Attackers Scanning Within 15 Minutes of Zero-Day Disclosures

If your system administrators thought they had some breathing room between the time zero-day vulnerabilities are first announced and when they need to have mitigations in place, they thought wrong. A fresh study on the topic found that threat actors now begin scanning for vulnerable systems within 15 minutes of disclosure of new Common Vulnerabilities and Exposures (CVEs).

This is according to research conducted by Palo Alto's Unit 42 Incident Response Report released this year; Unit 42 found that hackers keep a close eye on software vendor bulletins and other vulnerability information sources and are ready to pounce extremely soon—leveraging such vulnerabilities to gain initial access to networks or to execute remote code on particular target users’ systems.


Attackers’ speedy incorporation of new vulnerabilities into their attack chains places a heavy burden on system administrators and security teams, as they are generally responsible for implementing vulnerability mitigations such as patching or, if patches are not yet available, adding defensive measures to prevent intrusions. In a related blog post, Unit 42 stated, "The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced.”



Due to the low level of skill required to perform vulnerability scanning, even unskilled threat actors are able to scan many resources across the Internet. Many of these unskilled actors then make a profit by selling their findings on the markets available on the dark web; more skilled attackers then use the vulnerability information to save time in identifying targets and they can focus on exploiting them.


According to the research reported, the initial wave of exploitation attempts follows the vulnerability detection scans within hours--hitting systems before defenders have been able to deploy patches. For example, Unit 42 noticed that for CVE-2022-1388, which is a critical unauthenticated remote command execution vulnerability in F5 BIG-IP products, the vulnerability was announced 4 May, 2022, and within ten hours Palo Alto had recorded more than 2,500 attempts at scanning and exploiting systems.



In this race between attackers and defenders the time constraints on both sides continues to increase. With pressure mounting for all defenders, it is increasingly important to restrict as many systems and applications from public Internet access as possible, making use of source address allowlisting, secure remote access technologies, and inventory management solutions to reduce the number of exploitable systems—and the open ports, protocols, and services on all systems—and increase the speed at which patches can be deployed. Organizations should bear in mind that while patching can require some system downtime and can push out time-to-completion for other projects, it is far better than the consequences of a breach.


Dedicated security solutions designed to leverage machine learning, artificial intelligence, and expert knowledge to identify unusual activity at the kernel level and correlate activity between systems can stop what could have turned into an organization-crippling attack into a minor nuisance as well. Critically, creating and maintaining a robust security program—based on a well-accepted standard—is the foundation on which the other security measures must be built to avoid the decay of capabilities and drifting of scope that can leave even the world’s most sophisticated organizations with invisible vulnerabilities.


Webcheck Security’s team of expert consultants can streamline your security program design and implementation, identify the most effective and yet affordable security solutions, and guide your internal stakeholders on their journey toward security maturity. Contact us today for a free discussion of how we can best serve you.

5 views0 comments