While analysing the data from the attacks blocked by their systems over the past two months, researchers of Barracuda, a trusted partner and leading provider of cloud-enabled security solutions, identified hundreds of thousands of automated scans and attacks per day, with the numbers sometimes spiking into the millions. The data also points towards thousands of scans per day for the recently patched Microsoft and VMware vulnerabilities.
First disclosed in March 2021, the Microsoft vulnerability a.k.a. Hafnium is a server-side request forgery (SSRF) vulnerability in Exchange, which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. From the information publicly available, CVE-2021-26855 is used to identify vulnerable systems, and the remaining vulnerabilities are chained with this vulnerability to gain access and perform further exploitation, including dropping web shells into the exploited systems.
In March, there was an increase in probing for the vulnerabilities from time to time with regular scans across the sensors and deployments worldwide, which then dropped off to lower levels. Meanwhile, in the case of VMware, CVE-2021- 21972 and CVE-2021-21973 were released on February 24, 2021. There has been regular probing for CVE-2021-21972 with some downturn in the scanning.
Speaking on the latest findings, Murali Urs, Country Manager-Barracuda Networks India said, “Software vulnerabilities, especially hard-hitting ones, continue being scanned for and have been exploited for quite some time after the release of patches and mitigations. Attackers understand that defenders don’t always have the time or bandwidth to keep up with patches all the time, and things slide—providing them with an easy way into the network. We are expecting to see some uptick in the scans from time to time as attackers move through the list of known high-impact vulnerabilities.”