Hackers started scanning for vulnerable Exchange servers minutes after patches were released

(Image credit: TheDigitalArtist / Pixabay)

Cybersecurity experts report that threat actors started scanning the Internet for vulnerable Microsoft Exchange servers within five minutes of the company recently disclosing now-patched ProxyLogon zero-day flaws.

Security researchers from Palo Alto Networks’ Cortex Xpanse team monitored the activities of attackers throughout Q1 2021, examining threat data from some 50 million IP addresses belonging to 50 different organizations.

The team followed a benchmark known as the “mean time to inventory” (MTTI) in order to determine the amount of time it takes for threat actors to initiate scanning for vulnerabilities after they are publicly disclosed.


"When an exploit is published, the time from then until when we start to see follow-on scanning spike in volume is now just minutes," shared Dr. Tim Junio, Senior Vice President, Cortex, Palo Alto Networks, speaking to ITProToday.

Rapid fire attacks

The researchers have detailed their observations in a report, where they note that most adversarial scans in Q1 2021 began between 15 and 60 minutes after the announcement of Common Vulnerabilities and Exposures (CVEs). 

However, on March 2, 2021, they noticed that threat actors started scanning for vulnerable Exchange email servers less than five minutes after Microsoft’s disclosure of the three ProxyLogon vulnerabilities.
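The MTTI benchmark described above is simple to reproduce against your own perimeter telemetry: bucket inbound requests to the Exchange front end by minute, take the pre-disclosure volume as a baseline, and report the first post-disclosure minute in which the number of distinct sources spikes. The script below is an added illustration, not code from the Cortex Xpanse report; the disclosure timestamp, log format and all IP addresses are constructed.

```python
from datetime import datetime, timezone
from statistics import mean

# Constructed disclosure instant (placeholder; the article gives only the date).
DISCLOSURE = datetime(2021, 3, 2, 18, 0, tzinfo=timezone.utc)

# Constructed edge log lines: "<ISO timestamp> <source IP> <request path>".
# Before the disclosure: sporadic legitimate logins. Four minutes after it: a
# burst of requests from many unrelated sources against the Exchange front end.
SAMPLE_LOG = """\
2021-03-02T17:55:10+00:00 198.51.100.7 /owa/
2021-03-02T17:57:42+00:00 198.51.100.9 /owa/
2021-03-02T17:59:05+00:00 198.51.100.7 /owa/
2021-03-02T18:01:30+00:00 198.51.100.12 /owa/
2021-03-02T18:04:02+00:00 203.0.113.5 /owa/
2021-03-02T18:04:03+00:00 203.0.113.66 /ecp/
2021-03-02T18:04:05+00:00 203.0.113.17 /owa/
2021-03-02T18:04:07+00:00 203.0.113.140 /owa/
2021-03-02T18:04:09+00:00 203.0.113.201 /ecp/
2021-03-02T18:04:11+00:00 203.0.113.33 /owa/
"""

def bucket_by_minute(log_text, disclosure=DISCLOSURE):
    """Map each request to its minute offset from the disclosure (negative
    before, non-negative after) and collect the distinct source IPs per minute."""
    buckets = {}
    for line in log_text.strip().splitlines():
        ts, src, _path = line.split(maxsplit=2)
        offset = int((datetime.fromisoformat(ts) - disclosure).total_seconds() // 60)
        buckets.setdefault(offset, set()).add(src)
    return buckets

def mean_time_to_inventory(buckets, factor=3, min_sources=3):
    """Minutes from disclosure to the first post-disclosure minute whose
    distinct-source count is at least `min_sources` and exceeds `factor` times
    the pre-disclosure average. Returns None if no such spike occurred.
    The baseline averages only minutes that saw traffic, so it is conservative."""
    pre = [len(s) for off, s in buckets.items() if off < 0]
    baseline = mean(pre) if pre else 0.0
    for off in sorted(o for o in buckets if o >= 0):
        n = len(buckets[off])
        if n >= min_sources and n > factor * baseline:
            return off
    return None

if __name__ == "__main__":
    print("MTTI (minutes):", mean_time_to_inventory(bucket_by_minute(SAMPLE_LOG)))
```

On the constructed sample the spike lands four minutes after disclosure, the same order of magnitude the researchers observed for Exchange; real logs need the path filter and thresholds tuned to your own baseline traffic.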

The Cortex researchers note that what further aggravates the situation is that it takes surprisingly little time to scan the entire Internet. Instead of weeks or months, threat actors can now communicate with every public-facing IP in the IPv4 address space in less than an hour.

More worryingly, in the report, they add that thanks to the power of cloud computing, such a scan can be run from a server that can be rented for as little as $10.

On the other hand, the researchers also note that enterprises take an average of twelve hours to detect vulnerable systems. The fastest patching times the researchers observed for Exchange servers were measured in days, with several large businesses taking a few weeks to patch the vulnerabilities.

Via ITProToday

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.