Cybercrime attacks on large enterprises have grown in recent months, driven by the new working conditions imposed by the COVID-19 pandemic. The exposure has increased in many areas, including servers that are directly accessible from the internet, domain names, websites, web forms, certificates, third-party applications and components, and mobile apps. While some of those changes might be temporary, many are likely to be permanent, straining the ability of existing IT and security teams to manage and secure them.
Security firm RiskIQ, which specializes in digital asset discovery and protection, has used data collected recently by its technology through internet scans to assess the current global attack surface. Over two weeks, the company saw the addition of 2,959,498 new domain names and 772,786,941 new unique hosts to the web.
Nearly half of the websites in the Alexa top 10,000 were running on a known content management platform; such platforms are common targets for hackers because of their popularity. The company also identified 13,222 WordPress plugins running on these websites; such third-party components are also a common source of vulnerabilities and breaches.
When looking for known high and critical vulnerabilities, RiskIQ identified at least one potentially vulnerable component running on 2,480 of the Alexa top 10,000 domains. There were 8,121 potentially vulnerable web components in total.
“While some of these instances will have patches or other mitigating controls to prevent the identified vulnerabilities and exposures from being exploited, many will not,” RiskIQ warned in its report.
The internet attack surface of large enterprises
When looking at the internet assets belonging to companies on the FTSE 30 list, the security firm identified 1,967 domain names, 5,422 live websites, 8,427 hosts, 777,049 web pages, 3,609 certificates, 76,324 forms, 2,841 WordPress and Drupal sites, 114,504 IP addresses, 45 mail servers, 7,790 cloud-hosted apps on Amazon and Azure, 26 potentially vulnerable Citrix Netscaler instances, eight potentially vulnerable Palo Alto GlobalProtect instances, nine potentially vulnerable Pulse Connect instances, 25 potentially vulnerable Fortinet instances and 1,464 Remote Access service instances.
On average, each company had 324 expired certificates; 25 certificates signed with SHA-1, a hash algorithm that is obsolete and blocked; 743 potential test sites exposed to the internet that could put data at risk; 385 insecure forms, 28 of which were used for authentication; 46 web frameworks with known vulnerabilities; 80 instances of PHP 5.x, which reached end of life over a year ago; and 664 web server versions with known vulnerabilities.
“With the boundaries between what’s inside the firewall and what’s outside becoming less and less discernible, an organization’s attack surface—everything it needs to worry about defending—now begins inside the corporate network and extends all the way to the outer reaches of the internet, even into the homes of employees,” RiskIQ said in its report. “For security teams, the sheer depth and breadth of what they need to defend may seem daunting. However, thinking about the internet from an attacker’s perspective—a collection of digital assets that are discoverable by hackers as they research their next campaigns—can put the massive scope of their organization’s attack surface into perspective.”
Vulnerabilities in web assets can be exploited in different ways, from stealing credentials through man-in-the-middle attacks and breaking into databases to full takeover of servers and using them to reach other non-public parts of the infrastructure. A common type of attack over the past few years has been the injection of malicious JavaScript code into websites; this has been used for malvertising, for using visitors’ browsers to mine cryptocurrency, and for stealing payment card data from checkout forms — a practice known as web skimming or Magecart attacks, after one of the most prolific groups engaged in this activity.
During March, when online shopping increased significantly due to the COVID-19 pandemic, RiskIQ observed a 30% growth in Magecart web skimmers. So far this year, the company has detected 2,552 Magecart attacks, or 425 per month. Also this year, RiskIQ found cryptomining JavaScript code on 963 websites.
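As an added example (not RiskIQ’s tooling and not code from the report), the following Python checks a page and its server banner for three of the exposure classes counted above: forms that submit over plain HTTP (password forms are marked as authentication forms), end-of-life PHP 5.x banners, and external scripts loaded from hosts outside a site’s allowlist, which is the footprint an injected web skimmer leaves on a checkout page. All hostnames, the sample HTML and the header value are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PageAudit(HTMLParser):
    """Collect each form's resolved action URL (flagging password
    fields) plus every external script URL found on the page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.scripts, self._form = page_url, [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "auth": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form and a.get("type", "").lower() == "password":
            self._form["auth"] = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audited(page_url, html):
    p = PageAudit(page_url)
    p.feed(html)
    return p

def insecure_forms(page_url, html):
    """Forms that submit to a non-HTTPS URL; 'auth' marks login forms."""
    return [f for f in audited(page_url, html).forms if urlparse(f["action"]).scheme != "https"]

def unexpected_scripts(page_url, html, allowed_hosts):
    """External scripts from hosts outside the allowlist: the footprint of an injected skimmer."""
    return [s for s in audited(page_url, html).scripts if urlparse(s).hostname not in allowed_hosts]

def php_end_of_life(headers):
    """True when the X-Powered-By banner advertises PHP 5.x or older (all end of life)."""
    m = re.match(r"PHP/(\d+)\.", headers.get("X-Powered-By", ""))
    return bool(m) and int(m.group(1)) <= 5

# Constructed sample checkout page and server banner (not real sites).
CHECKOUT_URL = "https://shop.example.com/checkout"
CHECKOUT_HTML = """<form action="/pay"><input type="text" name="card"></form>
<form action="http://legacy.example.com/login"><input type="password" name="pw"></form>
<script src="/static/app.js"></script>
<script src="https://cdn-stats.example.net/t.js"></script>"""
SERVER_HEADERS = {"X-Powered-By": "PHP/5.6.40"}
```

Run against your own inventory, the same three checks give per-site counts comparable to the report’s insecure-form, PHP 5.x and script-injection figures.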
The indirect attack surface
On top of protecting their digital assets on the internet, organizations also must manage threats to their customers and employees, especially as many of their workers now do their jobs from personal devices running inside insecure home networks. This makes them easier targets for phishing and other online threats because they’re outside the corporate firewalls and web security gateways.
During the first quarter, RiskIQ identified 21,496 phishing domains that impersonated 478 unique brands, a third of which were from the financial services sector. Furthermore, the company found 720,188 cases of domain infringement across 170 unique brands.
Malicious mobile applications that steal data also pose a risk to employees, who are often directed to them by phishing messages on social media platforms or through rogue advertisements displayed by other mobile apps. According to RiskIQ, over the course of last year, around 170,796 blacklisted mobile apps were found across 120 mobile app stores and the open internet. Over 25,000 of those were found in the Google Play Store.
“In today’s world of digital engagement, users sit outside the perimeter along with an increasing number of exposed corporate digital assets—and the majority of the malicious actors,” the company said in its report. “As such, companies need to adopt security strategies that encompass this change. […] Attackers now have far more access points to probe or exploit, with little-to-no security oversight.”