack. During the opening ceremony, attackers interfered with the Internet connection, the website of the games, and television services. In order to carry this out, those behind the attack made use of EternalRomance.
Recent cyberattack trends such as cryptojacking have taken advantage of these vulnerabilities to spread. The malware PyRoMine used EternalRomance to infect computers and use their CPU to mine the cryptocurrency Monero.
How could these attacks have been avoided? The answer is simple: a patch for all of these vulnerabilities was available months before the incidents. However, many organizations have trouble applying the right patches, or don’t have patching policies, which means that vulnerabilities of this kind may go unnoticed. What’s more, EternalBlue is still threatening unpatched systems.
In 2017, cybercriminals used a vulnerability in the software Apache Struts to launch a piece of ransomware called Cerber. According to some sources, they made over $100,000 in Bitcoin thanks to this ransomware. And this wasn’t the only use of this vulnerability in Apache Struts.
Personal data breaches
Though ransomware and malware may be the most attention-grabbing results of an unpatched vulnerability, they’re far from the only consequences. Some of the most serious exfiltrations of personal data have been a direct result of unpatched IT systems.
In 2017, the US company Equifax revealed that it had lost the personal data of over 145 million people, in one of the largest breaches of this kind in history. The cause of this breach? The same vulnerability in Apache Struts that had been used by Cerber. According to Equifax, the blame fell on an employee who didn’t apply the relevant patch – a patch that was available two months before the breach and would have been enough to stop it from happening.
This case is not the only one. The insurance company Nationwide Mutual Insurance agreed to a $5.5 million payout for a breach of the data of 1.27 million people in 2012 – a breach that was also made possible by a vulnerability in a web application for which a patch had been available three years before the incident.
The phone company Carphone Warehouse faced a £400,000 fine for a breach that it suffered in 2015, which was facilitated by a vulnerability in the version of WordPress that the company was using, a version that hadn’t been updated since 2009.
In fact, according to a study, over 80% of personal data breaches are the result of poor patch management. This means that a company can significantly reduce the risk of suffering this kind of incident by implementing an efficient patching policy.
One of the reasons that companies have trouble finding and applying relevant patches is a lack of resources and time. What’s more, a lot of the time it is difficult to prioritize which patches to apply first.
However, although we have seen just a few examples here, the fact is that the majority of attacks and exploits take advantage of outdated systems and third-party applications, exploiting known vulnerabilities for which an update had been available weeks, or even months, before the breach.
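The prioritization problem described above (limited time, many missing patches, which one first?) can be made concrete with a small triage script. The following Python is an added example written for this article; it is not Panda Security’s code nor the product described below. The host inventory, the advisory ids (ADV-EXAMPLE-n), the dates and the scoring weights are all constructed for illustration, not taken from any real advisory.

```python
"""Patch-backlog triage: rank missing patches by risk and age.

Added example, not Panda Security's code. All inventory, advisory ids,
dates and weights below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    id: str                 # placeholder id, not a real CVE or vendor bulletin
    product: str
    fixed_version: tuple    # first version that contains the fix
    cvss: float             # 0-10 base score
    exploited_in_wild: bool
    published: date


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: tuple
    internet_facing: bool


def parse_version(s: str) -> tuple:
    """'2.3.31' -> (2, 3, 31). Tuples compare numerically; comparing the raw
    strings would wrongly rank '2.3.9' above '2.3.31'."""
    return tuple(int(part) for part in s.split("."))


def is_missing(host: Host, adv: Advisory) -> bool:
    """A host is missing the patch if it runs the product below the fixed version."""
    return host.product == adv.product and host.version < adv.fixed_version


def risk_score(host: Host, adv: Advisory, today: date) -> float:
    """Higher score = patch sooner. In-the-wild exploitation and exposure
    outweigh raw severity; every month the patch has been available adds
    a point, capped at six months."""
    days_open = (today - adv.published).days
    score = adv.cvss
    if adv.exploited_in_wild:
        score += 10
    if host.internet_facing:
        score += 5
    score += min(days_open, 180) / 30
    return round(score, 2)


def triage(hosts, advisories, today: date):
    """Return (score, host, advisory id, days since patch release), most urgent first."""
    queue = []
    for h in hosts:
        for a in advisories:
            if is_missing(h, a):
                queue.append((risk_score(h, a, today), h.name, a.id, (today - a.published).days))
    queue.sort(key=lambda item: (-item[0], item[1], item[2]))
    return queue


def overdue(queue, sla_days: int):
    """Entries whose patch has been available longer than the patching SLA allows."""
    return [item for item in queue if item[3] > sla_days]


# Constructed sample data (not real advisories or hosts).
TODAY = date(2018, 6, 1)
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "file-sharing-service", parse_version("1.0.5"), 8.1, True, date(2017, 3, 14)),
    Advisory("ADV-EXAMPLE-2", "web-framework", parse_version("2.3.32"), 9.8, True, date(2017, 3, 6)),
    Advisory("ADV-EXAMPLE-3", "cms", parse_version("4.9.6"), 5.3, False, date(2018, 5, 20)),
]
HOSTS = [
    Host("web01", "web-framework", parse_version("2.3.30"), True),
    Host("file01", "file-sharing-service", parse_version("1.0.2"), False),
    Host("cms01", "cms", parse_version("4.9.5"), True),
    Host("file02", "file-sharing-service", parse_version("1.0.5"), True),  # already patched
]


def triage_sample():
    """Run the triage over the constructed inventory."""
    return triage(HOSTS, ADVISORIES, TODAY)


if __name__ == "__main__":
    for score, host, adv_id, days in triage_sample():
        print(f"{score:6.2f}  {host:8}  {adv_id:15}  patch available for {days} days")
    print("overdue (30-day SLA):", [h for _, h, _, _ in overdue(triage_sample(), 30)])
```

Two details matter more than the particular weights: versions are compared as integer tuples rather than strings, and the age of the available patch counts against the host, so a medium-severity fix that has sat unapplied for a year climbs the queue on its own. A real deployment would feed the inventory from an asset database and the advisories from a vendor or NVD feed; the scoring function stays the same.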
With Panda Patch Management you can be sure of always having the most relevant patches installed. Patch Management automatically searches for necessary patches to keep the devices on your system safe, prioritizing the most urgent updates. This way you can avoid incidents, systematically reducing the attack surface created by vulnerabilities, applying critical updates immediately from the cloud console.