Exposed version control repositories, leaked secrets in public code repositories, a subdomain vulnerable to takover, exposed Amazon S3 buckets, and Microsoft Exchange Server servers vulnerable to CVE-2021-42321 exploitation are the most common exploit paths medium to large enterprises left open for attackers in Q1 2022, according to Mandiant.
Opening doors for attackers
The firm has based the list on the most common issues discovered by continuously scanning the external attack surface of its customers from January 1, 2022 to March 31, 2022.
Other, less often encountered potential issues include exposed services and ports, msconfigurations, and specific vulnerabilities (e.g., in SAP, Log4j, etc.).
Those exposures happen mainly do to a lack of timely patching and a perpetual configuration drift in internet-facing assets. Misconfigurations and poor policy implementation are also a prominent reason behind exposed data repositories.
Exposed version control repositories can give attackers access to application source code, configuration files, sensitive data or confidential information; exposed S3 buckets usually contain sensitive company data; secrets such as passwords/authentication credentials, cryptographic keys and API tokens that may inadvertently be added to public code repositories such as GitHub or GitLab or Google Cloud Build could be found by attackers and used to publish malicious code.
“Configuring subdomains to point to a third party service is common practice for almost every organization. However, abandoned subdomains present a subtle but important risk vector,” the company notes.
“Abandoned subdomains pointing to a provider that allows attacker-supplied configuration and code can be used to compromise session credentials or in phishing campaigns.”
Microsoft Exchange Server Vulnerabilities
There is a reason why vulnerabilities in Microsoft Exchange Server always receive attention from attackers and the security community: Exchange Server is one of the most widely used mail solutions, especially by enterprises and governmental organizations, and compromising it allows attackers to access company/government email accounts, send out malicious spam that is more likely to bypass security checks, etc.
Mandiant has singled out several actively exploited vulnerabilities that are still present on many exposed Exchange Server instances: CVE-2021-42321, CVE-2021-31206, CVE-2021-26855 (aka ProxyLogon), and CVE-2021-34473 (aka one of the ProxyShell flaws).
Looking at the external attack surface like attackers do
Enterprises should constantly monitor their ever-changing external attack surface and act quickly when they detect exploitable holes and exploit paths This means not only closing them, but also checking whether attackers might have taken advantage of them during the window of opportunity they provided.
“Establishing a full view of the attack surface allows for cyber threat profile creation, prioritizations of updates and config changes, context for penetration testing, and incident response and remediation,” the company concluded.