Workload and Application Security Blog

Leave No Apps Behind: Protection from Legacy to Cloud to Containers

Written by Virsec | Dec 14, 2020 5:22:00 PM

Most enterprises are running a mix of new and old applications and platforms. This includes legacy apps that can’t be easily retired and cutting-edge tools in cloud, hybrid, container, and serverless environments. “Leave no apps behind” means you’ve got to protect everything in your system.

Back-end applications that power our businesses and infrastructures are increasingly complex, distributed, and interconnected. Such connectivity and virtualization of applications have expanded the attack surface and broadened threat exposure.

With attacks on servers skyrocketing, it’s clear that applications and server workloads themselves have become a primary and successful target.

Custom Code, COTS and OTS Software Are Outside Your Control

 

Many security tools look at custom code. It’s vital to ensure your custom code doesn’t have vulnerabilities, or if it does, to learn what they are. Your web application infrastructure might be running on a web server that could be a standard framework. Or perhaps you’ve installed commercial off-the-shelf (COTS) software that you don’t control. The majority of businesses are running COTS software, which requires vigilance.

The number of application vulnerabilities that must be managed has grown dramatically. The NIST National Vulnerability Database tracks more than 20,000 vulnerabilities per year – a threefold increase in just three years. The 2020 Verizon Data Breach Investigations Report reveals that the average time for enterprises to identify and remediate serious vulnerabilities is four to six months. The cost to find and remediate a serious flaw is conservatively estimated to be more than $50K per incident.

Legacy or Modern, Proper Security Must Begin with the Application

At the opposite end of the spectrum from legacy apps, modern applications are being deployed in new ways – virtual, hybrid, cloud, containers, or serverless. This often means these applications reside away from traditional networks and security tools.

As organizations support these multiple platforms and deployment models, it has become more difficult to deliver consistent security. But the one constant is the application. Regardless of how or where deployed, applications provide critical functions and access a company’s “crown jewels” of data or intellectual property. This includes the server workloads on which applications run.

Consistent protection for all applications is needed from legacy to modern apps deployed on servers across various models and networks. Hence, proper security must begin with the application itself.

 

Attacks Continuously Hit Legacy Windows Systems

 

Attacks on legacy systems occur frequently, essentially weekly. Windows software is especially vulnerable. In January, Microsoft announced its End-Of-Life plan for Windows 7. In August, the FBI warned organizations about the risks posed by millions of machines still running on Windows 7. The Bureau warned, “Continuing to use Windows 7 within an enterprise may provide cybercriminals access in to computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered.” 

Their warning continued: “With fewer customers able to maintain a patched Windows 7 system after its end of life, cybercriminals will continue to view Windows 7 as a soft target.”

 

Many Organizations Didn’t Have Patches to Stop EternalBlue, WannaCry Or BlueKeep Attacks

 

Hackers discovered weaknesses and perfected their exploits on Windows 7 long ago. The most infamous was EternalBlue, best known as the weapon behind the WannaCry attack in May 2017. EternalBlue is still a frequently used weapon today, utilized in ransomware and cryptomining attacks. In the WannaCry attack, 98% of victims were using Windows 7 and had not implemented the necessary patch.

Attackers also used the BlueKeep exploit against a Zero-Day vulnerability in 2019. They hacked into devices running Windows 7 with enabled RDP endpoints. Though Microsoft offered patches for both WannaCry and BlueKeep, many organizations never applied them and fell victim to exploits, including hospitals, manufacturers, schools, and city and government offices. All of these industries have suffered surges of attacks, and the BlueKeep exploit is still in play.

 

Lucifer Malware Also Strikes Unpatched Windows Systems

 

Another threat that has exploited Windows vulnerabilities this year is malware dubbed Lucifer. Again, organizations without the available patch were hit with brute force attacks aimed at guessing login credentials. Once inside, Lucifer carries out cryptomining and DDoS attacks. Lucifer gains entry on system ports such as TCP 1433.

Lucifer was discovered in late May when a research group was looking into the CVE-2019-9081 vulnerability. The exploit involves the Laravel Framework: perpetrators can hijack this open-source web application framework to carry out remote code execution (RCE) attacks.

Lucifer operators have a wealth of exploits at their fingertips. Their objective is to invade susceptible organizations and bombard them as they work their way down the list of vulnerabilities. NIST ranks vulnerabilities in terms of how dangerous they are, and all on the list below are rated high or critical.

Common Vulnerabilities and Exposures (CVE) ID numbers:

CVE-2019-9081, CVE-2018-1000861, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-10271, CVE-2017-9791, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, CVE-2017-8464, and CVE-2014-6287.

 

The Never-Ending and Unreliable Cycle of Patching

 

Legacy applications can be especially difficult or impossible to patch. No organization can upgrade all legacy apps overnight. Specialized applications often remain in service long after their platforms have become obsolete or are no longer supported. Once the legacy software is obsolete, vulnerabilities remain permanently and pose an ongoing risk to the organization.

Security-by-patching, especially for legacy apps, is a never-ending game of catch-up. Businesses will never win the game, and unintended consequences often interrupt the business. Complete security in the real world requires holistic consideration. All applications must be protected, from old to new, regardless of platform or patch status.

 

 

You Can’t Rely on Air Gapping

 

Legacy apps have been running in organizations for many years. Because they are integral to critical systems, they are firmly established. This makes them difficult if not impossible to upgrade or replace, in part because the downtime required to do so is not an acceptable option.

Years ago, businesses felt more protected using many of these apps because they were air gapped and isolated from the Internet. For instance, the entire world of industrial controls and infrastructure software that drives equipment was originally isolated from other systems. Now, with IT/OT convergence, these systems have been connected and exposed to the Internet. Connectivity can help make operations more convenient, but it comes at the cost of increased risk.

Infrastructures that support critical functions, such as power grids and water treatment plants, are examples of such systems. The general public relies on these systems 24/7, making it especially critical to protect these legacy applications, servers and systems.

 

Virsec Provides Server Protection Anywhere, Hosting Anything at Anytime

 

Few companies are purely on-premises anymore. Most have a collection of environments – from virtualization via the cloud, hybrid environments, containers, to edge devices. Virsec protects application-aware server workloads in any environment. Regardless of whether an application is patched, unpatched, legacy, or running in containers, Virsec’s patented AppMap technology closely monitors its runtime process. If anything goes off track or deviates from the norm in any way, the Virsec security platform instantly identifies and defends the application itself.

You may have a system that is unpatchable or is difficult to patch. Virsec protects the integrity of legacy applications by identifying illicit code modifications as they occur, even without installed software updates or patches. Virsec instantly identifies deviations, preemptively patching systems until updates are installed or covering them if they never can be.
