Less than an Hour of Vulnerability is Enough for Cybercriminals to Succeed in Their Attacks

A couple of years ago, the United States Government Accountability Office released a report revealing that hackers can break into US weapon systems with minimal time required. “In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing,” the report stated.

Unfortunately, this alarming revelation failed to get the response it deserved. Government institutions and private organizations have not exerted the extra effort and investment to improve their cybersecurity posture. Some continue to be cavalier with the way they defend against cyber attacks.

Recent high-profile incidents such as the SolarWinds, Colonial Pipeline, CNA Insurance, and the Florida Water Supply attacks prove that vulnerabilities can exist in all kinds of organizations and cybercriminals are hell-bent on taking advantage of these. In some cases, the attacks take a long time but in others, successful penetration of cyber defenses can happen in less than an hour.

Successful cyberattacks in under an hour

A newly identified cybercrime group called SnapMC was reported in early October to pose an alarming threat to organizations worldwide. This group is said to be capable of rapid extortion attacks without using any ransomware. The full attack cycle can be completed in thirty minutes or less.

The attack takes advantage of vulnerabilities in unpatched VPNs and web server applications. As Threat Post describes it, victims fall prey to a “quick-hit extortion in less time than it takes to order a pizza.” The breach allows the attacker to steal sensitive data and demand a ransom in exchange for not publishing the stolen information. This is blatantly straightforward extortion, and the low-tech attack works because many organizations still do not pay enough attention to strengthening their cybersecurity.

It is important to highlight how short the attack window is, because it shows that even organizations with a “decent” cybersecurity posture, including some form of security validation, can still fall for these rapid extortion attacks. The best way to deal with these risks is to make sure that the right security controls are in place and that they are tested continuously. Continuous security validation is vital to a reliable security posture, as it ensures that vulnerabilities are spotted and addressed before they are exploited.

As mentioned, the SnapMC group exploits vulnerabilities in web server and VPN applications, which are commonplace nowadays. Organizations that validate their security controls only periodically will inevitably have periods of vulnerability. These periods could be a day, a week, or even months, because security testing is not continuous, so organizations do not know whether cracks have already opened in their defenses.

The human factor in security weakness

Human error is often considered the biggest factor in persistent cybersecurity weaknesses. Experienced cybersecurity expert Mus Huseyin says that the biggest threat to cybersecurity lies within the company: people. This point is hard to contradict. A large share of successful cyber attacks can be traced to carelessness, errors of omission, naivete, and other weaknesses of the people responsible for an organization’s cybersecurity posture.

A recent study about passwords by Safety.com suggests that many passwords could be cracked in under an hour. This is because most computer or web-enabled device owners do not take password selection and account protection seriously.

According to the study, 67.3 percent use passwords that are eight characters long or fewer. People in the 25 to 55 age bracket, those who use digital devices and the internet most often, are the ones who tend to use the shortest passwords. Short passwords are unsurprisingly easier to guess, especially when they are not random and do not mix letters of both cases, digits, and symbols.
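To make the “under an hour” claim concrete, the following added example (not part of the original article or the Safety.com study) computes the keyspace and worst-case brute-force time for passwords of a given length and character mix. The guess rate is an assumption: 100 billion guesses per second is in the range of a GPU rig attacking a fast, unsalted hash such as NTLM; a slow hash such as bcrypt would be several orders of magnitude lower. The sample passwords are constructed for illustration.

```python
import math
import string

# Assumed attacker capability: 1e11 guesses/s against a fast unsalted hash.
# This figure is an assumption for the example, not a measured value.
ASSUMED_GUESSES_PER_SECOND = 1e11

# Size of each character class an attacker would have to cover.
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = len(string.punctuation)  # 32 printable ASCII symbols


def keyspace(length, charset_size):
    """Number of candidate strings of exactly this length and alphabet."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst case for the attacker: try every candidate at the given rate."""
    return keyspace(length, charset_size) / rate


def classify_charset(password):
    """Infer the smallest alphabet that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c in string.punctuation for c in password):
        size += SYMBOLS
    return size


def crack_time_hours(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Hours to exhaust the keyspace implied by the password's length and mix."""
    return seconds_to_exhaust(len(password), classify_charset(password), rate) / 3600


def crackable_within_hour(password, rate=ASSUMED_GUESSES_PER_SECOND):
    return crack_time_hours(password, rate) < 1.0


def brute_force_table(lengths=(8, 10, 12), rate=ASSUMED_GUESSES_PER_SECOND):
    """Rows of (length, alphabet label, entropy bits, hours) for comparison."""
    alphabets = [
        ("lowercase only", LOWER),
        ("mixed case + digits", LOWER + UPPER + DIGITS),
        ("mixed case + digits + symbols", LOWER + UPPER + DIGITS + SYMBOLS),
    ]
    return [
        (n, label, round(entropy_bits(n, size), 1),
         seconds_to_exhaust(n, size, rate) / 3600)
        for n in lengths
        for label, size in alphabets
    ]


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any breach or study.
    for pw in ("password", "Passw0rd", "Passw0rd!", "correct-horse-battery"):
        print(f"{pw!r:24} alphabet={classify_charset(pw):3} "
              f"hours={crack_time_hours(pw):.3g} "
              f"under_an_hour={crackable_within_hour(pw)}")
    print()
    for n, label, bits, hours in brute_force_table():
        print(f"len={n:2} {label:32} {bits:5.1f} bits  {hours:.3g} h")
```

Two caveats a practitioner should keep in mind: the figures above are the attacker’s worst case, since real cracking runs use wordlists and mangling rules and recover human-chosen passwords far faster than exhaustive search; and an eight-character mixed-case alphanumeric password, which the table shows falling in well under an hour at the assumed rate, is exactly the shape most of the surveyed users chose.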

Additionally, many still decline to use multi-factor authentication (MFA) to secure their accounts. Google’s own engineers said in 2018 that around 90 percent of Gmail users were not using two-step verification, which has since led Google to enroll users in it by default. Twitter has likewise reported that only a small fraction of its active accounts have MFA enabled.

The same tendencies carry over into enterprises: employees use weak passwords, ignore MFA, and wittingly or unwittingly make other human-centered security mistakes. That is why many companies now run cybersecurity orientation or training programs. Employees are treated as vital players in the effectiveness of an organization’s security posture and are equipped with the right knowledge and skills so that, at the very least, they do not become part of the problem.

The importance and challenges of continuous security testing

No matter how small the window of opportunity for an attack is, relentless cybercriminals will stop at nothing to make the most of it and land a successful assault. The good news is that cybersecurity professionals and organizations are now working together to broaden threat visibility and share the most up-to-date information with as many users as possible, to help detect, mitigate, remediate, and prevent cyber attacks promptly and effectively.

The globally accessible knowledge base of adversary tactics and techniques, MITRE ATT&CK, is helping organizations deal with the ever-evolving and worsening cyber threats of the present. Many incorporate the MITRE ATT&CK framework in their own cybersecurity management systems as well as in the security posture management platforms provided by third parties.

ISACA, an international IT-focused professional association, fully supports the adoption of continuous security validation, as it increases the cyber resiliency of enterprises. Additionally, it allows organizations to develop cyber threat models that suit their specific situations to focus on higher risk areas and key information assets. It also makes it possible to undertake a methodical analysis of identified security observations.

The problem with continuous security validation, however, is that it is time- and resource-intensive. It is virtually impossible to undertake manually. As such, cybersecurity teams turn to automation and machine learning. Effective cybersecurity platforms now automate many of the tasks involved in security validation and use artificial intelligence to evaluate threats, prioritize findings, and automate responses.

Closing the gaps

By now, it should be clear that cybercriminals do not need long hours to defeat cyber defenses. In many organizations, there are no adequate defenses to speak of. Bad actors just need to find a vulnerability they can exploit, and they can achieve their felonious goals in less than an hour. To make sure that does not happen, it is crucial to adopt continuous security testing and to promptly address security weaknesses as they are spotted.

Written by Adam Eaton