
Hostile IT environments: how cybercriminals hunt for vulnerabilities across networks

Michał Horubała
23/06/2025
Network vulnerabilities

In cybersecurity, when we talk about vulnerabilities, we mean flaws in software or misconfigurations of systems and applications that can lead to security breaches. According to the Encyclopedia of Management, “a vulnerability refers to a lack of resilience (of a system or an individual) to the effects of a hostile environment. The phenomenon of vulnerability leads to losses.” We find this definition particularly accurate because it introduces an extremely important element that is often overlooked in the IT world: the hostile environment.

We often describe trends in cybersecurity threats on our blog and point to changes that have taken place in this field in recent years. When it comes to vulnerabilities, essentially nothing has changed—vulnerabilities were, are, and will remain an inherent feature of IT systems. What has changed, however, is precisely that hostile environment.

In the past, a vulnerability could be exploited if a company became a target of an attack. Today, organizations become targets because their systems contain vulnerabilities—they lack resilience while operating in a hostile environment.

Let us therefore take a closer look at how cybercriminal groups operate today and how they exploit organizational vulnerabilities.

Initial Access Brokers (IAB): How does the cybercrime ecosystem work?

Cybercrime is a relatively new element of the economy. Even so, some data indicates that it is currently the third-largest economy in the world. Today’s cybercriminal groups operate within an organized ecosystem consisting of a supply chain of providers and buyers functioning on the black market. Among them, an important role is played by IABs (Initial Access Brokers). This is an army of countless individuals and groups specialized in exploiting various vulnerabilities in order to gain access to the assets of random organizations. This access becomes a commodity offered for sale and constitutes the first step of an attack to be leveraged by subsequent cybercriminal groups.

Every time a new, promising vulnerability is disclosed, thousands of IABs get to work. They use automated, efficient, large-scale scanners and OSINT platforms to identify vulnerable systems that are exposed on the internet.

Vulnerabilities and the negative effects of environmental changes in cybersecurity

Most organizations—especially smaller ones—still treat the risk posed by vulnerabilities with skepticism.

“We’re not a bank or an arms manufacturer. Why would any cybercriminal group target us?”

As mentioned earlier, cybercriminal organizations have changed their modus operandi in recent years. Companies become targets because they are vulnerable—not because criminals consider a given organization exceptionally valuable and worth stealing from.

Looking for analogies outside the IT domain, one might point to a high-profile public figure who travels through the city center, even in broad daylight, in an armored vehicle accompanied by security. Such protective measures create friction and additional costs, but they are driven by a risk analysis indicating a high probability of a potentially severe attack.

As average residents of a modern city, we do not take such precautions when going to work or shopping. We are vulnerable, but the risk of attack is low. Now consider whether our behavior would change if our environment were a high-crime district—or if we had to function in a post-apocalyptic world overrun by bloodthirsty zombies.

That is exactly the kind of hostile environment the internet has become. Actors operating in today’s cybercrime ecosystem—especially IABs—act opportunistically. They look for easy, non-resilient targets. As a result, what an organization does and which industry it operates in does not matter. The value of stolen data to attackers is also of limited importance. What matters is the value that data represents to the victim organization and how much it will be willing to pay to keep it confidential or regain access.

Internet-exposed vulnerabilities and ransomware attacks

Recently, the SOC360 team has repeatedly supported companies that experienced ransomware attacks. Each time, we dealt with highly destructive actions resulting in sensitive data leaks and a complete paralysis of the IT environment. In every case, the entry point was a vulnerability in one of the systems exposed to the internet. These organizations’ systems were not protected by advanced technologies and were not being monitored.

Example 1: Ransomware attack on a large manufacturing company

Vulnerabilities:

  • A security flaw in the email system
  • A network protected only by an antivirus product popular in Poland and a firewall
  • No monitoring of security systems
  • Unnoticed activity by ransomware operators lasting more than a week: access to workstations and servers (including the DC) with domain administrator privileges, data exfiltration, disabling of backup mechanisms
  • The attack was discovered only after all assets had been encrypted

Impact:

  • Total paralysis of the production process and all IT systems
  • Irrecoverable loss of data related to years of R&D on new product projects
  • Sensitive data published on the ransomware group’s leak site

Example 2: Ransomware attack on a mid-sized trading company

Vulnerabilities:

  • A misconfiguration of the VPN service that enabled access and operations within the LAN
  • No advanced security systems or monitoring
  • Despite an orderly and well-managed IT environment, ransomware operators’ activity went unnoticed for several weeks
  • During that time, they operated using an IT administrator account, during its working hours, leveraging tools already present in the environment (PowerShell, RDP, FileZilla, Advanced IP Scanner, TeamViewer)
  • The attack was discovered only after all assets had been encrypted

Impact:

  • All IT systems unavailable for two weeks
  • Sensitive data published on the ransomware group’s leak site
  • Irrecoverable loss of part of the data
  • High costs resulting from restoring systems from backups and business downtime
  • Partial loss of investor trust in the company’s management
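What monitoring would have had to catch in Example 2 is not an exotic tool but a legitimate account using legitimate tools in an unusual way. The following detection logic is an added example written for this article, not code from SOC360 or from the incident itself: it runs two simple rules over constructed events whose field names mimic what a SIEM normalises from Windows Security and Sysmon logs (logon_type 10 is a RemoteInteractive, i.e. RDP, logon). The hostnames, user names, server inventory and the fan-out threshold are assumptions.

```python
"""Detection logic for the pattern in Example 2: a privileged account driving
RDP sessions to many hosts and running dual-use tools on servers.

Added example; the events below are constructed for illustration and the
field names mimic what a SIEM normalises from Windows Security / Sysmon logs
(logon_type 10 = RemoteInteractive, i.e. RDP). Hostnames, users and the
threshold are assumptions, not data from the incident described above.
"""
from collections import defaultdict

# Legitimate administration tools that also appear in the toolset the article
# lists; on their own they are not malicious, so they are scored in context.
DUAL_USE_TOOLS = {
    "powershell.exe", "mstsc.exe", "filezilla.exe",
    "advanced_ip_scanner.exe", "teamviewer.exe",
}
SERVERS = {"SRV-FILE01", "SRV-APP02", "DC01"}   # assumed asset inventory
RDP_LOGON_TYPE = 10
FANOUT_THRESHOLD = 3   # distinct RDP targets per account per day; tune per environment

SAMPLE_EVENTS = [  # constructed, all inside normal working hours
    {"ts": "2025-05-12T09:05:00", "host": "SRV-FILE01", "user": "it.admin",
     "event": "logon", "logon_type": 10, "src_ip": "10.0.5.21"},
    {"ts": "2025-05-12T09:20:00", "host": "SRV-APP02", "user": "it.admin",
     "event": "logon", "logon_type": 10, "src_ip": "10.0.5.21"},
    {"ts": "2025-05-12T09:41:00", "host": "DC01", "user": "it.admin",
     "event": "logon", "logon_type": 10, "src_ip": "10.0.5.21"},
    {"ts": "2025-05-12T09:45:00", "host": "DC01", "user": "it.admin",
     "event": "process", "image": "Advanced_IP_Scanner.exe"},
    {"ts": "2025-05-12T10:30:00", "host": "SRV-FILE01", "user": "it.admin",
     "event": "process", "image": "filezilla.exe"},
    {"ts": "2025-05-12T11:00:00", "host": "WS-117", "user": "j.kowalski",
     "event": "logon", "logon_type": 2, "src_ip": "-"},
    {"ts": "2025-05-12T11:10:00", "host": "WS-117", "user": "j.kowalski",
     "event": "process", "image": "powershell.exe"},
    {"ts": "2025-05-13T08:15:00", "host": "SRV-APP02", "user": "it.admin",
     "event": "logon", "logon_type": 10, "src_ip": "10.0.5.21"},
]


def rdp_fanout(events, threshold=FANOUT_THRESHOLD):
    """Accounts that opened RDP sessions to >= threshold distinct hosts in one day.

    Returns {(user, day): sorted list of hosts}. Time of day is deliberately
    ignored: in Example 2 the activity happened during working hours, so an
    'outside business hours' rule would have missed it.
    """
    hosts_by_user_day = defaultdict(set)
    for e in events:
        if e["event"] == "logon" and e.get("logon_type") == RDP_LOGON_TYPE:
            hosts_by_user_day[(e["user"], e["ts"][:10])].add(e["host"])
    return {key: sorted(hosts) for key, hosts in hosts_by_user_day.items()
            if len(hosts) >= threshold}


def dual_use_on_servers(events, servers=SERVERS):
    """Process creations of dual-use tools on servers (workstation use is ignored)."""
    return [e for e in events
            if e["event"] == "process" and e["host"] in servers
            and e["image"].lower() in DUAL_USE_TOOLS]


def alerts(events):
    """Combine both rules; a tool hit by an account that is also fanning out
    over RDP on the same day is raised to high severity."""
    out = []
    fanout = rdp_fanout(events)
    for (user, day), hosts in fanout.items():
        out.append({"rule": "rdp_fanout", "severity": "medium",
                    "user": user, "day": day, "hosts": hosts})
    for e in dual_use_on_servers(events):
        key = (e["user"], e["ts"][:10])
        out.append({"rule": "dual_use_tool_on_server",
                    "severity": "high" if key in fanout else "medium",
                    "user": e["user"], "host": e["host"],
                    "image": e["image"], "ts": e["ts"]})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
```

On the sample data the admin account reaches three servers over RDP on one day and then runs a network scanner on the domain controller and an FTP client on the file server; the workstation user running PowerShell is not flagged. The point of the correlation step is that neither rule alone is conclusive, while the combination closely matches the weeks-long, in-hours activity the case describes.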

We could tell many such stories. Our team has repeatedly helped remediate the consequences of attacks and supported company boards in regaining control of the situation—while, amid panic and total disorientation, negotiating with ransomware groups. In most cases, after receiving the call and checking the attack surface using Shodan and Censys, we were able to outline the course of events even before taking action on site.

Unfortunately, all these cases look similar: vulnerabilities, the same antivirus and firewall solutions from vendors popular in Poland, no monitoring, lack of cybersecurity expertise, and lack of resilience to a hostile environment.

Vulnerabilities on the internet – protect your organization with SOC/MDR services

The recommendation to keep systems up to date and implement a vulnerability scanning and management program is obvious. For larger organizations, we also recommend implementing an ASM (Attack Surface Management) process focused on continuous attack surface assessment. However, our experience at SOC360 does not allow us to stop at such recommendations.
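The core of an ASM process is a loop: inventory what is reachable from the internet, compare it with the previous inventory, and triage what changed before an opportunistic scanner does. The following script is an added example written for this article, not SOC360 tooling; both snapshots are constructed using documentation IP ranges (in practice they would be periodic exports from an external scanner or from Shodan or Censys), and the high-risk port policy is an assumption to adapt per organization.

```python
"""Continuous attack surface assessment, reduced to its core loop: compare
the newest inventory of internet-exposed services with the previous one and
triage what changed.

Added example; both snapshots are constructed (not real scan output) and use
documentation IP ranges. In practice they would come from a periodic export
of an external scanner or a service such as Shodan or Censys. The
high-risk port policy is an assumption to be adapted per organisation.
"""

# host -> {port: service name}
PREVIOUS = {
    "203.0.113.10": {443: "https", 25: "smtp"},
    "203.0.113.11": {443: "https", 445: "microsoft-ds"},
}
CURRENT = {
    "203.0.113.10": {443: "https", 25: "smtp", 3389: "ms-wbt-server"},
    "203.0.113.11": {443: "https", 445: "microsoft-ds", 1723: "pptp"},
    "203.0.113.12": {22: "ssh"},
}

# Services that this (assumed) policy never wants reachable from the internet;
# remote-access and file-sharing protocols match the kind of entry points the
# incidents above describe.
HIGH_RISK_PORTS = {
    3389: "RDP exposed to the internet",
    445: "SMB exposed to the internet",
    1723: "PPTP VPN exposed to the internet",
    23: "telnet exposed to the internet",
    21: "FTP exposed to the internet",
}


def diff_exposure(prev, curr):
    """Return (new_hosts, new_services, removed_services).

    Services are (host, port, service) tuples, sorted for stable output.
    """
    new_hosts = sorted(set(curr) - set(prev))
    new_services = [(host, port, svc)
                    for host, ports in curr.items()
                    for port, svc in ports.items()
                    if port not in prev.get(host, {})]
    removed = [(host, port, svc)
               for host, ports in prev.items()
               for port, svc in ports.items()
               if port not in curr.get(host, {})]
    return new_hosts, sorted(new_services), sorted(removed)


def triage(prev, curr, high_risk=HIGH_RISK_PORTS):
    """Turn the diff into findings an analyst can act on.

    - a newly exposed high-risk service is critical
    - any other new service is informational (confirm it is intended)
    - a host absent from the previous inventory is medium (unknown asset)
    - a high-risk service present in both snapshots is high: it was already
      reachable last time and nobody closed it
    """
    new_hosts, new_services, _removed = diff_exposure(prev, curr)
    findings = []
    for host, port, svc in new_services:
        findings.append({
            "host": host, "port": port, "service": svc,
            "severity": "critical" if port in high_risk else "info",
            "note": high_risk.get(port, "new service; confirm it is intended"),
        })
    for host in new_hosts:
        findings.append({"host": host, "port": None, "service": None,
                         "severity": "medium",
                         "note": "host not present in previous inventory"})
    for host, ports in curr.items():
        for port, svc in ports.items():
            if port in high_risk and port in prev.get(host, {}):
                findings.append({"host": host, "port": port, "service": svc,
                                 "severity": "high",
                                 "note": high_risk[port] + " (still open since last snapshot)"})
    return findings


if __name__ == "__main__":
    for f in triage(PREVIOUS, CURRENT):
        print(f["severity"].upper(), f["host"], f["port"], f["note"])
```

Run daily, the diff is small and reviewable even for a large estate, which is the practical difference between a one-off scan and a continuous process: the newly exposed RDP and PPTP services in the sample would be raised the day they appear, and the SMB service that was already open is reported again until it is closed.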

Operating in a hostile environment requires more than eliminating weak points. It also requires continuous, active defensive actions. In today’s IT landscape, lack of resilience to threats does not mean only software flaws or configuration errors. It also means a lack of technology, processes, and people who actively protect organizations from the consequences of a hostile environment.

If you are interested in increasing your company’s protection—get in touch with us.

This article was prepared entirely by cybersecurity experts—without the use of artificial intelligence tools.


Author:
Michał Horubała, Vice President, SOC360, 4Prime Group
An expert with many years of experience in the IT security industry. He specializes in protection against advanced cyberattacks as well as the design and organization of SOC units. He has been involved in implementing and overseeing security systems and has provided advisory services to enterprise-sector companies in Poland and Western Europe.
