Have you ever wondered how devastating a cyberattack could be for your enterprise? A recent study by Poneman determined that the average cost of a cyberattack increased to $3.86 million in 2018. Cyberattacks can range from simple phishing attacks to more advanced cryptomining and cryptojacking attacks. However, there's one commonality between all these attacks: known vulnerabilities that are exploited because patches were not applied promptly.
There's a saying that reinforces this, "Unpatched vulnerabilities are a hacker's best friend." Indeed, they are. According to statistics from CVE Details, the total number of vulnerabilities identified since 2017 is greater than the vulnerabilities found in the preceding five years (2012 through 2016). Unfortunately, the number of discovered vulnerabilities has been increasing every year, and this means IT departments need to be vigilant.
Failing to patch vulnerabilities leaves an organization’s IT infrastructure at risk. Here are the top five OS-based vulnerabilities that can lead to a cyberattack:
1. Remote code execution
Execute or modify command code remotely
Severity rating:* 4/5
What is remote code execution?
Remote code execution, also known as RCE, is a type of vulnerability that allows attackers to remotely run arbitrary code on vulnerable servers and workstations. Attackers can then perform actions to exploit other vulnerabilities. Remote code execution is the most common vulnerability found in software today, and it can lead to other attacks, including denial-of-service and elevation of privileges.
Why is it serious?
Remote code execution vulnerabilities are usually marked "critical" and should be patched immediately. A recent study on cyberattacks suggests that 90 percent of remote code attacks were associated with cryptomining.
Reports suggest that nearly 28 percent of vulnerabilities are remote code execution bugs. As an example, in March 2019, the Google Chrome Security Team found a highly critical bug being exploited by hackers. In fact, it was so critical that Google demanded it be patched immediately. Successful exploitation of that vulnerability would have caused arbitrary code execution on any affected client computer, potentially providing the hackers with control over the rest of the network.
Deny or degrade service to users
Severity rating: 4/5
What is denial-of-service?
Denial-of-service (DoS) is one of the major Microsoft STRIDE threats that make services like Windows and browsers unable to function regularly. There are two types of DoS vulnerabilities:
- a. Flood attacks
- b. Crash attacks
Flood attacks occur when a system receives too many requests, causing the services to slow down and eventually stop. Such attacks include buffer overflow attacks, ICMP attacks, and SYN flood attacks. Other DoS attacks simply exploit vulnerabilities that cause a system or a service to crash.
Why is it serious?
A DoS attack is designed to distract from other criminal activities, such as network infiltration and data theft. It can also be used to sneak malware onto a computer while the user is busy fighting off the DoS attack. Distributed denial-of-service (DDoS) is the same type of attack, but on a larger scale; a DDoS attack involves multiple compromised systems attempting to exploit the target from many directions at once.
One of the worst DDoS attacks occurred in February 2018 when GitHub was hit with a sudden onslaught of traffic that clocked in at 1.35 terabytes per second. The attack originated from more than a thousand different autonomous systems.
3. Elevation of privilege
Gain capabilities without proper authorization
Severity rating: 3/5
What is elevation of privilege?
Elevation of privilege, also known as privilege escalation or EoP, gives an attacker authorization permissions beyond those initially granted. In an EoP attack, a remote user executes commands to give an unauthorized user the rights of an administrator.
Why is it important?
Most cyberattacks combine elevation of privilege with other vulnerabilities like remote code execution.
Microsoft patched a critical elevation of privilege vulnerability in its Win32k component on March's Patch Tuesday. However, just a few days after releasing the fix, attackers started exploiting the bug by executing malicious code in the kernel mode, where the operating system's core components run.
4. Information disclosure
Expose sensitive information to unauthorized users
Severity rating: 3/5
What is information disclosure?
You've likely heard about the recent data breaches through which hackers captured the personal information of several top government officials. This type of attack, information disclosure, occurs when software bugs are exploited to obtain personal data stored in a computer's memory. Even when this personal data isn't used in an immediate attack, this data can serve as a key building block for a future cyberattack.
Microsoft announced a critical zero-day patch for Internet Explorer in February 2019 that addressed a boundary error that occurred while processing certain HTML content. This was an information disclosure vulnerability that, if successful, would have allowed attackers to access sensitive information.
Impersonate someone else to access sensitive information
Severity rating: 3/5
What is spoofing?
Spoofing is the process of impersonating someone by tampering with the authentication process using a username and password. Hackers can use spoofing to access personal information in a victim's account. Spoofing mostly occurs in applications that use the Chakra scripting engine, such as Microsoft's Internet Explorer and Edge.
How dangerous is spoofing?
Spoofing is often used to gain access to execute a larger cyberattack, like a man-in-the-middle attack that relies on eavesdropping and interception through the internet. It can also be used to carry out phishing attacks, which are scams to gain sensitive information from individuals or organizations.
A recent study shows that nearly 30,000 spoofing attacks occur every day.
How to stay protected
Our word of advice is to patch everything. However, that's often easier said than done.
Patching can be a tedious task, especially in an enterprise environment. With Patch Manager Plus, a complete patching solution from ManageEngine, you can gain complete control over your endpoints’ patches. This tool eases the pain of patch management by automating patch deployment. Try Patch Manager Plus free for 30 days and defend your enterprise from cyberthreats.
* Severity ratings were determined by a team of security experts at ManageEngine.