Focus Your Efforts: Vulnerability Validation and the Colonial Pipeline Breach
The power of two CVEs
Most people take it as a given that the gas station down the street will be open and have plenty of gas available, even if the price is higher than they’d like. That assumption was shattered in early May because of two unpatched vulnerabilities in Colonial Pipeline’s network. The attack that crippled the gas supply for the entire East Coast didn’t require explosions or forces of nature. In fact, the root of the problem came down to three far more benign factors: phishing, a lack of backups, and known vulnerabilities (CVEs). We’ll leave phishing and backups aside, except to say that you can never over-invest in training, and that regular backups are a relatively inexpensive way to save a great deal of money and time down the road.
We’ll focus on the two known vulnerabilities that DARKSIDE, the hacker group that claimed responsibility for the attack and was subsequently shut down by the FBI, leveraged to get in the door and escalate privileges once inside. The attackers initially exploited CVE-2021-20016, a SQL injection vulnerability in the SonicWall SMA100 SSL VPN, to gain access to Colonial’s network. After gaining access, they needed to establish a foothold and escalate privileges within the target network. One way to do this is by exploiting CVE-2020-1472, which allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol. That connection lets them run an application on a network device and harvest credentials before ultimately exfiltrating and encrypting the target’s data.
Critical vulnerabilities and the attack surface sprawl
These two CVEs have two things in common: both are critical, with CVSS scores of 9.8 and 10 respectively, and both have a patch or mitigation available. So the 75 Bitcoin question is: why were they both left unpatched in production long enough to be exploited? The answer is that they were likely buried in a backlog of similarly critical vulnerabilities that had been identified and prioritized by whichever tools Colonial uses to scan its production infrastructure. Every vulnerability in that backlog has to be manually analyzed to determine where it exists in the environment, whether it’s exploitable, and what depends on the vulnerable components, before it can be patched and redeployed. According to research by Verizon, this process takes 60-150 days on average, and a large portion of that time goes to determining whether the vulnerable code is actually running in memory and exploitable.
The other complicating factor is how quickly the backlog of vulnerabilities grows in an organization. New code is pushed monthly, or up to several times a day in highly automated organizations with mature DevOps practices, and new vulnerabilities are discovered every day. In 2020 alone, 18,325 new CVEs were published, and 4,377 of them had CVSS ratings of 7 or greater. In short, your attack surface and the vulnerabilities it contains are both constantly growing, making it easy to lose sight of any single critical vulnerability.
Vulnerability validation fights sprawl and focuses your attention on exploitable vulnerabilities
Organizations need a clear picture of the exploitable vulnerabilities that make up their actual attack surface, and they need an automated solution that can keep up with the pace of DevOps. Rezilion Validate uses patented Vulnerability Validation technology to determine which of the vulnerabilities identified by your scanners are running in memory and exploitable. Our research shows that often only 30% of vulnerabilities are exploitable, which means any time spent triaging the other 70% does nothing to lower your risk of being breached. With an accurate view of the attack surface, security teams can prioritize resources around decreasing risk and removing tech debt from unused code. If you’d like to do 70% less patching while still reducing risk, click here for a demo of Validate.
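To make the triage logic described in the two passages above concrete (manual analysis of where a vulnerability exists and whether it is running, and validation that deprioritizes findings whose code is never loaded), here is an added example. It is not Rezilion’s code and does not reproduce how Validate works; it assumes a runtime inventory of which components each host has loaded in process memory is supplied by some collector, and all hosts, component names and the CVE-PLACEHOLDER-* identifiers are constructed sample data. The two real CVEs from the article appear only as labelled sample findings. The edge case a practitioner cares about is handled explicitly: a host with no runtime data is marked unknown and stays in the queue, because missing evidence is not evidence that the code is inactive.

```python
"""Added example, not Rezilion's code: a minimal vulnerability-validation
triage pass that ranks scanner findings by whether the vulnerable component
is actually loaded at runtime. Hosts, components and CVE-PLACEHOLDER-*
identifiers are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str        # vulnerable component as named by the scanner
    host: str
    cvss: float
    fix_available: bool   # vendor patch or documented mitigation exists


@dataclass(frozen=True)
class Verdict:
    finding: Finding
    state: str            # "loaded", "not_loaded" or "unknown"
    priority: int         # 0 is most urgent


def runtime_state(inventory, host, component):
    """Classify one finding against the runtime inventory.

    inventory maps host -> set of components observed loaded in process
    memory (shared libraries, modules, services). A host with no entry
    yields "unknown": absence of runtime data is not evidence the
    component is inactive, so such findings are never deferred.
    """
    seen = inventory.get(host)
    if seen is None:
        return "unknown"
    return "loaded" if component in seen else "not_loaded"


def priority_for(finding, state):
    """Queue tier for a finding; lower numbers are worked first."""
    if state == "not_loaded":
        return 4          # installed but never executed: tech debt, not risk
    if state == "unknown":
        return 3          # collect runtime data before deciding
    if finding.cvss >= 9.0 and finding.fix_available:
        return 0          # critical, running, patch exists: fix now
    if finding.cvss >= 9.0:
        return 1          # critical and running, mitigation only
    return 2              # running, lower severity


def validate(findings, inventory):
    """Return one Verdict per finding, most urgent first."""
    verdicts = []
    for f in findings:
        state = runtime_state(inventory, f.host, f.component)
        verdicts.append(Verdict(f, state, priority_for(f, state)))
    # Tie-break by CVSS (descending), then CVE id, for a stable order.
    verdicts.sort(key=lambda v: (v.priority, -v.finding.cvss, v.finding.cve))
    return verdicts


def actionable(verdicts):
    """Everything that still needs attention: loaded or unknown."""
    return [v for v in verdicts if v.state != "not_loaded"]


def deferred_fraction(verdicts):
    """Share of the scanner backlog that validation removes from the queue."""
    if not verdicts:
        return 0.0
    return 1 - len(actionable(verdicts)) / len(verdicts)


# Constructed scanner output: the two CVEs from the article plus placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-20016", "sonicwall-sma100-vpn", "vpn-edge-01", 9.8, True),
    Finding("CVE-2020-1472", "netlogon", "dc-01", 10.0, True),
    Finding("CVE-PLACEHOLDER-1", "libexample-old", "web-03", 9.1, True),
    Finding("CVE-PLACEHOLDER-2", "imagelib", "web-03", 7.5, True),
    Finding("CVE-PLACEHOLDER-3", "legacy-parser", "batch-02", 9.4, False),
]

# Constructed runtime inventory: components seen loaded per host.
SAMPLE_INVENTORY = {
    "vpn-edge-01": {"sonicwall-sma100-vpn"},
    "dc-01": {"netlogon", "dns"},
    "web-03": {"imagelib"},          # libexample-old is installed, never loaded
    # batch-02 has no collector data, so its finding is "unknown", not deferred
}

if __name__ == "__main__":
    verdicts = validate(SAMPLE_FINDINGS, SAMPLE_INVENTORY)
    for v in verdicts:
        f = v.finding
        print(f"P{v.priority} {f.cve:<18} {f.host:<12} cvss={f.cvss:<5} {v.state}")
    print(f"deferred by validation: {deferred_fraction(verdicts):.0%}")
```

The ordering puts the two loaded, critical, patchable findings first, the loaded medium-severity finding next, the host with no runtime data after that (still in the queue, flagged for data collection), and the installed-but-never-loaded library last as tech debt to remove rather than a patch to rush. In a real deployment the inventory would come from a runtime agent rather than a literal, and the CVSS thresholds would be tuned to the organization’s own policy.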