UPDATED 07:00 EDT / SEPTEMBER 14 2023


Remote Desktop Protocol exposures leave 85% of organizations vulnerable to attack

A new report from Palo Alto Networks Inc.’s Unit 42 finds that 85% of organizations leave Remote Desktop Protocol accessible from the internet for at least 25% of the month, leaving them open to ransomware attacks or unauthorized login attempts.

Released today, the 2023 Unit 42 Attack Surface Threat Report digs into the dynamic nature of cloud environments and the speed at which threat actors are exploiting new vulnerabilities. The report details how cybercriminals are exploiting new vulnerabilities within hours of public disclosure and how organizations are finding it difficult to manage their attack surfaces at the speed and scale necessary to combat threat actor automation.

The report argues that organizations have a major attack surface management problem, but many are unaware that they do because they lack full visibility of their various information technology assets and owners. One of the biggest culprits of these unknown risks is remote access service exposures, which account for nearly one of every five issues found on the internet.

Notable findings in the report include that attackers can move at “machine speed,” scanning the entire IPv4 address space for vulnerable targets in minutes. Of more than 30 Common Vulnerabilities and Exposures analyzed, three were exploited within hours of public disclosure and 63% were exploited within 12 weeks of public disclosure.

The Unit 42 researchers also analyzed 15 remote code execution vulnerabilities and found that 20% were targeted by ransomware gangs within hours of disclosure and 40% of the vulnerabilities were exploited within eight weeks of publication.

Perhaps not surprisingly, the report found that the cloud is the dominant attack surface, with 80% of security exposures present in cloud environments compared to 19% in on-premises environments.

The exposure of cloud-based IT infrastructure stems in part from cloud installations being in a constant state of flux, changing by more than 20% across every industry every month. Nearly half of high-risk, cloud-hosted exposures each month were a result of the constant change in new services going online or old ones being replaced. More than 75% of publicly accessible software development infrastructure exposures were also found in the cloud, making them attractive targets for attackers.

Along with finding that more than 85% of organizations were making RDP internet-accessible for at least 25% of the month, eight of the nine industries studied by Unit 42 had internet-accessible RDP vulnerable to brute-force attacks for at least 25% of the month. Median financial services and state or local government organizations were found to have RDP exposures for the entire month.
