Image: seksan Mongkhonkhamsao/Moment/Getty Images

One key way that cybercriminals compromise organizations and users is by exploiting known security vulnerabilities. As new flaws are discovered all the time, hackers always have plenty of fresh meat from which they can carry out attacks against vulnerable products.

SEE: Incident response policy (TechRepublic Premium)

Of course, one key way that organizations can protect themselves is by patching known security vulnerabilities. But often that task falls by the wayside. Whether due to lack of time or staff or resources, many organizations fail to patch critical security flaws before it’s too late. And that failure is something criminals count on.

In a report published Wednesday, security provider Barracuda looked at how attackers scan for and exploit security holes and how organizations can better protect themselves.

To conduct its research, Barracuda analyzed data from attacks blocked by its products over the past two months. The firm discovered hundreds of thousands of automated scans and attacks per day, with some of those daily numbers jumping into the millions. Recent vulnerabilities patched by Microsoft and VMWare picked up thousands of scans per day.

Microsoft flaws

In March, Microsoft revealed that a China-based group called Hafnium carried out attacks against organizations by exploiting four zero-day vulnerabilities in Exchange Server. In response, Microsoft rolled out several security updates for Exchange Server versions 2013, 2016 and 2019, and urged all organizations to patch their on-premises Exchange installations as quickly as possible.

Barracuda said it saw an increase in scans for these Exchange flaws in March, which makes sense given that they became public at that time. However, the firm said it continues to observe regular scanning for these vulnerabilities around the world. The scans increase from time to time and then drop off.

VMWare flaws

In another incident, this one from February, VMWare was forced to fix serious flaws in its vCenter Server VMware utility that could have allowed attackers to remotely execute code on a vulnerable server. Though the holes were patched on Feb. 24, Barracuda said it sees regular probes for one of the exploits with some occasional downturn in scanning. Still, the firm expects to catch an upswing in these scans as hackers continue to go through a list of known, critical vulnerabilities.

In both cases, attackers regularly scan for vulnerabilities even months after they’ve been patched. They do this because they know that many organizations fail to apply the patches, even those for critical security flaws.

Cyberattacks: when and how

Cybercriminals rely on a certain method to their madness, mapping out not just how to carry out their attacks but when. In its analysis, Barracuda found that automated bots typically launch attacks during a weekday. The reason for this strategy is that attackers may feel they can blend in more with the crowd during a busy workday rather than draw greater attention to themselves on a weekend.

Attackers who exploit security flaws also turn to common attack types. They may perform reconnaissance to get the lay of the land before launching an actual attack. They might adopt a fuzzing approach in which they throw data at a specific system in hopes of finding specific vulnerabilities.

When it’s time to strike, campaigns analyzed by Barracuda from the past couple of months used a few different tactics. The majority turned to OS command injection attacks through which the hackers run arbitrary commands on the operating system as a way to compromise a vulnerable application. Another favorite method was the SQL injection attack whereby malicious SQL statements are injected through a web form or other client interface.

How to protect yourself

To protect your organization against the exploitation of security flaws, Barracuda recommends using a Web Application Firewall or a WAF-as-a-Service product. Also known as Web Application and API Protection services, these types of products consolidate different security components into a single tool. As noted by Barracuda, Gartner offers a review of Web Application Firewalls with information on products from Citrix, FortiWeb, AWS, Imperva, Azure, Barracuda and more.

“Organizations should look for a WAF-as-a-Service or WAAP solution that includes bot mitigation, DDoS protection, API security, and credential stuffing protection—and make sure it is properly configured,” Barracuda said in its report.