September 13, 2016 By Douglas Bonderud 2 min read

When opportunity knocks, malicious actors are quick to answer. Sometimes they’re met with a locked door after vulnerabilities are patched and security holes sealed. On other occasions, they slip through corporate defenses to wreak havoc.

Attackers Cash In on Vulnerability Report

When a recent vulnerability report from security firm Rapid7 detailed 13 problems with popular network management systems (NMSs), researchers observed a sudden spike in activity on ports using the simple network management protocol (SNMP) as attackers went looking for possible weak spots, Softpedia reported.

On one hand, it’s a job well done. On the other, this hunt is worrisome. Does the need to report vulnerabilities outstrip the potential repercussions of attacker interest?

The Network Nuisance

According to Dark Reading, flaws were found in nine vendor products, including those from Spiceworks, Castle Rock, Opsview and Netikus. All vendors were notified and the vulnerabilities subsequently patched. Rapid7 noted that all the issues stemmed from a lack of machine-to-machine input oversight, in turn making the products susceptible to simple cross-site scripting (XSS) attacks.

It works like this: Cybercriminals hide malicious code in malformed SNMP packets, which are then executed inside the NMS tools, giving attackers a birds-eye view of network-attached components such as servers, routers, printers and firewalls. Once behind corporate lines, attackers can take their time zeroing in on high-value targets, such as payroll-processing PCs or human resources servers that may hold valuable employee data.

It’s no surprise that Rapid7’s disclosure of 13 key vulnerabilities had attackers scrambling to find potential loopholes in new patches or other weak spots that security researchers missed. As Softpedia noted, the Internet Storm Center (ISC) tracked a huge uptick in activity on port 161, which is used by SNMP on honeypot servers.

While there are no reports of any successful attacks on the newly patched NMS after the report dropped, it’s clear that cybercriminals aren’t just groping in the dark — they’re reading security news briefs to see where and when attacks will have the highest chance of success.

The Disclosure Dissonance

Ultimately, it comes down to a discussion of disclosure. Should independent researchers, companies and federal agencies immediately report their findings, even if they represent a potential threat? Common wisdom says to follow Rapid7’s path: Notify the vendors involved, develop a fix and then release the data.

But what if the vendor isn’t willing to talk or won’t acknowledge the problem? What if there’s a massive zero-day threat on the horizon but no developed method of defense?

As noted by Network World, for example, the National Security Agency (NSA) prefers to keep zero-day issues close to the chest, in part as back doors in case of emergency. But this opens up the avenue of extra-country exploitation: What if outside agencies are leveraging the same vulnerabilities that were never made public, and therefore never fixed?

Balancing Act

The Rapid7 vulnerability report speaks to the need for preparation. It’s no longer sufficient to simply find problems and make them public or file a passive report with the product vendor. Security companies must now engage in both the discourse of security defense and be prepared, if necessary, to release flawed files if no resolution is forthcoming.

Put simply, it’s a balancing act. Disclose too early, and attackers have a head start. Disclose too late, and they’ve already been leveraging the vulnerabilities for months. Get it just right, however, and attackers run into honeypots while legitimate security professionals find ways to shore up critical systems.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today