Sharp spike in attacks on unpatched Microsoft, VMware systems

Researchers at Campbell, California-based cybersecurity organisation, Barracuda Networks have found multiple attacks that targeted unpatched software vulnerabilities in Microsoft and VMware platforms, the company said in a blog post.

Patches for software and operating systems refer to updates that are released to address security vulnerabilities within a program or product.   

The exact number of times the Barracuda systems detected these attack probes were not disclosed.  

Barracuda Researchers closed down on one particular Microsoft Vulnerability called Hafnium, which was first disclosed in March 2021.  

Hafnium is classified as a server-side request forgery vulnerability, which allows the attacker to send HTTP requests and authenticate as the Microsoft Exchange Server (the mail and calendar server).  

The Hafnium vulnerability was used to gain access and perform further exploitation such as dropping webshells into exploited systems.  

Webshells refers to a piece of script or code running on a server that provides for remote administration of the infected system. 

“Attackers understand that defenders don’t always have the time or bandwidth to keep up with patches all the time, and things slide—providing them with an easy way into the network,” Murali Urs, Country Manager-Barracuda Networks said.  

Separately, for VMWare, cybercriminals were seen to be trying to exploit two patches, codenamed as CVE-2021- 21972 and CVE-2021-21973, both of which were released on February 24, 2021.  

Patterns of attack

The researchers said that the bots have now shifted to a work week pattern, where the hackers take the weekend off, and might run automated tasks over the weekends. 

The reason for this is that attacking less used systems on weekends puts them at an increased risk of capture.  

Also read: Akamai outage takes down large chunk of internet, now fixed 

Some of the common attack types include reconnaissance or fuzzing, which is actually a quality assurance technique used to discover coding errors and security loopholes, but is now being used by cybercriminals.  

Another type is attacks against specific vulnerabilities of applications, with the most popular app being targeted being open-source content management system Wordpress.  

“The remaining attacks were at more or less the expected levels, with no specific attack patterns to be called out in the different categories,” the company said.  

Barracuda also researched the levels of HTTPS traffic and found a silver lining in the sense that the most secure protocols, I.e.  TLS1.3 and TLS1.2 were in use by most systems.  

“Organisations should look for a WAAP (Web Application and API Protection services) solution that includes bot mitigation, DDoS protection, API security, and credential stuffing protection To gain protection against automated attacks,” Barracuda’s Urs added.