Many global500 and fortune500 companies still vulnerable to known critical vulnerabilities

For a few months now, cyber criminals have been targeting vulnerabilities in VPN appliances from major brands to compromise affected companies and deploy ransomware.

As we discussed in a previous blog post, we are checking for those vulnerabilities at Internet scale to help our customers find and fix their assets before the bad guys exploit them, which can eventually cost millions to recover from.

In this blog post, we introduce our new tagging capability, which allows us to find all vulnerable global500 and fortune500 companies with a single API query.

1. Vulnerabilities we are able to detect

Today, we are checking 7 critical vulnerabilities. These vulnerabilities are exploitable remotely over the network, with no user interaction and without any authentication required. They allow remote code execution on affected targets, which is why cyber crooks love them.

Here is the list of CVE we are checking for:

[Figure: Proportion of impacted devices by CVE]

2. Introducing the fortune500 and global500 tags

On August 22nd, we added lookup capabilities to our scanning engine. We have built a comprehensive inventory of fortune500 and global500 companies. Each time we receive an application response with a domain name set (example: adobe.com), we add tags when a match is found.

[Figure: Searching using the tag:global500 filter within category:vulnscan]
[Figure: Tag cloud for vulnerable companies]

As you can see from the tag cloud, the most prevalent vulnerability found on big companies is the one impacting Cisco ASA (CVE-2020-3452). What worries us, however, is that some companies still have critical vulnerabilities on their Citrix Gateway, Fortinet FortiGate, SAP Netweaver Application Server or PulseSecure Pulse Connect Secure devices.

Also, you may note that no company is impacted by the #ghostcat or F5 Networks BIG-IP vulnerabilities.

3. How many of these companies are impacted?

Counting how many of them are vulnerable is not a single, direct query. We can count either the number of unique IP addresses or the number of unique domains. However, a company can have multiple domains. According to our datasets, a reasonable estimate is around 2 domains per company.

Furthermore, a company can use multiple device brands and thus may be counted several times when you add up the figures below. So, from the following figures, simply divide by 2 to get an estimate of how many fortune500 and global500 companies are impacted by each vulnerability.

3.1. Cisco ASA devices

Around 180 companies impacted

3.2. SAP Netweaver Application Server

Around 30 companies impacted

3.3. Citrix Gateway

Around 8 companies impacted

3.4. PulseSecure Pulse Connect Secure

Around 3 companies impacted

3.5. Fortinet FortiGate

Only 1 company impacted

As our data shows, around 200 of the biggest companies are still impacted by known critical vulnerabilities for which patches are available. After removing duplicates between the fortune500 and global500 lists, there are 881 companies in total.

In the end, more than 20% of big companies have known critical vulnerabilities, that is, more than 1 company out of 5.

4. How to verify you are not impacted

Customers with an “Eagle View” subscription can check by themselves. This is the only subscription level that allows querying the vulnscan category of information. Other Enterprise-level subscriptions do not give access to such data.

To prevent our online payment service from being abused by malicious actors to fetch this sensitive information, we only sell Eagle Views after proper human interaction and validation that a legitimate company lies behind the subscription request.

Checking that you are not vulnerable is as easy as running an API query against the current week if executed on a Thursday (scans are launched every Wednesday), or against the previous week if executed on a Monday:

category:vulnscan -exists:cve domain:onyphe.io -weekago:0

Of course, you can also use the Alert API or script your queries using the Search API.
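As an added example (not ONYPHE's own code), the script below builds the weekly query shown above from the scan schedule described in this section, then summarises a result set the way Section 3 does: unique IPs and unique domains per CVE among global500/fortune500-tagged records, with the company estimate at 2 domains per company. The record field names (ip, domain, cve, tag) and the Thursday-to-Sunday/Monday-to-Wednesday week split are assumptions; the sample records are constructed, not real scan output.

```python
"""Added example, not ONYPHE's code: build the weekly vulnscan query from the
scan schedule the post describes, then summarise a result set the way
Section 3 does (unique IPs, unique domains, ~2 domains per company)."""
import datetime
from collections import defaultdict

BIG_COMPANY_TAGS = {"global500", "fortune500"}


def weekly_query(domain: str, today: datetime.date) -> str:
    """Scans launch on Wednesdays, so the post queries the current week on
    Thursday (-weekago:0) and the previous week on Monday (-weekago:1).
    Assumption: Thursday..Sunday -> current week, Monday..Wednesday -> previous."""
    weekago = 0 if today.isoweekday() >= 4 else 1
    return f"category:vulnscan -exists:cve domain:{domain} -weekago:{weekago}"


def summarise(results):
    """Per CVE, count unique IPs and unique domains among results tagged
    global500/fortune500, then estimate companies as domains / 2."""
    ips, domains = defaultdict(set), defaultdict(set)
    for r in results:
        if not BIG_COMPANY_TAGS & set(r.get("tag", [])):
            continue  # not a tagged big company: skipped
        for cve in r.get("cve", []):
            ips[cve].add(r["ip"])
            domains[cve].update(r.get("domain", []))
    return {cve: {"ips": len(ips[cve]), "domains": len(domains[cve]),
                  "companies_est": len(domains[cve]) / 2} for cve in ips}


# Constructed sample records (field names assumed; not real scan output).
SAMPLE_RESULTS = [
    {"ip": "198.51.100.10", "domain": ["example-corp.com"],
     "cve": ["CVE-2020-3452"], "tag": ["global500", "fortune500"]},
    {"ip": "198.51.100.11", "domain": ["example-corp.net"],
     "cve": ["CVE-2020-3452"], "tag": ["fortune500"]},
    {"ip": "203.0.113.5", "domain": ["example-bank.com"],
     "cve": ["CVE-2020-3452"], "tag": ["global500"]},
    {"ip": "203.0.113.6", "domain": ["example-bank.net"],
     "cve": ["CVE-2020-3452"], "tag": ["global500"]},
    {"ip": "203.0.113.9", "domain": ["example-shop.org"],
     "cve": ["CVE-2020-3452"], "tag": []},  # untagged, ignored
]

if __name__ == "__main__":
    print(weekly_query("onyphe.io", datetime.date.today()))
    print(summarise(SAMPLE_RESULTS))  # 4 IPs, 4 domains -> ~2 companies
```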

Conclusion

These vulnerabilities are massively exploited on the Internet. You don’t want to be the next big company falling victim to an unpatched VPN endpoint, losing millions, and losing your job as CEO too. Contact us at sales[at]onyphe dot io for a demo.
