Since a few months now, cyber criminals are targeting vulnerabilities in VPN appliances from major brands to compromise and deploy ransomware on affected companies.
As we spoke about in a previous blog post, we are checking those vulnerabilities at Internet scale to help our customers find and fix their assets before the bad guys exploit them, eventually costing millions to recover.
Vulnerabilities we are able to detect
Today, we are checking 7 critical vulnerabilities. These vulnerabilities are exploitable remotely from the network with no user interaction and without any authentication required. They allow to perform remote code execution on affected targets and that is why cyber crooks love them.
Here is the list of CVE we are checking for:
- CVE-2018-13379: affects FortiNet FortiGate
- CVE-2019-11510: affects PulseSecure Pulse Connect Secure
- CVE-2019-19781: affects Citrix Gateway (dubbed #shitrix)
- CVE-2020-1938: affects Apache Tomcat (dubbed #ghostcat)
- CVE-2020-3452: affects Cisco ASA
- CVE-2020-5902: affects F5 Networks BIGIP
- CVE-2020-6287: affects SAP Netweaver Application Server Java (dubbed #recon)
- CVE-2020-14882: affects Oracle Weblogic servers (note: added on 2020-11-10 and not used during the writing of this article)
2. Introducing the fortune500 and global500 tags
Since August 22nd, we added lookup capabilities to our scanning engine. We have built a comprehensive inventory of fortune500 and global500 companies. Each time we receive an application response with a domain name set (example: adobe.com), we add tags when a match is found.
As you can see from the tag cloud, the most prevalent vulnerability found on big companies is the one impacting Cisco ASA (CVE-2020-3452). But what is worrying to us is the fact that some companies still have critical vulnerabilities on their Citrix Gateway, FortiNet FortiGate, SAP Netweaver Application Server or PulseSecure Pulse Connect Secure devices.
Also, you may note that no company is impacted by the #ghostcat or F5 Networks BIGIP vulnerabilities.
3. How many of these companies are impacted?
To count how many of them are vulnerable is not a direct and unique query. We can count either on the number of unique IP addresses or on the number of unique domains. However, a company can have multiple domains. According to our datasets, a correct guess is around 2 domains per company.
Furthermore, a company can use multiple device brands and thus may be counted multiple times when you do the math by counting on the below figures. So, from the following figures, simply divide by 2 to have an estimated guess of how many fortune500 and global500 companies are impacted for each vulnerability.
3.1. Cisco ASA devices
3.2. SAP Netweaver Application Server
3.3. Citrix Gateway
3.4. PulseSecure Pulse Connect Secure
3.5. Fortinet FortiGate
As our data shows, around 200 of the biggest companies are still impacted by critical known vulnerabilities with patches available. When you remove duplicates between fortune500 and global500, there is a total of 881 companies.
In the end, it is more than 20% of big companies which have known critical vulnerabilities, that is more than 1 company out of 5.
4. How to verify you are not impacted
Customers having an “Eagle View” subscription can check by themselves. This is the only subscription-level that allows querying the vulnscan category of information. Other Entreprise-level subscriptions do not give access to such data.
To avoid our online payment service to be exploited by malicious actors to fetch this sensitive information, we only sell Eagle Views after proper human interaction and validation that a true legitimate company lies behind the subscription request.
To check you are not vulnerable is as easy as running an API query against the current week if executed on Thursdays (scans are launched every Wednesdays) or querying against the previous week when executed on Mondays:
These vulnerabilities are massively exploited on the Internet. You don’t want to be the next big company falling for an unpatched VPN endpoint, losing millions, and losing your CEO job too. Contact us at sales[at]onyphe dot io for a demo.