Researchers have discovered a cryptojacking campaign that exploits an old vulnerability in Cacti’s Network Weathermap plug-in, an open source tool used by network administrators to visualize network activity. The vulnerability was disclosed in April 2013 and a patch has been available for almost five years, but attackers are still using it to help mine cryptocurrency in 2018. Patrick Bedwell, VP at Lastline, commented below.
Patrick Bedwell, VP at Lastline:
“Threat actors target old vulnerabilities because patch deployment is a difficult and not very sexy aspect of security. Vendors issue patches, but they can’t force users to deploy them. Consequently, attacks target those old vulnerabilities because they know there are still vulnerable systems out there to compromise. In other words, they still target these old vulnerabilities because the attacks are still successful.
AlienVault posted a blog earlier this year showing that of the top 10 vulnerabilities cited in vendor reports in its Open Threat Exchange (OTX) in 2017, 2 were from 2012, 1 from 2013 and 1 from 2014.
Deploying patches in a timely manner is essential to avoid being compromised by old vulnerabilities. A related issue is knowing what systems are on the network in the first place; often these unpatched systems are not on a current asset list, are unknown to the IT team and therefore are not patched. They could have been stood up in a test lab by an employee who’s no longer with the organization, or in a remote office where the IT team doesn’t have visibility. In any event, they’re on a network and vulnerable to attack.
So, asset inventory and patch management are two very basic but essential functions that can prevent organizations from being victimized by 5-year-old vulnerabilities.”