Thursday 7th May 2020

BLOG – Second Order Effects of COVID-19 on the Attack Surface


Following our previous research into the second-order effects of COVID-19 on the current landscape, this piece assesses how the current crisis is affecting efforts to manage known vulnerabilities.

On 16 April, the UK government renewed its restrictions in response to COVID-19, enforcing remote working for those companies able to facilitate it until at least 7 May. This prolonged period of lockdown has introduced additional challenges for those tasked with securing their companies’ sensitive information and assets, and has created new opportunities for adversaries looking to exploit the crisis.

For example, our previous blog featured scan results from our Cyber Risk Rating tool that highlighted the increase in open RDP and VNC ports as a result of the current crisis. Using a similar approach but instead focusing on the data we retrieved from our Cyber Risk Rating tool on one vulnerability, CVE 2019-19781, illustrates this challenge.

CVE-2019-19781 is a vulnerability in Citrix Gateways and Citrix Application Delivery Controllers, which provide a single sign-on for multiple applications. Exploiting the CVE would allow a remote attacker to gain unauthorised access to the instance and execute code, allowing them to compromise the instance. Shortly after its disclosure in January 2020 proof-of-concept exploit code emerged on the code repository GitHub, and lots of different threat actors sought to target it. These included several ransomware groups such as DoppelPaymer and Maze that engage in big-game hunting – when adversaries spend more time and resource conducting tailored compromises of larger and more secure targets with a view to causing more disruption and extracting larger ransom payments.

In the results returned from our vulnerability scanning tool, we’d typically expect a right-skewed distribution (see below, also known as positively skewed distribution) for the detection of most vulnerabilities. This is because we would detect a large number of vulnerable instances as the CVE is first disclosed and before companies have had the opportunity to patch. The number of detections typically falls off pretty quickly as organisations move quickly to patch the CVE, with a longer tail resulting from those organisations that are less efficient in understanding their attack surface and applying patches.

However, our results for passively identifying cases of CVE-2019-19781 among a selected set of 3,000 companies show a rather different-shaped graph, in what is known as a bi-modal distribution. Rather than a gradual drop-off and right-skewed distribution we instead see a second – albeit smaller – spike in detections of the vulnerability within the same dataset of companies. The coincidence of this second peak with the increase in employees working from home as a result of the crisis suggests these companies have been forced to put in place or bring back online services that remain vulnerable.

As we have previously assessed, during the current crisis companies are likely to place a greater emphasis on maintaining the availability of services, at the potential expense of their confidentiality or integrity. However, findings like this highlight the continued potential for these temporary arrangements to be targeted by adversaries, and also the importance of understanding how your company appears from a threat actor’s perspective.

To understand how Orpheus’ Cyber Risk Rating service can help secure you and your supply chain. Contact us to find out your Cyber Risk Rating for free and begin reducing your company’s cyber risk.

[1] Source:



Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.