In its latest release of the Digital Footprint Intelligence (DFI) report, Kaspersky revealed the external threats facing the Asia Pacific (APAC) region, including the 6 key countries in Southeast Asia (SEA).
Based on the results, cybercriminals aggressively hunt for unpatched software, one-day vulnerabilities, and compromised remote access protocols in the region.
Cybercriminals’ exploitation capabilities
Kaspersky has collected information on 390,497 services available from public networks, revealing that almost one in five vulnerable services in businesses has more than one vulnerability. Having more than one vulnerability in a service increases the likelihood that cybercriminals will successfully carry out an attack.
Broadly, all countries and all industry sectors share the same problems in applying security updates to publicly available services. Most significantly, government institutions (primary processors of personally identifiable information (PII) and providers of critical services for citizens) stand out by a vast margin as potential incident generators.
Singapore has a low number of vulnerabilities and an outstandingly low ratio between the number of services and the sum of vulnerabilities in them. In contrast, Vietnam, Indonesia, Thailand, and Malaysia have the highest ratio among SEA countries.
Regarding the share of vulnerabilities with publicly available exploits, 3 countries out of the top 5 are located in Southeast Asia: Malaysia, Vietnam, and the Philippines.
Moreover, Kaspersky experts observed widespread use of the vulnerability groups dubbed ProxyShell and ProxyLogon. Exploits for these vulnerabilities are readily available on the Internet, so even a low-skilled attacker can use them.
While ProxyShell is quite common in China and Vietnam, the Philippines is among the countries most affected by this vulnerability, with the healthcare industry targeted most. Other affected countries include Thailand (government bodies), China (financial), and Indonesia (industrial).
ProxyShell is a group of vulnerabilities in Microsoft Exchange servers (CVE-2021-31206, CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523). The ProxyLogon group includes CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Vulnerabilities from both groups enable an actor to bypass authentication and execute code as a privileged user.
The best defense against these vulnerabilities is to keep public-facing systems updated with the latest patches and product versions. Companies should also avoid exposing Exchange Server directly to the Internet. Kaspersky products protect against vulnerabilities from both groups, ProxyShell and ProxyLogon.
Credential brute force attacks
A large share of the initial access that leads to cybersecurity incidents involves services with remote access or management features. One of the best-known examples is RDP (Remote Desktop Protocol), Microsoft's proprietary protocol that enables a user to connect to another computer over a network of Windows computers.
RDP is widely used by system administrators and less technical users to control servers and other PCs remotely, but intruders also abuse it to break into target computers, which usually house essential corporate resources.
Based on Kaspersky's monitoring of 16,003 exposed remote access and management services, Indonesia, India, Bangladesh, the Philippines, and Vietnam offer attackers the most opportunities to gain remote access.
Government institutions account for over 40% of the attack surface for brute force attacks and credential leak reuse.
“Clearly, cybercriminals are busy uncovering possible entry points in the region. From hunting for unpatched software, one-day vulnerabilities, and exploitable remote access and management services, malicious actors have many options to infect lucrative industries. In short, a cyberattack is like a ticking bomb. While problematic, reports such as our Digital Footprint Intelligence can be used to guide the cybersecurity capacity building of concerned organizations. If you know your weak areas, it’s easier to prioritize,” commented Chris Connell, Managing Director for the Asia Pacific at Kaspersky.
To protect your businesses from such threats, Kaspersky experts also recommend that you:
- Regulate every major change to the network perimeter hosts, including launching services or applications, exposing new APIs, installing and updating software, changing network device configuration, and so on. All changes should be reviewed from the perspective of their security impact.
- Develop and implement reliable procedures for identifying, installing, and verifying patches for products and systems.
- Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly and make sure you can quickly access it in an emergency.
- Use solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service, which help to identify and stop the attack in the early stages before the attackers achieve their goals.
- Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business (KESB), powered by exploit prevention, behavior detection, and a remediation engine that can roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.
Read the full Digital Footprint Intelligence report for APAC on Securelist.com.