Sergey Nivens - stock.adobe.com
Hackers embrace 5-day workweeks, unpatched vulnerabilities
Bad guys are taking the weekends off too, according to Barracuda Networks, and old bugs that should have been patched months ago continue to be the most-targeted vulnerabilities.
Just as many office workers tend to log off on the weekend, the attackers targeting enterprise networks prefer to operate during the workweek while focusing on unpatched vulnerabilities.
New research from security vendor Barracuda Networks found that Monday through Friday are by far the most common days for cyber attacks as criminals also prefer to keep normal operating hours.
"Earlier we saw that bots follow the course of a workday to perform their attacks, and now we also see the pattern that the workweek is the same whether you are an attacker or a defender," Barracuda said in its report.
"Both these insights show that most attackers seem to take the weekend off, even when running automated tasks," according to Barracuda.
The schedule, it seems, is less about maintaining work-life balance than it is about hiding in plain sight. The researchers believe that by limiting their attacks to times when workers are online, hackers can better traverse networks with less risk of being spotted or raising alarms.
Big bugs lingering
Despite having been out of the news cycle, major unpatched vulnerabilities publicized earlier this year remain extremely popular with attackers. Among the top targets for exploitation over recent months has been CVE-2021-26855, the Microsoft Exchange server-side request forgery bug exploited by a Chinese threat group dubbed Hafnium.
While Microsoft publicized the flaw and issued a patch for the bug and three other related vulnerabilities in March, enough companies and users are far enough behind on their patch installation that criminals continue to probe for the flaw as an exploit target. The White House this week formally attributed the initial Exchange Server attacks to the Chinese government, but security researchers have warned that other threat groups and cybercriminals have targeted and exploited the flaws.
Similarly, the Barracuda researchers noted heavy levels of scanning for CVE-2021-21972, a remote code execution flaw in VMware vCenter Server. Despite having been patched in February, the bug continues to be a reliable one for those looking to gain a foothold within a network.
While getting security patches installed as quickly as possible remains a recommended best practice, the Barracuda team noted that it is not always so simple, particularly for larger networks; organizations need to test patches and downtime for critical servers can be hard to schedule.
"These two data points show that software vulnerabilities, especially hard-hitting ones, continue being scanned for and exploited for quite some time after the release of patches and mitigations," Barracuda noted. "Attackers understand that defenders don't always have the time or bandwidth to keep up with patches all the time and things slide -- providing them with an easy way into the network."