BLOG – Second Order Effects of COVID-19 on the Attack Surface
Following our previous research into the second-order effects of COVID-19 on the current landscape, this piece assesses how the current crisis is affecting efforts to manage known vulnerabilities.
On 16 April, the UK government renewed its restrictions in response to COVID-19, enforcing remote working for those companies able to facilitate it until at least 7 May. This prolonged period of lockdown has introduced additional challenges for those tasked with securing their companies’ sensitive information and assets, and has created new opportunities for adversaries looking to exploit the crisis.
For example, our previous blog featured scan results from our Cyber Risk Rating tool that highlighted the increase in open RDP and VNC ports as a result of the current crisis. Taking a similar approach, the data our Cyber Risk Rating tool retrieved on a single vulnerability, CVE-2019-19781, illustrates this challenge.
CVE-2019-19781 is a vulnerability in Citrix Gateways and Citrix Application Delivery Controllers, which provide a single sign-on for multiple applications. Exploiting it would allow a remote attacker to gain unauthorised access to the instance and execute code, compromising it. Shortly after its disclosure in January 2020 proof-of-concept exploit code emerged on the code repository GitHub, and many different threat actors sought to target it. These included several ransomware groups, such as DoppelPaymer and Maze, that engage in big-game hunting: adversaries spending more time and resources conducting tailored compromises of larger and more secure targets with a view to causing more disruption and extracting larger ransom payments.
In the results returned from our vulnerability scanning tool, we’d typically expect a right-skewed distribution (see below; also known as a positively skewed distribution) for the detection of most vulnerabilities. This is because we detect a large number of vulnerable instances when the CVE is first disclosed, before companies have had the opportunity to patch. The number of detections then typically falls off quickly as organisations move to patch the CVE, with a longer tail resulting from those organisations that are less efficient in understanding their attack surface and applying patches.
However, our results for passively identifying cases of CVE-2019-19781 among a selected set of 3,000 companies show a rather different-shaped graph, in what is known as a bi-modal distribution. Rather than a gradual drop-off and right-skewed distribution we instead see a second – albeit smaller – spike in detections of the vulnerability within the same dataset of companies. The coincidence of this second peak with the increase in employees working from home as a result of the crisis suggests these companies have been forced to put in place or bring back online services that remain vulnerable.
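The following added example (not Orpheus' tooling or data) shows one way a defender could test their own scan history for the second peak described above and separate the hosts behind it into services brought back online and services newly put in place. The host names, weeks and the `min_rise` threshold are constructed assumptions.

```python
# Constructed sample: ISO week of passive scan -> hosts fingerprinted as
# exposing CVE-2019-19781. All host names and weeks are invented.
SCANS = {
    "2020-W02": {"gw1.a.example", "gw2.a.example", "vpn.b.example",
                 "adc.c.example", "gw.d.example"},
    "2020-W04": {"gw2.a.example", "vpn.b.example", "adc.c.example"},
    "2020-W06": {"vpn.b.example", "adc.c.example"},
    "2020-W08": {"adc.c.example"},
    "2020-W10": {"adc.c.example"},
    "2020-W12": {"adc.c.example", "gw1.a.example", "remote.e.example"},
    "2020-W14": {"adc.c.example", "gw1.a.example", "remote.e.example",
                 "gw.d.example"},
    "2020-W16": {"adc.c.example", "remote.e.example"},
}

def weekly_counts(scans):
    """Detections per scan, in chronological order."""
    return [len(scans[w]) for w in sorted(scans)]

def find_peaks(counts, min_rise=2):
    """Indices of local maxima that stand at least min_rise above the
    lowest count seen since the previous peak (or since the start)."""
    found, low = [], 0
    for i, c in enumerate(counts):
        prev = counts[i - 1] if i else -1
        nxt = counts[i + 1] if i + 1 < len(counts) else -1
        if c > prev and c >= nxt and c - low >= min_rise:
            found.append(i)
            low = c
        low = min(low, c)
    return found

def classify_hosts(scans):
    """Label each host by its detection history across the scans."""
    weeks, labels = sorted(scans), {}
    for host in set().union(*scans.values()):
        seen = [host in scans[w] for w in weeks]
        first = seen.index(True)
        last = len(seen) - 1 - seen[::-1].index(True)
        if not all(seen[first:last + 1]):
            labels[host] = "re-exposed"    # vanished, then came back vulnerable
        elif first > 0:
            labels[host] = "new-exposure"  # first appeared after disclosure wave
        elif last == len(seen) - 1:
            labels[host] = "persistent"    # never remediated
        else:
            labels[host] = "remediated"    # patched or removed, stayed gone
    return labels
```

Two peaks from `find_peaks` indicate the bi-modal shape; the `re-exposed` and `new-exposure` hosts are the ones to prioritise for patching or removal.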
As we have previously assessed, during the current crisis companies are likely to place a greater emphasis on maintaining the availability of services, at the potential expense of their confidentiality or integrity. However, findings like this highlight the continued potential for these temporary arrangements to be targeted by adversaries, and also the importance of understanding how your company appears from a threat actor’s perspective.
Orpheus’ Cyber Risk Rating service can help secure you and your supply chain. To find out your Cyber Risk Rating for free and begin reducing your company’s cyber risk, click here.