The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

RDP and Cloud Databases Most Common Targets of Threat Actors

Malicious actors used a variety of methods to gain initial access to victims’ networks, but in 2022 cybercriminal groups appeared to focus on Remote Desktop Protocol (RDP) and attacks on cloud databases, according to cyber insurer Coalition. RDP is one of the most common ways that initial access brokers (IABs) and ransomware gangs gain access to victims’ networks, and it is by far the most common target of remote scanning by malicious actors. RDP scanning traffic was very high in 2022, with data collected from Coalition’s honeypots indicating that RDP scans accounted for 37.67% of all detected scans. Whenever a new vulnerability is identified in RDP, scans soar as cybercriminals rush to identify targets that can be attacked.

Ransomware continues to be an enormous problem. In 2022, ransomware gangs increasingly targeted cloud databases, especially Elasticsearch and MongoDB databases, a large number of which have been seized and held for ransom. Coalition’s team identified 68,423 hacked MongoDB databases in 2022, and 22,846 Elasticsearch databases that had been ransomed.

The number of new software vulnerabilities has been growing steadily over the past 6 years. In 2022, more than 23,000 new Common Vulnerabilities and Exposures (CVEs) were discovered, the highest number of any year to date. Coalition predicts this trend will continue in 2023 and expects more than 1,900 new CVEs to appear each month – a predicted increase of 13% from 2022. Each month, Coalition expects an average of 270 high-severity and 155 critical vulnerabilities to be disclosed, and it stressed that organizations need to remain vigilant, keep on top of patching, and quickly close these security gaps.

With so many vulnerabilities now being reported, keeping on top of patching can be a major challenge. Given the huge number of vulnerabilities security teams need to address, patching is often slow, which gives hackers a significant window of opportunity to exploit the flaws. Prompt patching is essential, as a majority of newly disclosed CVEs are exploited by cybercriminals within 30 days of the vulnerabilities being made public, and most within 90 days. Exploitation can occur incredibly quickly: for instance, the Fortinet vulnerability CVE-2022-40684 was exploited within 2 days of the announcement.


Malicious actors typically focus on exploiting a limited set of vulnerabilities. Even when new exploitable vulnerabilities are discovered, they tend to stick with their tried and tested exploits and attack as many businesses as possible. While the goal of security teams should be to ensure all vulnerabilities are patched promptly, the huge number of reported vulnerabilities can make that an almost impossible task. The greatest gains can be made by prioritizing patching and ensuring the most commonly exploited vulnerabilities are patched first. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of known exploited vulnerabilities, and each year publishes a list of the most commonly exploited flaws. All vulnerabilities on these lists should be prioritized and patched first.

Effective prioritization of patching can be a challenge, as it is not always clear which vulnerabilities are most likely to be exploited. IT teams often assess vulnerabilities using the Exploit Prediction Scoring System (EPSS) and the CVSS severity score, yet this information is not always available when vulnerabilities are first disclosed. Coalition has worked around this problem by developing its own vulnerability scoring system, the Coalition Exploit Scoring System (CESS). The system uses deep learning models that predict the CVSS score for a vulnerability from its description, the likelihood of an exploit being developed quickly based on past exploit availability for CVEs, and the likelihood of the exploit being used against Coalition policyholders by modeling past attacks.
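As an added example (not code from Coalition or HIPAA Journal), a small patch-prioritization queue that applies the ordering described in the two paragraphs above: CISA KEV entries first, then EPSS-weighted CVSS severity, with conservative stand-in values for CVEs whose EPSS or CVSS is not yet available at first disclosure. The stand-in values, the 30-day deadline, and the sample CVE ids are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Vuln:
    cve: str
    published: date               # public disclosure date
    in_kev: bool = False          # listed in CISA's Known Exploited Vulnerabilities catalog
    cvss: Optional[float] = None  # None: no CVSS base score assigned yet
    epss: Optional[float] = None  # None: EPSS has not scored this CVE yet

# Assumed stand-ins for CVEs that are still unscored at disclosure (this example's
# assumption, not a standard): err towards patching rather than silently deferring.
UNSCORED_CVSS = 9.0   # treat as critical until a real base score arrives
UNSCORED_EPSS = 0.5   # unknown exploit probability treated as a coin flip

def risk_score(v: Vuln) -> float:
    """0-100 ranking score. KEV membership overrides EPSS/CVSS entirely, matching
    the advice that catalogued exploited flaws are patched first."""
    if v.in_kev:
        return 100.0
    epss = UNSCORED_EPSS if v.epss is None else v.epss
    cvss = UNSCORED_CVSS if v.cvss is None else v.cvss
    return round(epss * cvss * 10, 2)  # EPSS (0-1) x CVSS (0-10) scaled to 0-100

def patch_deadline(v: Vuln, today: date) -> date:
    """KEV entries are due now; everything else within 30 days of disclosure, the
    window in which the report says most exploitation of new CVEs begins."""
    return today if v.in_kev else v.published + timedelta(days=30)

def prioritize(vulns: List[Vuln], today: date) -> List[Vuln]:
    """Highest risk first; ties broken by earliest deadline, then CVE id."""
    return sorted(vulns, key=lambda v: (-risk_score(v), patch_deadline(v, today), v.cve))

def prioritized_ids(vulns: List[Vuln], today: date) -> List[str]:
    return [v.cve for v in prioritize(vulns, today)]

# Constructed sample queue; the CVE ids are placeholders, not real identifiers.
TODAY = date(2023, 3, 1)
SAMPLE = [
    Vuln("CVE-0000-0001", date(2023, 2, 20), cvss=7.5, epss=0.02),
    Vuln("CVE-0000-0002", date(2023, 2, 27)),                      # just disclosed, unscored
    Vuln("CVE-0000-0003", date(2022, 11, 1), in_kev=True, cvss=6.5, epss=0.9),
    Vuln("CVE-0000-0004", date(2023, 1, 15), cvss=9.8, epss=0.3),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE, TODAY):
        print(f"{v.cve}  score={risk_score(v):6.2f}  due={patch_deadline(v, TODAY)}")
```

Note that the unscored, freshly disclosed CVE outranks the scored 9.8 with a low EPSS, which is the point: a missing score is a reason to triage, not to defer.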

“With so many vulnerabilities to address, systems often go unpatched for years, leaving huge swaths of the internet unprotected,” said Coalition in the report. “Leaders responsible for protecting network security need the most accurate and insightful information to act upon — and they need an effective way to prioritize which CVEs to respond to. We have attempted to provide that necessary context and the CVSS/CESS framework to help cybersecurity leaders and practitioners make informed decisions about their digital risk and react quickly to harmful vulnerabilities.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
